Re: Comments on draft-ietf-ipsec-ike-01.txt (long)

[Shawn Mamros <smamros@nortelnetworks.com>]

>I'm attempting to codify the behavior of certain implementations. Some
>people will not accept group 1 if they have group 2 configured but will
>happily accept group 5. That seems to be correct behavior. Similarly for
>variable length ciphers. If you're configured for 128 bit blowfish and
>someone asks you if you want to do 448 bit blowfish do you refuse? If so
>why? If not then where in the RFCs does it say that you can do this? 

In addition to the concerns about this that Tim Jenkins stated, I'll
add one more:

A site admin running a box intending to support many IPSec and IKE
SAs (where "many" could number in the hundreds or thousands) might
be concerned about the performance of said box when running stronger
ciphers, or when running larger D-H groups.  In particular, if one
is handling lots of rekeying operations and is using PFS, then D-H
performance could become a concern.  I could see where an admin might
be concerned that D-H will "take too long" if an implementation
automatically accepts group 5 when group 2 is configured, with no
means provided to change that behavior, just because "the standard
says so".

Performance tradeoffs may be just as important, and perhaps even more
so, than security tradeoffs to some people.  I feel uncomfortable
legislating behavior that might fly in the face of what end-users
and end-administrators want to do.

-Shawn Mamros
E-mail to: smamros@nortelnetworks.com

---

Follow-Ups:

• Re: Comments on draft-ietf-ipsec-ike-01.txt (long)
• From: Dan Harkins <dharkins@network-alchemy.com>

---

• Prev by Date: New MIB Drafts Submitted
• Next by Date: RE: Comments on draft-ietf-ipsec-ike-01.txt (long)
• Prev by thread: Re: Comments on draft-ietf-ipsec-ike-01.txt (long)
• Next by thread: Re: Comments on draft-ietf-ipsec-ike-01.txt (long)
• Index(es):
  • Main
  • Thread