List:       firewalls-gc
Subject:    Re: swIPe abstract (was Re: raptor encryption)
From:       mikech@avana.net
Date:       1997-07-21 1:20:11
Having just completed our IPSec implementation (and testing its compatibility 
with most other IPSec implementations), I can tell you that the biggest hurdle 
is its lack of an "accepted" key exchange mechanism. Currently we are using a 
sneakernet, S/MIME or PGP manual exchange mechanism for keys. Both SKIP and 
Photuris are still at the development stage and are not cross-compatible.

In our own implementation we stuck with the basics, DES/3DES and Keyed MD5 
header authentication with manual key exchange. We used Phil Karn's excellent 
DES/3DES 80x86 assembly code for the encryption/decryption engine and get 
about 10 megabits/sec on a 150 MHz Pentium (this code is in the public domain 
and can be used by anyone). Phil's code has also made its way overseas 
(through no fault of Phil's) so it can be used outside of the U.S. as well. 
The Linux and BSD versions we tested were developed outside of the U.S. There 
is *not* a lack of free code.

The encrypted-authenticated tunnels work like a charm even in a heterogeneous 
network (IBM Secure Gateway, Linux IPSec, etc.) and we had no problems.

*Our* problem is that once you get into automated key exchanges you are 
talking public key crypto and royalties out the ying-yang. DES/3DES and MD5 
can be used royalty free. Not everyone can agree on which public key crypto 
company to make rich by choosing a key exchange mechanism ;-) At least IBM 
granted the use of its IKMP protocol for free in Photuris implementations (RFC 
1822).

Until you can automatically swap keys, change them mid-session, and work with 
any combination of firewall/OS, you will not have widespread acceptance of 
IPSec.

Mike   
--
01:20:12
07/21/97
_______________________________________________________________________
Michael W. Chalkley                                Tel: +1.770.772.4567
ZapNet! Inc.                                       Fax: +1.770.475.7640
Suite 400-120                                E-mail: mikech@iproute.com
10945 State Bridge Road                                mikech@avana.net
Alpharetta, GA 30202                             http://www.iproute.com
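The "Keyed MD5 header authentication" the post refers to is the RFC 1828 construction used by the early IP Authentication Header: the authenticator is MD5 over the secret key padded to a 64-byte boundary, followed by the datagram with its mutable fields zeroed, followed by the key again. The example below is added for illustration and is not code from the post's author or from any of the IPSec implementations he mentions; it reconstructs the RFC 1828 calculation over a constructed 20-byte IPv4 header, shows why the TTL, ToS, flags/offset and checksum fields must be zeroed before authenticating (they change in transit), and verifies the tag with a constant-time compare. The key, addresses and payload are constructed sample values.

```python
"""RFC 1828-style Keyed MD5 authenticator over an IPv4 header + payload (added example)."""
import hashlib
import hmac
import struct


def _md5_pad(data: bytes) -> bytes:
    """MD5 'pad with length': 0x80, zero fill, then the 64-bit little-endian
    bit length, bringing the buffer to a 64-byte boundary (RFC 1828 keyfill)."""
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = data + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bit_len)


def zero_mutable_ipv4_fields(header: bytes) -> bytes:
    """Return a copy of a 20-byte IPv4 header with the fields that routers
    rewrite in transit zeroed: ToS, flags/fragment offset, TTL, header checksum.
    (RFC 1826 requires this so sender and receiver hash identical bytes.)"""
    if len(header) != 20:
        raise ValueError("expected a 20-byte IPv4 header without options")
    h = bytearray(header)
    h[1] = 0                 # ToS
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def keyed_md5_rfc1828(key: bytes, invariant_data: bytes) -> bytes:
    """Authenticator = MD5(keyfill(key) || invariant_data || key).
    MD5 itself appends the final pad-with-length block."""
    return hashlib.md5(_md5_pad(key) + invariant_data + key).digest()


def authenticate(key: bytes, ipv4_header: bytes, payload: bytes) -> bytes:
    """Compute the 16-byte Authentication Data for a header + payload."""
    return keyed_md5_rfc1828(key, zero_mutable_ipv4_fields(ipv4_header) + payload)


def verify(key: bytes, ipv4_header: bytes, payload: bytes, auth_data: bytes) -> bool:
    """Constant-time check of a received authenticator."""
    return hmac.compare_digest(authenticate(key, ipv4_header, payload), auth_data)


def build_ipv4_header(src: str, dst: str, total_len: int, ttl: int) -> bytes:
    """Constructed IPv4 header (protocol 51 = AH); checksum left zero."""
    def ip(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, 51, 0, ip(src), ip(dst))


# Constructed sample values (not from the post).
SAMPLE_KEY = b"manually-keyed-sa-secret"
SAMPLE_PAYLOAD = b"ping data from firewall A to firewall B"
SAMPLE_HDR = build_ipv4_header("192.0.2.1", "198.51.100.7", 20 + len(SAMPLE_PAYLOAD), 64)
# Same datagram after a router decremented TTL: must still authenticate.
SAMPLE_HDR_IN_TRANSIT = build_ipv4_header("192.0.2.1", "198.51.100.7", 20 + len(SAMPLE_PAYLOAD), 61)


if __name__ == "__main__":
    tag = authenticate(SAMPLE_KEY, SAMPLE_HDR, SAMPLE_PAYLOAD)
    print("auth data:", tag.hex())
    print("verifies after TTL change:", verify(SAMPLE_KEY, SAMPLE_HDR_IN_TRANSIT, SAMPLE_PAYLOAD, tag))
    print("verifies with tampered payload:", verify(SAMPLE_KEY, SAMPLE_HDR, b"x" + SAMPLE_PAYLOAD[1:], tag))
```

Two points worth noticing: the key appears on both sides of the data, which is what distinguishes this 1995 construction from HMAC-MD5 (RFC 2104, later mandated by RFC 2403 for AH), so the two produce different tags for the same key and data and do not interoperate; and because the key material here is a static, manually installed secret, every peer that shares the SA can forge authenticators for every other peer, which is the scaling problem the post attributes to the missing key exchange.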