
Re: IPSEC WORKING GROUP LAST CALL




"Theodore Y. Ts'o" writes:
> The triple DES document wasn't one of the documents that I put into IETF
> last call, as one of the "core group" of documents.  Do people believe
> that should get pushed out to the IESG at the same time?

Yes. In the years since the original IPSec work was done, DES has
become far too weak for words. To my clients with financial
applications, the few hundred K a DES cracker would cost is probably a
reasonable expense for an attacker to undertake. Even if we are not
going to mandate 3DES we should at least make sure that a solid
standard for how to do it is available at the same time as the other specs.

> There is a related question to the other cipher suites for which the DOI
> document contains references: ARCFOUR, Blowfish, and RC5.  Since RFCs
> are not allowed to refer to internet-drafts, what do we want to do with
> them in the DOI spec?

"ARCFOUR", a.k.a. RC4 (the name RC4 is trademarked), is described in
detail in Schneier. We could always reference that. Ditto for Blowfish.

Perry

