List: firewalls-gc
Subject: Re: swIPe abstract (was Re: raptor encryption)
From: mikech () avana ! net
Date: 1997-07-21 8:44:56
------------------------
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Subject: Re: swIPe abstract (was Re: raptor encryption)
Date: Mon, 21 Jul 1997 12:36:07 +0300
To: firewalls@GreatCircle.COM
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> >>>>> "mikech" == mikech <mikech@avana.net> writes:
> mikech> implementations), I can tell you that the biggest hurdle
> mikech> is its lack of an "accepted" key exchange
> mikech> mechanism. Currently we are using a sneakernet, S/MIME or
>
> I don't know where you have been for the past year, but the accepted
> KMP is ISAKMP with Oakley. Not the best, not the easiest, and most
> definitely not the one we will use in ten years (I hope), but
> nevertheless the standard one.
I think you will find some dissenting voices in the SUN camp ;-)
> At least ten vendors interoperated using ISAKMP, and the
> Kent/Sao/Madson ESP transform document in early June in Detroit. That
> included two Israeli vendors (who can only ship DES to North America),
> and the Linux FreeSWAN project, and DataFellows.
>
Sorry, but there is a huge difference between early interoperability testing and a
"standard". It is nice when you have no revenue tied into the success of a
product to say, "this is the standard!" Which interoperability test statistics
are you citing? Give us a document or URL.
>
> mikech> *Our* problem is that once you get into automated key
> mikech> exchanges you are talking public key crypto and royalties
> mikech> out the ying-yang. DES/3DES and MD5 can be used royalty
>
> Well, the Diffie-Hellman patent expires this September. If you are
> satisfied to use DSA to sign your DH ephemeral exponents for ISAKMP,
What does "if you are satisfied" mean? Do you feel this is a weak algorithm?
It doesn't sound like you have much faith in it yourself ;-)
> then you can build ISAKMP royalty free. Elliptic curve public keying
> algorithms are another route.
>
Doesn't help much if everyone uses a different key exchange method, does it?
We are talking about standards here.
I had people just like you write me and say the SKIP with Unsigned
Diffie-Hellman used for the key exchange was the "de-facto" standard because
of SUN's backing and the S/WAN results
http://www.rsa.com/rsa/SWAN/swan_test.htm .
They were just as vociferous as you were that their "standard" worked between
many different versions of Firewall ;-)
> mikech> ;-) At least IBM granted the use of its IKMP protocol for
> mikech> free in Photuris implementations (RFC 1822).
>
> Photuris, while not mandatory standards track, is now seeing some
> movement again.
>
> mikech> Until you can automatically swap keys, change them
> mikech> mid-session, and work with any combination Firewall/OS,
>
> Did that, been there.
Sorry, but I will have to disagree with you, no one is doing this today
automatically between heterogeneous firewalls/OS's. If anyone knows of examples
of dissimilar Firewalls setting up an encrypted tunnel using IPSec with
automatic key exchange (in a production environment!) I would love to hear
about it.
---------------End of Original Message-----------------
Mike
--
08:44:56
07/21/97
_______________________________________________________________________
Michael W. Chalkley Tel: +1.770.772.4567
ZapNet! Inc. Fax: +1.770.475.7640
Suite 400-120 E-mail: mikech@iproute.com
10945 State Bridge Road mikech@avana.net
Alpharetta, GA 30202 http://www.iproute.com
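The technical crux of this exchange is whether the ephemeral Diffie-Hellman public values are authenticated: the reply mentions SKIP with unsigned Diffie-Hellman, while the quoted message proposes signing DH ephemeral exponents with DSA under ISAKMP. The following is an added teaching example written for this archive page, not code from the thread, from SKIP, FreeSWAN or any ISAKMP implementation. It contrasts an unsigned ephemeral DH exchange with one where the receiver checks the sender's DSA signature over the public value against a long-term key assumed to have been distributed out of band. The 128-bit safe-prime group, the seeded RNG, the message layout and the function names are all constructed for illustration; a real deployment uses standardised parameters, separate DH and DSA groups and a CSPRNG.

```python
"""Toy signed vs. unsigned ephemeral Diffie-Hellman (constructed example).

The group is tiny compared with real ISAKMP/Oakley groups, the same (p, q, g)
is reused for DH and DSA to keep the code short, and all "network" messages
are local dicts. Requires Python 3.8+ for pow(x, -1, m).
"""
import hashlib
import random

# Seeded so the run is reproducible; real code must use a CSPRNG (secrets).
RNG = random.Random(1997)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test after a small-prime sieve."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=128):
    """Return (p, q, g): safe prime p = 2q + 1 and g = 4 of prime order q.
    4 is a quadratic residue, so it generates the order-q subgroup."""
    while True:
        q = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


def encode(value):
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def h_mod_q(data, q):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q


def dsa_keygen(G):
    p, q, g = G
    x = RNG.randrange(1, q)
    return x, pow(g, x, p)


def dsa_sign(G, x, msg):
    p, q, g = G
    while True:
        k = RNG.randrange(1, q)
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (h_mod_q(msg, q) + x * r) % q
        if r != 0 and s != 0:
            return r, s


def dsa_verify(G, y, msg, sig):
    p, q, g = G
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = h_mod_q(msg, q) * w % q, r * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r


def dh_message(G, sign_key=None):
    """One side's ephemeral value; signed with the long-term DSA key if given
    (ISAKMP-style), otherwise bare (the unsigned-DH mode discussed above)."""
    p, q, g = G
    a = RNG.randrange(2, q)
    A = pow(g, a, p)
    sig = dsa_sign(G, sign_key, encode(A)) if sign_key is not None else None
    return a, {"pub": A, "sig": sig}


def derive_key(G, my_priv, msg, peer_y=None):
    """Shared key, or None if peer_y is given and the signature fails. The
    check binds the ephemeral value to the peer's pre-shared identity key."""
    p, q, g = G
    if peer_y is not None and (msg["sig"] is None or
                               not dsa_verify(G, peer_y, encode(msg["pub"]), msg["sig"])):
        return None
    return hashlib.sha256(encode(pow(msg["pub"], my_priv, p))).hexdigest()


def run_exchange(G, signed, tamper):
    """Alice <-> Bob. Returns (bob_accepted, keys_match). With tamper=True an
    intermediary substitutes its own value for Alice's before Bob sees it."""
    alice_x, alice_y = dsa_keygen(G)   # long-term keys; public halves shared out of band
    bob_x, bob_y = dsa_keygen(G)
    a, to_bob = dh_message(G, alice_x if signed else None)
    b, to_alice = dh_message(G, bob_x if signed else None)
    if tamper:
        _, forged = dh_message(G)      # intermediary cannot sign as Alice
        to_bob = {"pub": forged["pub"], "sig": to_bob["sig"]}
    bob_key = derive_key(G, b, to_bob, alice_y if signed else None)
    alice_key = derive_key(G, a, to_alice, bob_y if signed else None)
    return bob_key is not None, bob_key == alice_key
```

In the signed mode Bob refuses a substituted value because Alice's signature no longer verifies; in the unsigned mode he computes a key without error, but it is not the key Alice holds and nothing in the exchange told him whose value he accepted. That is the gap the quoted message's "DSA to sign your DH ephemeral exponents" proposal closes, whatever one thinks of the standards politics around it.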