RE: Security Use Requirements

[RJ Atkinson <rja@inet.org>]

At 04:37 07/02/01, John Hufferd wrote:

>  In any event. the need is for security is at least 3DES.

        It is illogical to argue that having NO SECURITY is
better than having DES-CBC.  Since you appear to be doing
precisely this, I must be confused by your words and not
following you clearly.  Can you kindly clarify ?

>Also the cost of a Gigabit chip for 3DES, I just found out, 
>is $300 for Samples.  

        That's not what I'm seeing, but in any event, 
I think the discussion of hardware is not terribly on point.

>Now, I am beginning to think that it is reasonable for one 
>of the following approaches to be OK. That is, one of those 
>approaches should meet the requirement for "Must Implement".
>1. Only implementing an interface to the external IPSec/TLS box
>2, SW implementation of IPSec/TLS
>3. HW IPSec/TLS

        (1) is a non-starter because it means no security will
        be widely available to users/operators, IMHO.

        IETF would never say whether a particular implementation 
had to be done in hardware or software; that is obviously an 
implementation detail and product differentiator.  So from an 
IETF perspective (2) and (3) are identical and boil down to 
putting "must implement security" into the specifications 
(for whichever security the WG converges on).

Ran
rja@inet.org