
RE: Win2000 IKE and 3des

I will be in touch with Declan regarding this shortly.  I will note in separate email the info available on Win2k IPSec.  I'd appreciate it if there are other issues regarding Windows 2000 IPSec that media representatives need addressed, send email directly to me for IPSec only, or Rob Trace, robt@microsoft.com, who is the program manager for VPN.

Wm
William Dixon
Program Manager - Internet Protocol Security
Windows Operating Systems Division
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399
Email: WDixon@microsoft.com (preferred), Work: 425-703-8729

-----Original Message-----
From: Mike Carney [mailto:carney@securecomputing.com]
Sent: Monday, May 15, 2000 7:32 AM
To: Chun Ye
Cc: Paul Koning; Sumi Singh; ipsec@lists.tislabs.com;
carney@jumpsrv.stp.securecomputing.com
Subject: Re: Win2000 IKE and 3des



> This is not a design error.  If you have an export driver, how can you
> expect to run 3DES?

You can't.

>
> Now why we can't reject it.  Envision you are running a world-wide
> corporation where domain-based policies are assigned to clients at
> different sites in different countries.  Some of them run the export
> version of Win2K.  Since it is near impossible to know what version of
> Win2K clients are running, all clients' policies are set to use 3DES.
> On the corp-side, some servers will be configured to accept 3DES only
> and others both DES and 3DES.  If you don't weaken 3DES on the export
> clients, there is no way to talk to servers with DES configured.

Then you need to have a configuration option that allows the administrator
to configure 3DES and DES or 3DES only.

>
> Having said that, the report mechanism should probably be improved and
> we will address this in the next release.

Sorry Chun,
  I see the problem you are trying to address, but I don't agree
with your solution.

Regards,
Michael Carney

>
> --Chun
>
> -----Original Message-----
> From: Paul Koning [mailto:pkoning@xedia.com]
> Sent: Friday, May 12, 2000 1:24 PM
> To: Sumi Singh
> Cc: ipsec@lists.tislabs.com
> Subject: RE: Win2000 IKE and 3des
>
>
> >>>>> "Sumi" == Sumi Singh <sumis@Exchange.Microsoft.com> writes:
>
>  Sumi> Just to clarify the behaviour of Windows 2000 - Windows 2000
>  Sumi> weakens 3DES policy to DES if you do not have the strong
>  Sumi> encryption pack (128-bit) installed. This weakening is
>  Sumi> announced by an event in the Audit log. So if you have 2 peers
>  Sumi> with no encryption pack installed, and a policy to use 3DES,
>  Sumi> they will talk DES since they cannot do 3DES.
>
> Clearly that's a major design error.
>
> If you ask for something that's not supported, it should be rejected.
> To change it (even with a message in some obscure log) is clearly
> wrong.  You don't build secure systems that way.
>
>       paul
>
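The thread's disagreement, as an added constructed model that is not Windows 2000 code nor any list member's own: a peer that silently weakens 3DES to DES and writes an audit entry (the behaviour Sumi described), a fail-closed peer that refuses to negotiate when its policy cannot be met, and the explicit "3DES and DES" configuration Mike asks for. Cipher names, the capability sets (export driver = DES only, domestic driver = DES + 3DES) and the audit string are assumptions.

```python
"""Constructed model of IKE transform selection: the silent 3DES-to-DES
weakening from the thread vs a fail-closed policy vs an explicit "3DES and DES"
policy. Not Windows 2000 code; capability sets are assumptions."""
from dataclasses import dataclass, field
from typing import List, Set

STRENGTH = {"DES": 1, "3DES": 2}  # assumed ranking used to pick a weaker cipher


class PolicyError(Exception):
    """Policy demands a transform the local crypto driver cannot run."""


@dataclass
class Peer:
    name: str
    supported: Set[str]            # what the installed crypto driver can run
    policy: List[str]              # what the administrator allows, strongest first
    allow_downgrade: bool = False  # Win2k-style weakening, modelled as an opt-in
    audit: List[str] = field(default_factory=list)

    def offered_transforms(self) -> List[str]:
        """Transforms carried in this peer's IKE proposal. Fail-closed: refuse if
        nothing in policy is runnable. Downgrade mode: offer the strongest weaker
        runnable cipher and log it, the behaviour Sumi described."""
        runnable = [c for c in self.policy if c in self.supported]
        if runnable:
            return runnable
        if not self.allow_downgrade:
            raise PolicyError(f"{self.name}: {self.policy} unsupported by driver")
        wanted = min(self.policy, key=STRENGTH.__getitem__)
        weaker = sorted((c for c in self.supported if STRENGTH[c] < STRENGTH[wanted]),
                        key=STRENGTH.__getitem__, reverse=True)
        if not weaker:
            raise PolicyError(f"{self.name}: no weaker cipher to fall back to")
        self.audit.append(f"weakened {wanted} to {weaker[0]}")
        return [weaker[0]]

    def accepts(self, cipher: str) -> bool:
        """A responder takes only what its policy lists and its driver can run."""
        return cipher in self.policy and cipher in self.supported


def negotiate(initiator: Peer, responder: Peer) -> str:
    """Agreed cipher, 'NO-SA' if nothing in common, 'REFUSED' if policy unmet."""
    try:
        offers = initiator.offered_transforms()
    except PolicyError:
        return "REFUSED"
    return next((c for c in offers if responder.accepts(c)), "NO-SA")
```

Note that the export client in downgrade mode reaches the DES-capable server only because its policy was silently rewritten; the same client with `allow_downgrade=False` gets no SA at all, and only an administrator who listed DES in the policy gets DES without an audit entry.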