
Re: suites vs. a la carte and IPcomp in IKEv2-05



Paul Koning <pkoning@equallogic.com> writes:
> Sure I know about that hardware, but that wasn't your example.  You
> said "3DES and SHA" vs. "AES and MD5".  7811 supports 3DES with either
> SHA or MD5; later chips support AES with either SHA or MD5.  So the
> choice for authentication function does not affect whether you are
> able to perform a given encryption algorithm.
I don't know of any real hardware that supports the second combination,
but I wouldn't be at all surprised to hear about it. 

I haven't examined this particular IPsec situation in excruciating
detail, but I can tell you that this kind of thing used to come up all
the time with SSL, especially when the private keying material is also
in hardware for security purposes.  So, for instance, you couldn't mix
and match Skipjack with DH.  And the more individual negotiable items
one has, the worse things get.  For instance, if one ends up
negotiating compression as well...

However, if none of the hardware guys care, I suppose that one can
consider this a theoretical issue.

-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/
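The point Eric makes about hardware that only supports certain complete combinations is easier to see in a small model of the two negotiation styles. The following is an added example, not code from the thread or from any IKE implementation; the peers, their "hardware" capability sets and the attribute names (encryption, integrity, DH group, compression) are constructed for illustration and do not describe any real chip. It shows how a la carte negotiation, which picks each attribute independently from what both sides advertise, can agree on a combination that one side's hardware cannot actually execute, while suite-style negotiation only ever agrees on a combination both sides have advertised as a whole. It also counts how the a la carte space grows with each additional negotiable attribute.

```python
from math import prod

# Negotiable attributes, in the order used in every combination tuple.
ATTRS = ("encryption", "integrity", "dh_group", "compression")


class Peer:
    """A peer whose hardware can only execute certain complete combinations.

    `supported` lists full (encryption, integrity, dh_group, compression)
    tuples in order of preference.  These are constructed capability sets
    for illustration, not any real device's feature list.
    """

    def __init__(self, name, supported):
        self.name = name
        self.supported = [tuple(c) for c in supported]

    def advertised(self):
        """What a la carte negotiation lets the peer express: one independent
        preference list per attribute, derived from the supported tuples.
        The cross-attribute constraints (which cipher goes with which hash,
        with or without compression) are lost at this step."""
        lists = []
        for i in range(len(ATTRS)):
            seen = []
            for combo in self.supported:
                if combo[i] not in seen:
                    seen.append(combo[i])
            lists.append(seen)
        return lists

    def can_run(self, combo):
        """True only if the hardware supports this exact combination."""
        return combo is not None and tuple(combo) in self.supported


def negotiate_a_la_carte(initiator, responder):
    """Pick each attribute independently: the first value in the initiator's
    preference list that the responder also advertises.  Returns the agreed
    tuple, or None if some attribute has no common value.  Nothing here
    checks that either side can run the resulting combination."""
    chosen = []
    for mine, theirs in zip(initiator.advertised(), responder.advertised()):
        common = [v for v in mine if v in theirs]
        if not common:
            return None
        chosen.append(common[0])
    return tuple(chosen)


def negotiate_suites(initiator, responder):
    """Negotiate whole combinations: the first of the initiator's supported
    tuples that the responder also supports, or None.  Any agreement is by
    construction runnable on both sides."""
    for combo in initiator.supported:
        if responder.can_run(combo):
            return combo
    return None


def a_la_carte_space(peer):
    """Number of distinct combinations a peer's a la carte advertisement
    admits, i.e. how many it may be asked to run (and would have to have
    tested).  Each extra negotiable attribute multiplies this."""
    return prod(len(values) for values in peer.advertised())


# Constructed peers with hypothetical hardware constraints.
PEER_A = Peer("A", [
    ("AES", "HMAC-SHA1", "MODP-2048", "none"),
    ("3DES", "HMAC-MD5", "MODP-1024", "none"),
    ("3DES", "HMAC-SHA1", "MODP-1024", "none"),
])
PEER_B = Peer("B", [
    ("AES", "HMAC-MD5", "MODP-1024", "none"),
    ("AES", "HMAC-SHA1", "MODP-2048", "DEFLATE"),
    ("3DES", "HMAC-SHA1", "MODP-1024", "none"),
])

if __name__ == "__main__":
    alc = negotiate_a_la_carte(PEER_A, PEER_B)
    print("a la carte:", alc,
          "| A can run:", PEER_A.can_run(alc),
          "| B can run:", PEER_B.can_run(alc))
    suite = negotiate_suites(PEER_A, PEER_B)
    print("suites    :", suite,
          "| A can run:", PEER_A.can_run(suite),
          "| B can run:", PEER_B.can_run(suite))
    for p in (PEER_A, PEER_B):
        print(f"{p.name}: a la carte admits {a_la_carte_space(p)} combinations,"
              f" hardware supports {len(p.supported)}")
```

Running it, the a la carte exchange settles on AES with HMAC-SHA1 and MODP-2048 without compression, which peer A can run but peer B cannot, because B's hardware only pairs that cipher and hash with compression; every attribute was individually advertised by both sides, yet the combination is not. Suite negotiation instead lands on the one combination in both supported lists. The count at the end is the other half of the argument: adding compression as a fourth independently negotiable item doubles peer B's a la carte space to sixteen combinations against three it can actually execute.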