IPSec Questions

Eric Henriksen eric at redcreek.com
Wed Aug 11 09:36:29 EDT 1999 

Functionally, I agree with most of the response below.  However, It is
important to remember that running 'Mixed Mode' AH and ESP Transport will
result in double encapsulation.  Given the previous discussion on this forum
regarding the impact of 'growing' the packets with additional header,
remember the effect this has on fragmentation and inherent problem that MS
and low-speed connected platforms have in dealing with fragmentation.  Also
AH will conduct hash authentication on every packet, which may severely
limit throughput - especially for platform that so not specifically
accelerate the hash function (not just DES).

Additionally, the level of security added to the solution is unecessary
given the resources needed to brute force attack the 3DES keys to begin
with.  For example, the 168 bit key space of 3DES has 3.74e+50 key
combinations, estimated at at least an effective strength of 112 bit
contiguous key length, or 5.2e+33.  Assuming that the best effort attack by
the Electronic Frontier Foundation on a DES key, with 7.21e+16 key variants,
was about 3 hours.  Which puts the worse case strength of 3key 3DES at
7.21e+16 times the key combos, or 216,172,782,113,783,808 hours, or over 24
trillion years.  Give it 12 trillion years to average half the key space and
throw a large number of parallel processes at this and it's still unlikely
that the session would be cracked and hijacked given the present-day silicon
processor technology (possibilities with quantum mechanics aside).

AH (or even HMAC auth within ESP) is generally overkill for all but the most
paranoid.  UNLESS you need the encapsulation functionality and ESP protocols
pose some unforeseen problem.  But since the ESP tunnel mode offers
encapsulation, even with no transform (unencrpted) if desired, applications
for AH are limited.  AH/ESP mixed seems almost superfluous, unless I am
missing something.  Anyone have any ideas on this?

Otherwise, SHA-1 is slightly stronger and slower, but both provide excellent
strength hashes to authenticate the keying processes.   ISAKMP can also use
3DES to pass this authenticated key information.  Not to mention that keying
material is fairly far removed from the keys  themselves (public key
crypto), making the encrypted material not very useful even if you cold
crack it.  In short, either one should be fine in a well designed IPSec
implementation.

----- Original Message -----
From: Rick Smith <rick_smith at securecomputing.com>
To: Tina Bird <tbird at secnetgroup.com>; <vpn at listserv.secnetgroup.com>
Sent: Tuesday, August 10, 1999 4:58 PM
Subject: Re: IPSec Questions


> At 02:59 PM 8/10/99 -0500, Tina Bird wrote:
>
> >Hi all -- Eric Zines asked me a couple of very good questions yesterday,
so
> >I'm throwing
> >them to the rest of you for ideas and opinions.
> >
> >Does anyone ever use AH within IPSec in tunnel mode, rather than
transport
> >mode?  If
> >so, how did you make the decision that that was your optimal choice?
>
> Security-wise you're unlikely to see a difference, but there might be a
> functional difference depending on the equipment you have. The best thing
> is to set up the equipment you're using and figure out which one works
best
> in your network. Some products might not handle both modes effectively, or
> might not interoperate with other products in one mode or the other.
> Transport mode is slightly more efficient since you don't have to send two
> IP headers. If you set it up and can't tell the difference between them,
> then it won't matter which you use.
>
> >How do you decide whether to use MD5 or SHA-1 for message authentication?
> >SHA-1
> >has a longer key, but are there any other ways to decide between them?
>
> Again, the security difference isn't likely to matter. The longer key is
> safer, but the improved safety wouldn't justify any operational
> inconvenience you might encounter due to software interactions or
> incompatabilities. If you're using IKE/ISAKMP to do periodic rekeying, the
> risk of someone doing a successful integrity attack is negligible even if
> you're using the shorter MD5 key.
>
>
> Rick.
> smith at securecomputing.com
> "Internet Cryptography" at http://www.visi.com/crypto/
>
> ****************************************************************
> TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com
>
> The VPN FAQ (under construction) is available at
> http://kubarb.phsx.ukans.edu/~tbird/FAQ.html
>
> We are currently experiencing "unsubscribe" difficulties.  If you
> wish to unsubscribe, please send a message containing the single line
> "unsubscribe vpn your-e-mail-address" to
owner-vpn at listserv.secnetgroup.com
>
> ****************************************************************

****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/FAQ.html

We are currently experiencing "unsubscribe" difficulties.  If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com

****************************************************************

More information about the VPN mailing list