Re: [Cfrg] Re: [saag] Algorithm upgrades

[Bill Sommerfeld <sommerfeld at sun.com>]

On Sat, 2004-11-06 at 03:55, D. J. Bernstein wrote:
> > In our universe, we configured IPsec security gateways to accept both
> > AES and 3DES, then incrementally changed the preferred algorithm of the
> > clients. 
> 
> I was able to incrementally switch clients from telnet to ssh, where the
> server supported both telnet and ssh. The client indicated its protocol
> selection through its choice of TCP port number.

and then, perhaps unknown to you, ssh and sshd negotiated about a half
dozen algorithm parameters, each of which would require a bit or two to
encode even using the most compact encoding...

> We already have many levels of protocol selection: IP protocol numbers,
> TCP port numbers, and more. Was it impossible to encode a DES-vs.-AES
> bit for IPSec into one of those numbers?

in a word, yes, because there are only 16 bits of well-known port, and
you generally need much more than one bit to encode sufficiently rich
combinations of algorithm parameters.

					- Bill






_______________________________________________
Cfrg mailing list
Cfrg at ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg