Re: Win2000 IKE and 3des
> This is not a design error. If you have an export driver, how can you
> expect to run 3DES?
You can't.
>
> Now why we can't reject it. Envision you are running a world-wide
> corporation where domain-based policies are assigned to clients at
> different sites at different countries. Some of them run the export
> version of Win2K. Since it is near impossible to know what version of
> Win2K clients are running, all clients' policies are set to use 3DES.
> On the corp-side, some servers will be configured to accept 3DES only
> and others both DES and 3DES. If you don't weaken 3DES on the export
> clients, there is no way to talk to servers with DES configured.
Then you need to have a configuration option that allows the administrator
to configure 3DES and DES, or 3DES only.
>
> Having said that, the report mechanism should probably be improved and
> we will address this in the next release.
Sorry Chun,
I see the problem you are trying to address, but I don't agree
with your solution.
Regards,
Michael Carney
>
> --Chun
>
> -----Original Message-----
> From: Paul Koning [mailto:pkoning@xedia.com]
> Sent: Friday, May 12, 2000 1:24 PM
> To: Sumi Singh
> Cc: ipsec@lists.tislabs.com
> Subject: RE: Win2000 IKE and 3des
>
>
> >>>>> "Sumi" == Sumi Singh <sumis@Exchange.Microsoft.com> writes:
>
> Sumi> Just to clarify the behaviour of Windows 2000 - Windows 2000
> Sumi> weakens 3DES policy to DES if you do not have the strong
> Sumi> encryption pack (128-bit) installed. This weakening is
> Sumi> announced by an event in the Audit log. So if you have 2 peers
> Sumi> with no encryption pack installed, and a policy to use 3DES,
> Sumi> they will talk DES since they cannot do 3DES.
>
> Clearly that's a major design error.
>
> If you ask for something that's not supported, it should be rejected.
> To change it (even with a message in some obscure log) is clearly
> wrong. You don't build secure systems that way.
>
> paul
>
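The disagreement in this thread is about what a negotiator should do when policy asks for a transform the local build cannot run: substitute DES and log it (the Windows 2000 behaviour Sumi describes), or fail closed and require the administrator to state "3DES or DES" explicitly (Michael's suggestion). The following model is an added example written for this archive page; it is not Windows 2000 code and not IKE itself, and the peer names, the `Peer` structure and the `negotiate` function are constructed for illustration. It shows both behaviours side by side so the difference in outcome and in audit trail is visible.

```python
"""Constructed model of fail-closed vs silent-downgrade transform selection.

Not Windows 2000 or IKE code; names and structures are illustrative only.
"""
from dataclasses import dataclass

DES = "DES"
TDES = "3DES"


@dataclass
class Peer:
    name: str
    supported: frozenset          # ciphers this build can actually run (export build: DES only)
    policy: tuple                 # administrator-assigned policy, in preference order
    silent_downgrade: bool = False  # True models the weakening described in the thread


class NegotiationError(Exception):
    pass


def build_offer(peer: Peer, audit: list) -> list:
    """Proposals the initiator puts on the wire, derived from its policy."""
    offer = []
    for cipher in peer.policy:
        if cipher in peer.supported:
            offer.append(cipher)
        elif peer.silent_downgrade and DES in peer.supported:
            # Silent weakening: substitute DES and leave only an audit record.
            audit.append(f"{peer.name}: policy {cipher} weakened to {DES}")
            if DES not in offer:
                offer.append(DES)
        else:
            # Fail closed: an unsupported cipher is dropped, never substituted.
            audit.append(f"{peer.name}: policy {cipher} unsupported, not offered")
    return offer


def negotiate(initiator: Peer, responder: Peer, audit: list) -> str:
    """Return the first offered cipher the responder both allows and supports."""
    offer = build_offer(initiator, audit)
    if not offer:
        raise NegotiationError(f"{initiator.name}: no proposal satisfies policy")
    for cipher in offer:
        if cipher in responder.policy and cipher in responder.supported:
            return cipher
    raise NegotiationError(f"{responder.name}: no acceptable proposal in {offer}")


def scenario(client_policy: tuple, downgrade: bool, server_policy: tuple):
    """Export client (DES-only build) talking to a server that can run both.

    Returns (negotiated cipher or None, audit lines).
    """
    audit = []
    client = Peer("export-client", frozenset({DES}), client_policy, downgrade)
    server = Peer("server", frozenset({DES, TDES}), server_policy)
    try:
        return negotiate(client, server, audit), audit
    except NegotiationError as exc:
        return None, audit + [str(exc)]


if __name__ == "__main__":
    cases = [
        ("3DES policy, silent downgrade, server allows both", (TDES,), True, (TDES, DES)),
        ("3DES policy, fail closed, server allows both", (TDES,), False, (TDES, DES)),
        ("explicit 3DES-or-DES policy, fail closed", (TDES, DES), False, (TDES, DES)),
        ("explicit 3DES-or-DES policy, server is 3DES-only", (TDES, DES), False, (TDES,)),
    ]
    for label, pol, dg, srv in cases:
        result, log = scenario(pol, dg, srv)
        print(f"{label}: {result}")
        for line in log:
            print("   ", line)
```

Only the first case produces a DES tunnel that nobody explicitly asked for; the fail-closed cases either refuse outright or reach DES solely because the administrator's policy listed it, which is the configuration option the reply argues for.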