Re: 3DES (was: ipsec vs. firewalls)
Steve Bellovin wrote:
>
> I'm not sure that a discussion on the merits of firewalls is very
> profitable here. Regardless of whether or not we like them, I think
> we can all agree that firewalls are real, and are likely to remain so,
> and IPSEC (and everything else) should take notice of them.
>
> A more interesting topic is whether or not 3DES should be mandatory-
> to-implement. I suggest that it should be -- DES is obviously doomed
> (pick your favorite time constant), and we should take that into
> account. We're better off if the IPSEC boxes being deployed now are
> ready to switch.
I'd certainly argue that 3DES should be mandatory, but I'm of the
"encrypt 'til it hurts, then back off 3dB" school.

There's certainly still a perception that breaking 56-bit
DES is "hard". The mindset seems to be that "your average
pimply teen hacker" isn't going to bother assembling a
brute-forcing farm. It's not, of course, the "pimply teen hackers"
that concern me--and neither should they represent the threat
model we're (IETF/IPSEC WG) trying to guard against.

I could, of course, argue that CAST-128 should be mandatory, but that
would be letting my corporate loyalty show through :-)