Re: Last ditch proposal for crypto suites



At 05:58 PM 8/29/2002 -0400, Charlie_Kaufman@notesdev.ibm.com wrote:
>
>I propose that we remove the text for a la carte negotiation from the IKEv2
>spec, 
...

I'm amazed that after so many years the WG is still arguing over this issue
(or maybe I'm not).  As Steve B. pointed out, interoperability and buggy code
are very important considerations.

We only need to spec two MUST have suites: RSA/3DES-CBC/SHA-1 and
RSA/AES-CTR-128/SHA-2.  Forget the rest, they are going into the dustbin
of history.  Details like PFS, HMAC should be the same across the suites. 

What I'll add, along with my vote to do suites, is that the receiver MUST
accept whatever suite the sender chooses to use.  This will make life a lot
easier and will not be a "security" problem. The difference between 3DES and 
AES-128 is minor.  What we are really after is to provide an upgrade path from
3DES to AES, to gain the huge performance improvement and yet not screw our
existing customers.

Choose the mandatory suites wisely and sparingly.  Once the IKEv2 dust has 
settled there will be much more difficult fish to fry.

Good luck Charlie & Co.,

- Alex

--

Alex Alten
Alten@ATTBI.com