[anonsec] should IPsec policies be partially ordered?
Michael Richardson
mcr at sandelman.ca
Sun Mar 18 08:13:15 PDT 2007
Miika Komu wrote:
> * The comparison functions should allow comparison of attribute1 <
> attribute2, not just equality.
Maybe. Creating a partial order of various attributes is non-trivial,
I think.
Is AES128 > 3DES? (on what basis? faster? more secure? lower latency?)
Is HMAC-MD5 > SHA2-256 ?
(No, the comparison isn't valid. HMAC and non-HMAC uses are not the same,
and IPsec always uses HMAC... well, do we? We don't use it for XCBC-AES, right?)
I would like to have the partial order. I am not certain that it is something
that we will agree to. Perhaps I'm wrong, and the work is trivial.
I also don't want applications to ever hard code things like "AES128".
Instead, I want them to use something like "ENCRYPTION_STRENGTH_MEDIUM",
and have some files, a la /etc/services that defines what that means for this system.
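An added illustration of the two ideas in the message above (it is not code from the anonsec list or from any IPsec implementation): a product partial order over transform attributes, where a comparison can come back "incomparable", and a small /etc/services-style strength file that maps abstract labels to per-axis minimums. The security-bit and speed ratings, the file format, and the ENCRYPTION_STRENGTH_MEDIUM_FAST label are all constructed for the example.

```python
"""Partial order over IPsec transform attributes, plus a strength-label
indirection in the spirit of /etc/services. Every rating and the file
format below are constructed for illustration, not measured or standard."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Transform:
    name: str
    security_bits: int  # constructed effective key strength
    speed_rank: int     # constructed throughput rank, higher is faster

    def axes(self) -> Tuple[int, int]:
        return (self.security_bits, self.speed_rank)


def compare(a: Transform, b: Transform) -> Optional[int]:
    """Product (partial) order: 1 if a is at least as good as b on every axis
    and strictly better on one, -1 for the reverse, 0 if identical on all
    axes, None if each wins somewhere, i.e. the two are incomparable."""
    ge = all(x >= y for x, y in zip(a.axes(), b.axes()))
    le = all(x <= y for x, y in zip(a.axes(), b.axes()))
    if ge and le:
        return 0
    if ge:
        return 1
    if le:
        return -1
    return None


# Constructed catalogue: usual IPsec transform names, assumed ratings chosen
# so that one pair is ordered and another is not.
CATALOG: Dict[str, Transform] = {t.name: t for t in (
    Transform("3DES", 112, 1),
    Transform("AES128", 128, 3),
    Transform("AES256", 256, 2),
)}

# Hypothetical strength file: one label per line, then a minimum per axis,
# with "-" meaning "no requirement on this axis".
STRENGTH_FILE = """\
# label                          min-bits  min-speed
ENCRYPTION_STRENGTH_LOW          112       -
ENCRYPTION_STRENGTH_MEDIUM       128       -
ENCRYPTION_STRENGTH_MEDIUM_FAST  128       3
ENCRYPTION_STRENGTH_HIGH         256       -
"""

Floors = Dict[str, Tuple[Optional[int], ...]]


def parse_strength_file(text: str) -> Floors:
    """Parse the label table; comments and blank lines are skipped."""
    floors: Floors = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        label, *mins = line.split()
        if len(mins) != 2:
            raise ValueError(f"malformed strength line: {raw!r}")
        floors[label] = tuple(None if m == "-" else int(m) for m in mins)
    return floors


def satisfies(label: str, t: Transform, floors: Floors) -> bool:
    """A transform meets a label when it reaches every stated minimum; axes
    marked '-' are ignored, which keeps a stronger-but-slower cipher
    acceptable for a label that only asks for strength."""
    return all(m is None or v >= m for v, m in zip(t.axes(), floors[label]))


def choose(label: str, offered: Iterable[str], floors: Floors) -> Optional[Transform]:
    """From a peer's offered transform names, pick one that meets the label
    and is not dominated by another acceptable offer. Incomparable
    candidates are all maximal, so the first in offer order wins and the
    caller's preference order still matters."""
    ok = [CATALOG[n] for n in offered if satisfies(label, CATALOG[n], floors)]
    maximal = [t for t in ok if not any(compare(o, t) == 1 for o in ok)]
    return maximal[0] if maximal else None
```

With these constructed ratings AES128 dominates 3DES on both axes, while AES128 and AES256 are incomparable (one is stronger, the other faster), which is exactly the case a total order would have to paper over; the label file settles it by stating which axes a policy actually cares about.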