
RE: Win2000 IKE and 3des

This is not a design error.  If you have an export driver, how can you expect to run 3DES?

Now, why we can't reject it.  Envision you are running a world-wide corporation where domain-based policies are assigned to clients at different sites in different countries.  Some of them run the export version of Win2K.  Since it is near impossible to know what version of Win2K clients are running, all client policies are set to use 3DES.  On the corp-side, some servers will be configured to accept 3DES only and others both DES and 3DES.  If you don't weaken 3DES on the export clients, there is no way to talk to servers with DES configured.

Having said that, the report mechanism should probably be improved and we will address this in the next release.

--Chun

-----Original Message-----
From: Paul Koning [mailto:pkoning@xedia.com]
Sent: Friday, May 12, 2000 1:24 PM
To: Sumi Singh
Cc: ipsec@lists.tislabs.com
Subject: RE: Win2000 IKE and 3des


>>>>> "Sumi" == Sumi Singh <sumis@Exchange.Microsoft.com> writes:

 Sumi> Just to clarify the behaviour of Windows 2000 - Windows 2000
 Sumi> weakens 3DES policy to DES if you do not have the strong
 Sumi> encryption pack (128-bit) installed. This weakening is
 Sumi> announced by an event in the Audit log. So if you have 2 peers
 Sumi> with no encryption pack installed, and a policy to use 3DES,
 Sumi> they will talk DES since they cannot do 3DES.

Clearly that's a major design error.

If you ask for something that's not supported, it should be rejected.
To change it (even with a message in some obscure log) is clearly
wrong.  You don't build secure systems that way.

        paul
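The two positions in this thread (weaken an unsupportable 3DES policy to DES and log an audit event, versus refuse to negotiate at all) can be made concrete with a small model of IKE encryption-policy negotiation. The following is an added example written for this archive page; it is not Windows 2000 code, not part of any real IKE implementation, and the peer names, the `WEAKEN` table and the audit strings are constructed for illustration.

```python
"""Toy model of IKE encryption-policy negotiation (constructed example,
not Windows 2000 or any real IKE stack).  Compares the 'weaken 3DES to
DES and record an audit event' behaviour described in the thread with a
strict mode that refuses to negotiate a policy the local driver cannot honour."""
from dataclasses import dataclass, field

# Substitution an export-restricted driver would apply (constructed table).
WEAKEN = {"3DES": "DES"}


class PolicyError(Exception):
    """Strict mode: the policy asks for an algorithm the driver lacks."""


class NegotiationError(Exception):
    """The two proposal lists have no algorithm in common."""


@dataclass
class Peer:
    name: str
    policy: list            # allowed algorithms, most preferred first
    supported: set          # what the local crypto driver can actually run
    strict: bool = True     # True: reject unsupported policy; False: weaken it
    audit: list = field(default_factory=list)   # stand-in for the audit log

    def proposals(self):
        """Algorithms this peer will actually offer (or accept)."""
        out = []
        for alg in self.policy:
            if alg in self.supported:
                out.append(alg)
                continue
            if self.strict:
                raise PolicyError(f"{self.name}: {alg} in policy but not in driver")
            weaker = WEAKEN.get(alg)
            if weaker in self.supported:
                # The silent downgrade: visible only in the audit record.
                self.audit.append(f"{self.name}: policy {alg} weakened to {weaker}")
                out.append(weaker)
        return out


def negotiate(initiator, responder):
    """Responder accepts the first initiator proposal its own policy allows."""
    accepted = responder.proposals()
    for alg in initiator.proposals():
        if alg in accepted:
            return alg
    raise NegotiationError(f"{initiator.name} <-> {responder.name}: no common algorithm")


def attempt(initiator, responder):
    """Run one negotiation and describe the outcome as a string."""
    try:
        return "negotiated " + negotiate(initiator, responder)
    except (PolicyError, NegotiationError) as exc:
        return "rejected: " + str(exc)


def run_scenarios():
    """The cases from the thread; returns {case: outcome} for inspection."""
    results = {}
    # Export client: policy says 3DES, driver only has DES, weaken mode.
    export_client = Peer("export-client", ["3DES"], {"DES"}, strict=False)
    server_3des_only = Peer("server-3des", ["3DES"], {"3DES", "DES"})
    server_both = Peer("server-both", ["3DES", "DES"], {"3DES", "DES"})
    results["weaken-vs-3des-only"] = attempt(export_client, server_3des_only)
    results["weaken-vs-both"] = attempt(export_client, server_both)
    results["audit"] = list(export_client.audit)   # one event per negotiation
    # Same export client, but configured to reject rather than weaken.
    strict_client = Peer("strict-client", ["3DES"], {"DES"}, strict=True)
    results["strict-vs-both"] = attempt(strict_client, server_both)
    return results


if __name__ == "__main__":
    for case, outcome in run_scenarios().items():
        print(f"{case}: {outcome}")
```

In weaken mode the export client reaches DES with the server that allows both ciphers but still cannot reach the 3DES-only server, and the only trace of the downgrade is the audit entry; in strict mode the negotiation never starts, which is the behaviour argued for in the quoted message. Anyone monitoring such deployments would want to alert on the audit event rather than rely on the policy setting alone.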

