Re: Slicing and dicing
> Given this, I'd say forget about handling it.
Quick question, do you mean key mgmt. failing? If so, I agree, and you state
the perfect reasons why below...
> The world isn't just DES, though. The question about what to do with weak
> keys in general. Are weak keys in other algorithms equally improbable?
I dunno about other algorithms, but you can't discount that possibility.
> Given the difficulty in even test code to replace the weak keys with
> other keys, I'd prefer to simply fail the SA, and cause ISAKMP to start
> over again. I think even my vic-20 can afford to do this once every
> (86400/300 * 365)/(2* 10**-52) years.
Pardon the small plug, but PF_KEY has, since its inception, and at the
insistence of the many, REQUIRED to return errors when an algorithm's key is
deemed weak. This means either SADB_ADD, or SADB_UPDATE will fail miserably
when/if a weak key is fed down.
I agree with Michael, in that the SA should fail, and ISAKMP should kick in
again.
Just my $0.02.
Dan