
RE: Last ditch proposal for crypto suites



If I heard Charlie right, the ability to handle a la carte negotiation
would be optional, so if it turns out to be necessary after all, there
would have to be a mad scramble to implement it in all the
implementations that had left it out at first.

Ok, so be it.

One data point: in a past life when I implemented IPsec, we
effectively implemented suites.  The management interface had a MIB
table of "crypto profiles" -- table rows with a name and a choice for
each of the transforms.  We supplied a default set of profiles, the
obvious suspects: default-auth (md5 only); default-weak (md5 and des);
default-strong (md5 and 3des).  I don't remember anyone ever adding
profiles to that list, unless they were testing oddball setups at
bakeoff meetings...

So I would argue that the suite approach is the best way to meet
customer needs.

	 paul