Re: Comments on Section 3.1 of new IKE draft

[Sandy Harris <sandy.harris@sympatico.ca>]

Jesse Walker wrote:

> 2. Section 3.1. continues:
> 
>      In addition IKE implementations SHOULD support the following
>      values:
>      - CAST in CBC mode and Blowfish in CBC mode for encryption
>      algorithm.

Should say CAST-128 and reference RFC 2144 to indicate which member
of the CAST family of ciphers.
 
[snip]

> Charles Kunsinger already made the point that most of these have not
> been discussed on the list, and it is not self-evident whether any of
> these algorithms really rate a SHOULD.

Blowfish and CAST-128 are significantly faster in software than DES let
alone 3DES, have adequate keylength, and have withstood considerable
analysis. Both specs and implementations are freely avaialble.

IPSEC definitely SHOULD support some modern block ciphers, designed
after DES and building on the experience gained analysing it. CAST-128
and Blowfish are the obvious candidates. 

Sure seems self-evident to me.

We should add "... MAY support any AES round two candidate cipher ..."?

> Without clear guidelines on when
> and why to use each of these algorithms, arbitrarily adding SHOULDs ...

It's not arbitrary. At least not for block ciphers.

Clear guidelines? How about these: Offer both whenever you intiate.
Accept either. Prefer either to 3DES. Of the two, prefer CAST-128
because it rekeys faster and has lower memory overhead.

---

Follow-Ups:

• Re: Comments on Section 3.1 of new IKE draft
• From: Will Price <wprice@cyphers.net>

References:

• Comments on Section 3.1 of new IKE draft
• From: "Jesse Walker" <jwalker@shiva.com>

---

• Prev by Date: Proposal for IP Peer protocol
• Next by Date: Re: Comments on draft-ietf-ipsec-ike-01.txt (long)
• Prev by thread: Re: Comments on Section 3.1 of new IKE draft
• Next by thread: Re: Comments on Section 3.1 of new IKE draft
• Index(es):
  • Main
  • Thread