
Re: speaking of keys



Stephen Kent wrote:
> 
> If we choose more than one MUST value, then we should be able to rely
> on interoperability on either value, and people at least have an
> ability to pick one as a default.  My original concern was that they
> might default to the biggest value (on the "bigger is better" theory
> of operation) and then we would get bad press re the expense of
> IPsec/IKE.
> 
> Maybe we can't avoid this, but that was the concern I originally
> voiced. Another way of approaching this might be to mandate support
> for larger group sizes, but not yet mandate support for SPECIFIC
> groups at these larger sizes. That way user communities would be free
> to choose groups at bigger sizes and be assured of interoperability
> among various vendor products, but we could avoid creating  defaults
> that we know users would select mindlessly.
> 
One could put some guidance in the document about relative performance
and security merits of the mandated groups.  Or even actual numbers
("at the time of writing, here's the deal on performance").  I think
that the best we can accomplish is to provide guidance to the developers
trying to cut code for this standard. It's up to them to determine how
to best "package" this for the ultimate consumer.

I really don't have a problem with MUSTing a couple of groups at least.

    1024 - fast, but somewhat less secure
    15xx - slower, but rather more secure

I can sympathize with not wanting to mandate the much larger groups.
Small devices (telephones, for example) really do have some serious
storage and performance issues, but storage is the real killer, as it
turns out.  Bad engineering, if you ask me, but the reality is that there
are a whole poopload of these devices out in the field, with a bigger
poopload on the way.  These things are *very* cost-sensitive.  It really
is the case that product line managers will agonize over feature
decisions that might require adding another $0.50 to the hardware cost
of the device.

-- 
----------------------------------------------------------------------
Marcus Leech                             Mail:   Dept 8M70, MS 012, FITZ
Advisor                                  Phone: (ESN) 393-9145  +1 613 763 9145
Security Architecture and Planning       Fax:   (ESN) 393-9435  +1 613 763 9435
Nortel Networks                          mleech@nortelnetworks.com
-----------------Expressed opinions are my own, not my employer's------