
Re: [FW1] FreeSWAN, FW-1 and DES




The following section is from the FreeSWAN 1.9 FAQ:

--- start
Does FreeS/WAN support single DES encryption?

   No, single DES is not used either at the IKE level for negotiating
   connections or at the IPSEC level for actually building them.

   Single DES is insecure.

    But isn't DES support part of the IPSEC standard?

   Yes, but DES is insecure. As we see it, it is more important to
   deliver real security than to comply with a standard which has been
   subverted into allowing use of inadequate methods. See this
   discussion.

    I have to talk to .... which offers only DES. How do I do this?

   Ask the device vendor for the triple DES upgrade. These exist for
   many IPSEC devices. If no cipher stronger than DES is available, we
   recommend you not use that IPSEC implementation.

   If a 3DES implementation exists but your vendor cannot sell it to
   you because of export laws, consider complaining to one or more of:

     * the vendor
     * your own government, especially any branch concerned with
       citizen's privacy and/or protection of communication
       infrastructure
     * the local embassy of the nation which restricts export to you

   Consider using FreeS/WAN instead. PCs are cheap and we deliver 3DES
   now.

   As a matter of project policy, we will not help anyone subvert
   FreeS/WAN to provide insecure DES encryption.
--- end

As you can read, it is a somewhat stiff attitude that only 3DES
counts. However, since they want to be the holders of high morals and
wonderful inflexibility, I'm sure you find that reflected in
structured and clear source code, so adding support for DES would not
be hard :)

cheers,
Alexander

Roger Smith <[email protected]> writes:

> Hi I'm having problems connecting to FW-1 from
> Linux/FreeSWAN - I have heard that FreeSWAN will only
> talk to Firewalls that can do 3DES. Since our Firewall
> can only do DES at the moment, I'm interested to know
> if this is true?
> 
> Regards
>   Chris
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================

-- 
Alexander Hoogerhuis
FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'

