[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: isakmp-05.txt

To: PC-Waterhouse Richard <Waterhouse@nt1-ndhm.chnt.gtegsc.com>
Subject: Re: isakmp-05.txt
From: Daniel Harkins <dharkins@cisco.com>
Date: Fri, 18 Oct 1996 14:50:35 -0700
Cc: 'IPSEC Working Group' <ipsec@TIS.COM>
In-Reply-To: Your message of "Fri, 18 Oct 1996 16:00:00 CDT." <3267F332@smtp-gw.dos.chnt.gtegsc>
Sender: ipsec-approval@neptune.tis.com
PC-Waterhouse Richard wrote:
> 1. Why MUST all implementations of ISAKMP support the Internet DOI ?  We   
> have a potential application that has nothing to do with thre Internet.

Well, this is the _Internet_ Engineering Task Force afterall. 

Nothing is stopping you from creating your own DOI. In fact, if you do
please share it with the rest of us. At the least it would be edifying
for other developers.

> 2. A general impression - if you are serious about "MUST", you don't have   
> enough of them to nail it down to the point that interoperability is   
> guaranteed.

If you have any specific ideas that will guarantee interoperability now
is the time to speak up-- the drafts are being edited presently.

  regards,

    Dan.


To: PC-Waterhouse Richard <Waterhouse@nt1-ndhm.chnt.gtegsc.com>
cc: 'IPSEC Working Group' <ipsec@TIS.COM>
Subject: Re: isakmp-05.txt 
In-reply-to: Your message of "Fri, 18 Oct 1996 16:00:00 CDT."
             <3267F332@smtp-gw.dos.chnt.gtegsc> 
Reply-To: perry@piermont.com
X-Reposting-Policy: redistribute only with permission
Date: Fri, 18 Oct 1996 18:03:08 -0400
From: "Perry E. Metzger" <perry@piermont.com>
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk
Message-ID:  <9610210738.aa23470@neptune.TIS.COM>


PC-Waterhouse Richard writes:
> 1. Why MUST all implementations of ISAKMP support the Internet DOI ?  We   
> have a potential application that has nothing to do with thre Internet.

This is the INTERNET Engineering Task Force. The ISOC police will not
handcuff you for implementing something else, but our goal here is to
provide protocols for Internet users. You can feel free to use
variations on any spec we build for any private application you may
have -- just don't call it ISAKMP.

Perry



Date: Sun, 20 Oct 1996 15:20:40 -0700
From: Ran Atkinson <rja@cisco.com>
Message-Id: <199610202220.PAA05515@cornpuffs.cisco.com>
To: ipsec@TIS.COM
Subject: Re: isakmp-05.txt
In-Reply-To: <199610182150.OAA07772@spook>
References: <3267F332@smtp-gw.dos.chnt.gtegsc>
Organization: cisco Systems
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk

Someone wrote:
>> 1. Why MUST all implementations of ISAKMP support the Internet DOI ?  We   
>> have a potential application that has nothing to do with thre Internet.

Not all implementations of the ISAKMP Base Specification should be required
to implement the "Internet DOI" (or "IPsec DOI"), IMHO.

In the view of many, it is desirable to decouple the IPsec-specific
parts from the base ISAKMP specification for precisely the reason you
outline.  I am aware of work by others creating other DOIs for ISAKMP
that will permit ISAKMP to be used at all layers of a protocol stack.
>From an implementer perspective, this is highly desirable because it
would facilitate significant amounts of code reuse.  Vendors using PF_KEY
could use PF_KEY and an ISAKMP daemon to negotiate SAs for any protocol
available in a UNIX kernel, for example.

IMHO, the draft authors should consider renaming the "Internet DOI"
to be "IP Security DOI" because it is very much IPsec-centric in
its current form.  Further, I would suggest making it a requirement
that implementations of the "IP Security DOI" also implement the ISAKMP
Base Specification, but NOT requiring all implementations of the ISAKMP
Base Specification to implement the "IP Security DOI".

Then Dan Harkins responded: 
>Nothing is stopping you from creating your own DOI. In fact, if you do
>please share it with the rest of us. At the least it would be edifying
>for other developers.

I would encourage this as well.  I'll also note that one can publish an
Informational RFC on any topic.  So if one were (hypothetically) creating an
"FastEthernet-layer DOI", then it could be published as an Informational RFC,
even though it mightn't be an appropriate topic for standardisation within the
IETF.

Regards,

Ran
rja@cisco.com






Date: Tue, 22 Oct 1996 14:18:23 -0400 (EDT)
Message-Id: <199610221818.OAA20612@carp.morningstar.com>
From: Karl Fox <karl@ascend.com>
To: ipsec@TIS.COM
Subject: 40-bit DES
Reply-To: Karl Fox <karl@ascend.com>
Organization: Ascend Communications
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk

Does anybody out there support ESP-DES-CBC using 40-bit keys?  If so,
how do you restrict the key space?
-- 
Karl Fox, servant of God, employee of Ascend Communications
3518 Riverside Drive, Suite 101, Columbus, Ohio 43221   +1 614 326 6841



Message-Id: <199610221823.LAA23039@cornpuffs.cisco.com>
From: Ran Atkinson <rja@cisco.com>
Date: Tue, 22 Oct 1996 11:23:41 PDT
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
To: ipsec@TIS.COM
Subject: [Admin] ESP 3DES MD5 Editor 
Cc: naganand@ftp.com
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk


All,

  Paul Lambert and I have appointed Naganand Doraswamy <naganand@ftp.com> as
the document editor to write up an ESP Transform combining Triple-DES, MD5,
and Replay Protection.  This new transform is to be derived from and as
similar as practical to Jim Hughes' ESP DES-CBC MD5 transform.  This new
transform is intended to become standards-track.   It will appear online
as draft-ietf-ipsec-esp-3des-md5-*.txt once Naganand has written it up.

Paul Lambert <palamber@us.oracle.com>
Randall Atkinson <rja@cisco.com>



-- 



Message-Id: <199610222041.QAA16767@jekyll.piermont.com>
To: Karl Fox <karl@ascend.com>
cc: ipsec@TIS.COM
Subject: Re: 40-bit DES 
In-reply-to: Your message of "Tue, 22 Oct 1996 14:18:23 EDT."
Reply-To: perry@piermont.com
X-Reposting-Policy: redistribute only with permission
Date: Tue, 22 Oct 1996 16:41:00 -0400
From: "Perry E. Metzger" <perry@piermont.com>
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk


Karl Fox writes:
> Does anybody out there support ESP-DES-CBC using 40-bit keys?  If so,
> how do you restrict the key space?

I'm sure you could do it using the lovely IBM CDMF algorithm. On the
other hand, given how cheap it is to break a 40 bit key ($0.08,
according to Blaze et al), why would you want to? If you are having
export problems, move your development, don't cut back on your
strength -- unless you are seeking embarassment.

Perry



Message-Id: <199610230212.WAA02005@smb.research.att.com>
X-Authentication-Warning: smb.research.att.com: smb owned process doing -bs
To: Karl Fox <karl@ascend.com>
cc: ipsec@TIS.COM
Subject: Re: 40-bit DES 
Date: Tue, 22 Oct 1996 22:10:07 -0400
From: Steve Bellovin <smb@research.att.com>
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk


	 Does anybody out there support ESP-DES-CBC using 40-bit keys?  If so,
	 how do you restrict the key space?

The best way I know of is IBM's Commercial Data Masking Facility.  However,
it's patented.  In any event, see

@inproceedings{cdmf1,
        author = {D.B.Johnson and  S.M. Matyas and A.V. Le and J.D. Wilkins},
        title = "Design of the Commercial Data Masking Facility Data Privacy
Algorithm",
        year = {1993},
        booktitle = {Proceedings of the First ACM Conference on Computer and
Communications Security},
        month = {November},
        pages = {93--96}
}

@article{cdmf2,
        author = {D.B.Johnson and  S.M. Matyas and A.V. Le and J.D. Wilkins},
        title = "The Commercial Data Masking Facility ({CDMF}) Data Privacy
algorithm",
        journal = {IBM Jour. of Research and Development},
        volume = 38,
        number = 2,
        pages = {217--226},
        month = {March},
        year = 1994,
        annotate = {CDMF is covered by U.S. patent number 5,323,464.}
}




Date: Tue, 22 Oct 1996 17:08:03 -0400 (EDT)
Message-Id: <199610222108.RAA09089@carp.morningstar.com>
From: Karl Fox <karl@ascend.com>
To: perry@piermont.com
Cc: ipsec@TIS.COM
Subject: Re: 40-bit DES 
In-Reply-To: <199610222041.QAA16767@jekyll.piermont.com>
Reply-To: Karl Fox <karl@ascend.com>
Organization: Ascend Communications
Sender: ipsec-approval@neptune.tis.com
Precedence: bulk

Perry E. Metzger writes:
> Karl Fox writes:
> > Does anybody out there support ESP-DES-CBC using 40-bit keys?  If so,
> > how do you restrict the key space?
> 
> I'm sure you could do it using the lovely IBM CDMF algorithm.

The last time this question was brought up on this list, CDMF was
mentioned but it was said IBM had patented it.  I was trying to find
out what others did, if anybody does it at all.

> On the other hand, given how cheap it is to break a 40 bit key
> ($0.08, according to Blaze et al), why would you want to? If you are
> having export problems, move your development, don't cut back on
> your strength -- unless you are seeking embarassment.

It wouldn't embarass me at all.  If somebody wants to buy it, I'll be
happy to create a product that we can sell them.

As to exporting development, the NSA told us that not only couldn't we
export source with any kind of hook for encryption, we couldn't even
hire someone outside of the country to add encryption to an existing
product without running afoul of the U.S. laws.  Of course, I'm not a
lawyer, and am not suggesting that their claims were necessarily valid.
-- 
Karl Fox, servant of God, employee of Ascend Communications
3518 Riverside Drive, Suite 101, Columbus, Ohio 43221   +1 614 326 6841
Prev by Date: Re: Short keys * Options, combinations, and negotiations => simplicity
Next by Date: Re: isakmp-05.txt
Prev by thread: Re: Short keys * Options, combinations, and negotiations =>
Next by thread: Re: isakmp-05.txt
Index(es):
- Main
- Thread