[anonsec] should IPsec policies be partially ordered?
Michael Richardson
mcr at sandelman.ca
Mon Mar 19 08:38:28 PDT 2007
Paul Wouters wrote:
> On Sun, 18 Mar 2007, Michael Richardson wrote:
>
>> I also don't want applications to ever hard code things like "AES128".
>> Instead, I want them to use something like "ENCRYPTION_STRENGTH_MEDIUM",
>> and have some files, a la /etc/services that defines what that means for this system.
>
> Reminds me of Draytek Vigors, which had a "medium" setting meaning modp768
> with 1DES......
> Not only do you have to agree on the order of this list, you also have to
> maintain it in the light of faster hardware over time.
Not relevant.
The choice is not between "medium" vs "3DES". Medium security *WAS* 1DES (vs RC4)
ten plus years ago. Of course, there are maintenance issues.
The choice is between replacing all the binaries on the machine that use the
BTNS IPsec API, or replacing one file that defines what the "medium" profile is.
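The profile-file idea discussed above, as an added illustration that is not part of the original message and not the BTNS IPsec API: a small resolver for a hypothetical /etc/ipsec-profiles file (the file format, the profile names and the sample contents are assumptions made here) mapping a strength name such as "medium" to concrete algorithms. It also shows the maintenance point raised in the reply: the resolver refuses a profile that still names algorithms on a deprecated list, so a stale file fails loudly instead of silently handing out 1DES.

```python
"""Resolve symbolic IPsec strength profiles from a text file.

Hypothetical /etc/ipsec-profiles format (an assumption for this example):
one profile per line, fields separated by whitespace, '#' starts a comment.
Columns: name, encryption, integrity, DH group.
"""
from dataclasses import dataclass

# Constructed sample file contents; the algorithm choices are illustrative only.
SAMPLE_PROFILES = """\
# name      encryption   integrity   dh-group
low         aes128       sha1        modp1024
medium      aes128       sha256      modp2048
high        aes256       sha256      modp3072
"""

# A stale file of the kind the reply describes: "medium" still meaning 1DES/modp768.
STALE_PROFILES = """\
medium      1des         md5         modp768
"""

# Algorithms a resolver should never hand out, whatever the file says.
DEPRECATED = {"des", "1des", "rc4", "md5", "modp768"}


@dataclass(frozen=True)
class Profile:
    name: str
    encryption: str
    integrity: str
    dh_group: str


def parse_profiles(text: str) -> dict[str, Profile]:
    """Parse the profile file into a name -> Profile mapping.

    Rejects malformed lines and duplicate names so a typo in the file
    cannot silently shadow an earlier, stronger definition.
    """
    profiles: dict[str, Profile] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        name, enc, integ, dh = (f.lower() for f in fields)
        if name in profiles:
            raise ValueError(f"line {lineno}: duplicate profile {name!r}")
        profiles[name] = Profile(name, enc, integ, dh)
    return profiles


def resolve(profiles: dict[str, Profile], name: str) -> Profile:
    """Look up a profile by symbolic name and refuse deprecated algorithms."""
    try:
        profile = profiles[name.lower()]
    except KeyError:
        raise LookupError(f"no profile named {name!r}") from None
    bad = {profile.encryption, profile.integrity, profile.dh_group} & DEPRECATED
    if bad:
        raise ValueError(
            f"profile {name!r} names deprecated algorithm(s): {sorted(bad)}"
        )
    return profile


if __name__ == "__main__":
    # An application asks only for "medium"; the file decides what that means.
    current = parse_profiles(SAMPLE_PROFILES)
    print(resolve(current, "medium"))
    # The same request against the stale file is refused rather than honoured.
    try:
        resolve(parse_profiles(STALE_PROFILES), "medium")
    except ValueError as exc:
        print("refused:", exc)
```

The application binary never names AES or a DH group; upgrading "medium" from aes128/modp2048 to something stronger is an edit to the file, and the deprecated list is the one place that has to be maintained as algorithms age.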