RE: Comments on draft-ietf-ipsec-ike-01.txt (long)

["Mason, David" <David_Mason@nai.com>]

I vote for MAY  :)

-dave



> -----Original Message-----
> From:	Dan Harkins [SMTP:dharkins@network-alchemy.com]
> Sent:	Thursday, June 10, 1999 4:45 PM
> To:	Heyman, Michael
> Cc:	ipsec@lists.tislabs.com
> Subject:	Re: Comments on draft-ietf-ipsec-ike-01.txt (long) 
> 
>   I really miss Ran Atkinson. During a discussion on mandating support 
> for secure DNS he said the following:
> 
>   "Hmm.  Perhaps permit me to narrow those statements a bit to try to
> clarify
>    something (mandating implementation support vs. mandating use) that
>    periodically causes confusion within the IPsec WG.
> 
>    "The IETF requires that _implementations_ of IP also _implement_
> support for
>    DNS.  The IETF does NOT require that users actually _USE_ DNS.  Now
> most 
>    users DO use DNS because it is widely implemented and it is often
> easier to
>    use than typing an IP number.  However, on occasion users (e.g. me)
> don't 
>    use DNS and instead just type an IP number on the command line (e.g. 
>    "telnet 1.2.3.4") and this isn't violating any IETF requirement."
> 
> So we can mandate the support for negotiating up things like key lengths
> but
> not require that it be done every single time. If someone wants to have a
> policy that says, "128 bits no more no less" then they are free to do that
> without violating any IETF requirements just as Ran (and you, and me) is
> free 
> to type telnet 1.2.3.4 and not violate any IETF requirements.
> 
>   As I stated before, the text that is causing so many people problems is
> being
> rewritten and the word "policy" will not show up anywhere. No one is
> advocating
> overriding any policy. But the text said SHOULD. Some want MUST. So,
> keeping
> in mind the difference between mandating implementation support versus
> mandating use, what should it be? SHOULD or MUST? Is there a reason not to
> support this capability (again, keeping in mind the difference between
> mandating implementation support versus mandating use)?
> 
>   Dan.
> 
> On Thu, 03 Jun 1999 14:22:45 PDT you wrote
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > > From: Derrell D. Piper [mailto:ddp@network-alchemy.com]
> > > Sent: Thursday, June 03, 1999 12:39 PM
> > > 
> > > >   So let me ask the entire working group: should vendors
> > > >   be prohibited from accepting a key length greater than 
> > > >   what they have configured? Should they be prohibited from 
> > > >   accepting a stronger group? 
> > > 
> > > Absolutely not and I'd go so far as to make it a SHOULD 
> > > instead of a MAY.
> > > 
> > > We're trying to design good security, not workarounds for bad 
> > > implementations.
> > >
> > Hmmm, this means if a policy _explicitly_ states 128 bit encryption
> > (note, the policy _did not_ state 128 bit encryption or greater),
> > then IKE has the right to change the policy to be 128 bit or greater?
> >
> > IMHO, IKE must act dumb when it comes to policy and must not assume
> > it knows better then whatever set that policy. Here we seem to be
> > arguing that good security is allowing stronger encryption even when
> > stronger encryption is precluded by the policy. I would argue that
> > good security offers no such surprises.
> > 
> > I can imagine applications that may not want to manage, or be capable
> > of managing, the extra 320 bits (above 128) possible in in Blowfish.
> > I can imagine machines not wishing to do the extra work required of a
> > stronger group.
> > 
> > 
> > 
> > - -Michael Heyman

---

• Prev by Date: Re: Comments on draft-ietf-ipsec-ike-01.txt (long)
• Next by Date: Re: RFC2409
• Prev by thread: RE: Comments on draft-ietf-ipsec-ike-01.txt (long)
• Next by thread: RE: Comments on draft-ietf-ipsec-ike-01.txt (long)
• Index(es):
  • Main
  • Thread