IPSec Questions

Rick Smith rick_smith at securecomputing.com
Tue Aug 10 16:58:53 EDT 1999


At 02:59 PM 8/10/99 -0500, Tina Bird wrote:

>Hi all -- Eric Zines asked me a couple of very good questions yesterday, so
>I'm throwing them to the rest of you for ideas and opinions.
>
>Does anyone ever use AH within IPSec in tunnel mode, rather than transport
>mode?  If so, how did you make the decision that that was your optimal choice?

Security-wise you're unlikely to see a difference, but there might be a
functional difference depending on the equipment you have. The best thing
is to set up the equipment you're using and figure out which one works best
in your network. Some products might not handle both modes effectively, or
might not interoperate with other products in one mode or the other.
Transport mode is slightly more efficient since you don't have to send two
IP headers. If you set it up and can't tell the difference between them,
then it won't matter which you use.

>How do you decide whether to use MD5 or SHA-1 for message authentication?
>SHA-1 has a longer key, but are there any other ways to decide between them?

Again, the security difference isn't likely to matter. The longer key is
safer, but the improved safety wouldn't justify any operational
inconvenience you might encounter due to software interactions or
incompatibilities. If you're using IKE/ISAKMP to do periodic rekeying, the
risk of someone doing a successful integrity attack is negligible even if
you're using the shorter MD5 key.


Rick.
smith at securecomputing.com
"Internet Cryptography" at http://www.visi.com/crypto/

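Editor's note: the following is an added worked example, not part of Rick Smith's reply or the original list posting. It builds an AH-protected IPv4 packet in both transport and tunnel mode and computes the Integrity Check Value with HMAC-MD5-96 and HMAC-SHA-1-96 as IPsec defines them (RFC 2402 for the AH header and the mutable-field rules, RFC 2403/2404 for the two MAC variants, which both truncate the HMAC output to 96 bits). It makes the "two IP headers" cost of tunnel mode concrete (20 extra bytes for IPv4 without options) and shows why a hop-by-hop TTL change does not break AH. All addresses, keys, SPI values and the UDP payload are constructed for the example; `build_ah`, `verify_ah`, `ah_icv` and `zero_mutable` are names chosen here, not IPsec or vendor APIs.

```python
"""AH transport vs. tunnel mode with HMAC-MD5-96 / HMAC-SHA-1-96 (example, not from the post)."""
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP = 4     # AH "next header" in tunnel mode: an encapsulated IPv4 packet follows
IPPROTO_UDP = 17
IPPROTO_AH = 51
ICV_LEN = 12         # RFC 2403/2404: both -96 variants truncate the HMAC to 96 bits
AH_LEN = 12 + ICV_LEN  # fixed AH fields (12 bytes) + ICV

ALGOS = {"hmac-md5-96": hashlib.md5, "hmac-sha1-96": hashlib.sha1}


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """20-byte IPv4 header, no options. Checksum left 0: it is mutable and zeroed for the ICV."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable(ip_hdr):
    """RFC 2402: TOS, flags/fragment offset, TTL and header checksum are mutable in transit."""
    h = bytearray(ip_hdr)
    h[1] = 0             # TOS
    h[6:8] = b"\0\0"     # flags + fragment offset
    h[8] = 0             # TTL
    h[10:12] = b"\0\0"   # header checksum
    return bytes(h)


def ah_icv(algo, key, ip_hdr, ah_no_icv, after):
    """ICV = HMAC(IP header with mutable fields zeroed || AH with ICV zeroed || rest of packet)."""
    data = zero_mutable(ip_hdr) + ah_no_icv + bytes(ICV_LEN) + after
    return hmac.new(key, data, ALGOS[algo]).digest()[:ICV_LEN]


def build_ah(mode, algo, key, inner_pkt, spi, seq, gw_src="192.0.2.1", gw_dst="198.51.100.1"):
    """inner_pkt is an original IPv4 header (20 bytes) + payload. Returns the AH-protected packet."""
    inner_hdr, payload = inner_pkt[:20], inner_pkt[20:]
    if mode == "transport":
        # Keep the original header; AH sits between it and the upper-layer payload.
        next_hdr = inner_hdr[9]
        after = payload
        hdr = bytearray(inner_hdr)
        hdr[2:4] = struct.pack("!H", 20 + AH_LEN + len(payload))
        hdr[9] = IPPROTO_AH
        ip_hdr = bytes(hdr)
    elif mode == "tunnel":
        # New outer header between the gateways; the whole original packet becomes the payload.
        next_hdr = IPPROTO_IPIP
        after = inner_pkt
        ip_hdr = ipv4_header(gw_src, gw_dst, IPPROTO_AH, 20 + AH_LEN + len(inner_pkt))
    else:
        raise ValueError(mode)
    # Payload Len = AH length in 32-bit words minus 2, i.e. 4 for a 96-bit ICV.
    ah_no_icv = struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_no_icv + ah_icv(algo, key, ip_hdr, ah_no_icv, after) + after


def verify_ah(pkt, algo, key):
    """Receiver side: recompute the ICV and compare in constant time."""
    ip_hdr, ah_no_icv = pkt[:20], pkt[20:32]
    icv, after = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    if ip_hdr[9] != IPPROTO_AH:
        return False
    return hmac.compare_digest(icv, ah_icv(algo, key, ip_hdr, ah_no_icv, after))


# Constructed sample traffic: a 20-byte UDP datagram (ports 1234 -> 53, checksum 0) between two hosts.
PAYLOAD = b"\x04\xd2\x00\x35\x00\x14\x00\x00hello, ipsec"
INNER = ipv4_header("10.0.0.5", "10.0.1.7", IPPROTO_UDP, 20 + len(PAYLOAD)) + PAYLOAD
KEY_MD5 = bytes(range(16))    # 128-bit key for HMAC-MD5-96 (constructed, not a real key)
KEY_SHA1 = bytes(range(20))   # 160-bit key for HMAC-SHA-1-96 (constructed, not a real key)


def demo():
    """Sizes and verification results for the two modes and the two MAC algorithms."""
    transport = build_ah("transport", "hmac-sha1-96", KEY_SHA1, INNER, spi=0x1000, seq=1)
    tunnel = build_ah("tunnel", "hmac-sha1-96", KEY_SHA1, INNER, spi=0x1000, seq=1)
    tunnel_md5 = build_ah("tunnel", "hmac-md5-96", KEY_MD5, INNER, spi=0x1001, seq=1)
    routed = bytearray(tunnel)
    routed[8] -= 1                       # a router decrements the outer TTL: still verifies
    tampered = bytearray(tunnel)
    tampered[-1] ^= 0x01                 # flip one payload bit: ICV no longer matches
    return {
        "transport_len": len(transport),
        "tunnel_len": len(tunnel),
        "tunnel_md5_len": len(tunnel_md5),
        "transport_ok": verify_ah(transport, "hmac-sha1-96", KEY_SHA1),
        "tunnel_ok": verify_ah(tunnel, "hmac-sha1-96", KEY_SHA1),
        "tunnel_md5_ok": verify_ah(tunnel_md5, "hmac-md5-96", KEY_MD5),
        "ttl_changed_ok": verify_ah(bytes(routed), "hmac-sha1-96", KEY_SHA1),
        "tampered_ok": verify_ah(bytes(tampered), "hmac-sha1-96", KEY_SHA1),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The tunnel-mode packet is exactly 20 bytes longer than the transport-mode one for the same payload, which is the overhead of the second IP header mentioned above. Both MAC variants put a 12-byte ICV on the wire, so switching between them changes the key length and the HMAC internals but not the packet layout; the TTL case shows why the mutable-field rules matter in practice, since AH would otherwise fail at the first router.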
****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/FAQ.html
