
RE: Ciphersuites MUSTs and SHOULDs



In the original design of IPSec, I believe that in our desire to provide
choices for the end user we created a nightmare. The adoption of
multi-vendor IPSec has been delayed in implementation for that reason.
We need to think from the end user's viewpoint. Technically, what Ted
says is correct; however, from an end user's viewpoint, if they cannot
upgrade their currently operating equipment, we are not going to see the
benefits of IKEv2 implemented until existing equipment is phased out.
This will only increase product non-interoperability and resentment
toward IPSec.
My vote is to keep the original wording to allow the updating of
currently deployed systems.

Roger Younglove, CISSP
Principal Consultant
NetWorks Group
O. 810.225.4800 ex. 2245
M. 810.599.0879
E. ryounglove@networksgroup.com
www.networksgroup.com
 

-----Original Message-----
From: Paul Hoffman / VPNC [mailto:paul.hoffman@vpnc.org] 
Sent: Friday, January 31, 2003 1:16 PM
To: Theodore Ts'o; ipsec@lists.tislabs.com
Subject: Ciphersuites MUSTs and SHOULDs

Wearing his WG chair hat, Ted said:

>I have adjusted the MUST/SHOULD from Paul's message since I believe that
>for implementations that will be moving to implement IKEv2, it is
>reasonable to require the implementation of AES, as it has so many
>advantages over 3DES.

The current proposal contains not only a list of MUSTs and SHOULDs, 
it has language that is supposed to go into the document about them. 
The counter-proposal doesn't change the support language. The 
counter-proposal offers no security or interoperability rationale. 
For example, the counter-proposal mandates both 3DES and AES. How 
does that help interoperability or security?

Ted's proposal (which is certainly not based on any consensus from 
the mailing list) essentially prevents any currently-deployed IPsec 
system that has 3DES-acceleration from running IKEv2 sensibly. The 
vendor would have to offer AES in software next to 3DES in hardware, 
and hopefully explain to the user what the difference is.

Is this what the WG wants? Or would the WG prefer a set of MUSTs and 
SHOULDs that allow vendors to update currently-deployed systems with 
IKEv2?

--Paul Hoffman, Director
--VPN Consortium
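The interoperability argument in the two messages above comes down to what a mandatory-to-implement (MUST) set guarantees when a peer implements exactly that set and nothing more. The following is an added example, not code from the thread or from any IKE implementation: a simplified model of IKEv2 transform negotiation (responder picks, per transform type, one of the transforms the initiator offered) run against three hypothetical peer profiles. The algorithm identifiers, the non-encryption transforms and the peer profiles are assumptions made for illustration.

```python
# Added example (not part of the mailing-list thread): a simplified model of
# IKEv2 transform negotiation, used to show what a mandatory-to-implement
# (MUST) set does and does not guarantee between a legacy 3DES-hardware box
# and a responder that implements only the MUST set.
# Assumptions: transform names, the PRF/INTEG/D-H contents of each MUST set
# and the three peer profiles are hypothetical.

ENCR, PRF, INTEG, DH = "ENCR", "PRF", "INTEG", "D-H"
TRANSFORM_TYPES = (ENCR, PRF, INTEG, DH)

# The two MUST sets under discussion: Ted's (AES mandatory, 3DES not) and the
# counter-proposal (both mandatory). Non-ENCR entries are assumed.
MUST_AES_ONLY = {ENCR: {"AES-CBC"}, PRF: {"PRF_HMAC_SHA1"},
                 INTEG: {"AUTH_HMAC_SHA1_96"}, DH: {"MODP-1024"}}
MUST_BOTH = {ENCR: {"AES-CBC", "3DES"}, PRF: {"PRF_HMAC_SHA1"},
             INTEG: {"AUTH_HMAC_SHA1_96"}, DH: {"MODP-1024"}}

# Initiator proposals: an ordered (most preferred first) list per transform.
# LEGACY_3DES_HW: deployed box whose accelerator only does 3DES.
# UPGRADED_BOX:   same box with AES added in software, still preferring the
#                 hardware 3DES path.
LEGACY_3DES_HW = {ENCR: ["3DES"], PRF: ["PRF_HMAC_SHA1"],
                  INTEG: ["AUTH_HMAC_SHA1_96"], DH: ["MODP-1024"]}
UPGRADED_BOX = {ENCR: ["3DES", "AES-CBC"], PRF: ["PRF_HMAC_SHA1"],
                INTEG: ["AUTH_HMAC_SHA1_96"], DH: ["MODP-1024"]}


def minimal_responder(must):
    """A responder that implements exactly the MUST set and nothing else."""
    return {ttype: set(algs) for ttype, algs in must.items()}


def negotiate(proposal, supported, prefer=None):
    """Responder-side selection.

    For each transform type, keep the offered transforms the responder
    supports. If the responder has its own preference list for that type,
    take the first preferred transform that was offered; otherwise follow the
    initiator's order. Any transform type with no common transform means the
    whole proposal is rejected (NO_PROPOSAL_CHOSEN), returned here as None.
    """
    prefer = prefer or {}
    chosen = {}
    for ttype in TRANSFORM_TYPES:
        common = [alg for alg in proposal[ttype] if alg in supported[ttype]]
        if not common:
            return None
        pick = next((alg for alg in prefer.get(ttype, []) if alg in common),
                    common[0])
        chosen[ttype] = pick
    return chosen


def outcome_matrix():
    """Encryption transform agreed (or None) for each initiator/MUST pairing."""
    results = {}
    for init_name, proposal in (("legacy", LEGACY_3DES_HW),
                                ("upgraded", UPGRADED_BOX)):
        for must_name, must in (("must_aes_only", MUST_AES_ONLY),
                                ("must_both", MUST_BOTH)):
            sa = negotiate(proposal, minimal_responder(must))
            results[(init_name, must_name)] = sa[ENCR] if sa else None
    return results


if __name__ == "__main__":
    for pair, encr in outcome_matrix().items():
        print(f"{pair[0]:>8} initiator vs {pair[1]:<13} -> {encr}")
    # A responder policy that prefers AES gets it whenever both sides have it:
    sa = negotiate(UPGRADED_BOX, minimal_responder(MUST_BOTH),
                   prefer={ENCR: ["AES-CBC"]})
    print("upgraded vs must_both with AES-preferring responder ->", sa[ENCR])
```

The matrix makes the two positions concrete: a minimal responder built to the AES-only MUST set cannot negotiate with the legacy box at all, while one built to the "both" set can; but mandating both only guarantees that 3DES is available, not that AES is used, since the agreed cipher still follows the peers' preference lists.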
