
Re: Win2000 IKE and 3des




> This is not a design error.  If you have an export driver, how can you
> expect to run 3DES?

You can't.

> 
> Now why we can't reject it.  Envision you are running a world-wide
> corporation where domain-based policies are assigned to clients at
> different sites at different counties.  Some of them run the export
> version of Win2K.  Since it is near impossible to know what version of
> Win2K clients are running, so all clients' policies are set to use 3DES.
> On the corp-side, some servers will be configured to accept 3DES only
> and others both DES and 3DES.  If you don't weaken 3DES on the export
> clients, there is no way to talk to servers with DES configured.

Then you need to have a configuration option that allows the administrator
to configure 3DES and DES, or 3DES only.

> 
> Having said that, the report mechanism should probably be improved and
> we will address this in the next release.

Sorry Chun,
  I see the problem you are trying to address, but I don't agree
with your solution.

Regards,
Michael Carney

> 
> --Chun
> 
> -----Original Message-----
> From: Paul Koning [mailto:pkoning@xedia.com]
> Sent: Friday, May 12, 2000 1:24 PM
> To: Sumi Singh
> Cc: ipsec@lists.tislabs.com
> Subject: RE: Win2000 IKE and 3des
> 
> 
> >>>>> "Sumi" == Sumi Singh <sumis@Exchange.Microsoft.com> writes:
> 
>  Sumi> Just to clarify the behaviour of Windows 2000 - Windows 2000
>  Sumi> weakens 3DES policy to DES if you do not have the strong
>  Sumi> encryption pack (128-bit) installed. This weakening is
>  Sumi> announced by an event in the Audit log. So if you have 2 peers
>  Sumi> with no encryption pack installed, and a policy to use 3DES,
>  Sumi> they will talk DES since they cannot do 3DES.
> 
> Clearly that's a major design error.
> 
> If you ask for something that's not supported, it should be rejected.
> To change it (even with a message in some obscure log) is clearly
> wrong.  You don't build secure systems that way.
> 
> 	paul
> 




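The thread contrasts three behaviours when a policy asks for 3DES on a host whose export driver only has DES: Windows 2000's silent weakening to DES with an audit event, Paul's fail-closed rejection, and Michael's explicit "3DES and DES" versus "3DES only" option. The following is an added Python model of that selection logic, not Windows 2000 code or anything posted in the thread; the cipher names, the list-shaped policy and the audit list are assumptions for illustration.

```python
class PolicyError(Exception):
    """Raised when the configured policy cannot be honoured (fail-closed)."""


def select_cipher(policy, local_caps, peer_offer, downgrade=False, audit=None):
    """Choose the IKE cipher for a new SA.

    policy     : ciphers the administrator allows, in order of preference,
                 e.g. ["3DES"] ("3DES only") or ["3DES", "DES"] ("3DES and DES")
    local_caps : ciphers the installed crypto driver supports; an export
                 driver is modelled as {"DES"} (no strong encryption pack)
    peer_offer : ciphers the peer proposes
    downgrade  : True mimics the behaviour described in the thread: when no
                 policy entry is supported locally, weaken to DES and log an
                 audit event instead of rejecting
    audit      : list that receives audit-log style messages (constructed)
    """
    if audit is None:
        audit = []
    # Only ciphers the local driver can actually run may be offered.
    offerable = [c for c in policy if c in local_caps]
    for c in policy:
        if c not in local_caps:
            audit.append(f"{c} is in policy but the local driver cannot provide it")
    if not offerable:
        if downgrade and "DES" in local_caps:
            # Silent weakening: the policy said 3DES, the SA will use DES.
            audit.append("policy weakened to DES (strong encryption pack missing)")
            offerable = ["DES"]
        else:
            # Fail closed: an unsatisfiable policy is an error, not a downgrade.
            raise PolicyError("policy requires a cipher the local driver lacks")
    # Administrator preference order decides among ciphers the peer also accepts.
    for c in offerable:
        if c in peer_offer:
            return c
    raise PolicyError("no cipher acceptable to both policy and peer")


def demo():
    """Constructed scenarios: an export-driver client against a DES-capable server."""
    export_driver, server = {"DES"}, ["3DES", "DES"]
    log = []
    weakened = select_cipher(["3DES"], export_driver, server, downgrade=True, audit=log)
    explicit = select_cipher(["3DES", "DES"], export_driver, server)
    try:
        select_cipher(["3DES"], export_driver, server)
        rejected = False
    except PolicyError:
        rejected = True
    return weakened, explicit, rejected, log
```

With `downgrade=True` the "3DES only" policy quietly yields a DES SA, the failure mode Paul objects to; with the explicit "3DES and DES" option the same host still uses DES, but because the administrator allowed it, and "3DES only" is rejected outright.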