
Re: [Cfrg] Re: [saag] Algorithm upgrades



Eric Rescorla wrote:

Statements like "not really noticeable" and "work well operationally"
are absurdly out of touch with typical IPsec VPN users. Even the best
UIs for gateways force low-ability admins and lower-ability end users
to make multiple selections of things that they don't (and shouldn't
need to!) understand.

Maybe so, but why blame algorithm negotiation for this? Both SSH and TLS have algorithm negotiation and in practice no one even notices.

I agree that the algorithm negotiation is not the reason. If you look at the difference between the SSL and IPsec models, I think the difficulties come from two areas:

o  Separation of the application and the security layer. In
   SSL, applications are in direct control of the security
   layer and the configuration of the security layer also
   goes through the application's user interface. Given
   that the application knows its security requirements
   and its traffic flows, it knows what traffic needs to
   be protected and how. So you can skip, for instance,
   port number and address pattern specifications. Personally,
   I like entering IPv6 addresses in hex to configuration
   files, but I'm not quite sure most people on the planet
   agree with me.

o  Harder requirements. For instance, IPsec applications
   typically require all parties to be provisioned with
   keys and configuration, whereas in SSL some applications
   work with just server-side keys.

--Jari


_______________________________________________ Cfrg mailing list Cfrg at ietf.org https://www1.ietf.org/mailman/listinfo/cfrg