Re: DES Only IPsec?
On Sun, 7 Oct 2001, Ghislaine Labouret wrote:
...
> In the pre-defined suites, 3DES implies Diffie-Hellman group 2, while
> DES implies group 1. But a restriction in QM is that you can not send
> proposals with different groups, so your list above is not a valid set
> of proposals.
A comment: it's actually the authentication algorithm that determines
which DH group is used currently, meaning SHA implies DH group 2, and MD5
DH group 1. Speaking of relative strengths, for 3DES it makes more sense to
use SHA than MD5, while for DES, MD5 is "enough". Most examples therefore
group them thus.
For the current problem, change the proposed suites to SHA-only (or
MD5-only). I've just added a note about this to the isakmpd.conf(5)
manual page in -current.
I guess I should get around to rewriting the predefined configuration code
one of these days...
/H
--
Håkan Olsson <ho@crt.se> (+46) 708 437 337 Carlstedt Research
Unix, Networking, Security (+46) 31 701 4264 & Technology AB
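
The check described in this message, as an added example that is not part of the original post or of isakmpd: it reads a quick-mode section, derives the DH group each suite implies from its hash (SHA gives group 2, MD5 gives group 1, as stated above), and flags a `Suites` list that mixes groups. The section names and suite names in the sample are constructed and assume the `QM-<proto>-<cipher>-<hash>-PFS-SUITE` naming style.

```python
import configparser

# Mapping as stated in the message above: the hash algorithm picks the DH group.
GROUP_BY_HASH = {"SHA": 2, "MD5": 1}

# Constructed sample in isakmpd.conf style (section and suite names are assumptions).
SAMPLE_CONF = """
[Mixed-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-MD5-PFS-SUITE

[SHA-only-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-DES-SHA-PFS-SUITE
"""


def implied_group(suite):
    """Return the DH group implied by the suite's hash, or None if unknown."""
    parts = suite.upper().split("-")
    for hash_name, group in GROUP_BY_HASH.items():
        if hash_name in parts:
            return group
    return None


def check_suites(conf_text):
    """Map each quick-mode section to its per-suite groups and a validity flag."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names case-sensitive
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if cp.get(section, "EXCHANGE_TYPE", fallback="").strip() != "QUICK_MODE":
            continue
        raw = cp.get(section, "Suites", fallback="")
        suites = [s.strip() for s in raw.split(",") if s.strip()]
        groups = {s: implied_group(s) for s in suites}
        distinct = {g for g in groups.values() if g is not None}
        # A quick-mode offer may not carry proposals with different groups.
        report[section] = {"groups": groups, "valid": len(distinct) <= 1}
    return report


if __name__ == "__main__":
    for name, result in check_suites(SAMPLE_CONF).items():
        status = "ok" if result["valid"] else "MIXED DH GROUPS"
        print(f"[{name}] {status}: {result['groups']}")
```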