Re: [IPsec] Updating IPsec algorithm requirements

To: Paul Koning <Paul_Koning at dell.com>, mcgrew at cisco.com
Subject: Re: [IPsec] Updating IPsec algorithm requirements
From: Paul Hoffman <paul.hoffman at vpnc.org>
Date: Sat, 7 Nov 2009 07:09:32 +0900
Cc: ipsec at ietf.org
Delivered-to: ipsec at core3.amsl.com
In-reply-to: <19188.29670.319220.85945 at pkoning-laptop.lab.equallogic.com>
List-archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-help: <mailto:ipsec-request@ietf.org?subject=help>
List-id: Discussion of IPsec protocols <ipsec.ietf.org>
List-post: <mailto:ipsec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
References: <3A070C8D-782B-4CC2-B48E-0DA63EC5A4ED at cisco.com> <19188.29670.319220.85945 at pkoning-laptop.lab.equallogic.com>

At 2:07 PM -0500 11/6/09, Paul Koning wrote:
>I agree.  For the reasons you gave, and also to remove the temptation
>to run AES-CTR without authentication for performance reasons, even
>though the standard says not to do this.

It is usually not temptation, but by mistake, aided by poor UI practice on the parts of >90% of VPN vendors. That is, I have found few vendors in the VPNC lab that *prevent* you from running with null authentication. Having a combined mode in the mix, particularly if it is the required algorithm, would reduce the prevalence of this kind of mistake.

--Paul Hoffman, Director
--VPN Consortium

References:
- [IPsec] Updating IPsec algorithm requirements
  - From: David McGrew
- Re: [IPsec] Updating IPsec algorithm requirements
  - From: Paul Koning

Prev by Date: Re: [IPsec] Updating IPsec algorithm requirements
Next by Date: [IPsec] IPsec with QKD
Previous by thread: Re: [IPsec] Updating IPsec algorithm requirements
Next by thread: Re: [IPsec] Updating IPsec algorithm requirements
Index(es):
- Date
- Thread

Re: [IPsec] Updating IPsec algorithm requirements

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.