Re: Last Call: IPSEC drafts -> Proposed Standards

[bmanning () ISI EDU]

> bmanning () isi edu writes:
> > I think that a significant point is not that MD5 is "weak" but that it is 
> > slow, by almost any standard.  RFC 1810 discusses this problem in depth.
> > If we, as a community are willing to live with reduced speed networks, then
> > the use of MD5 is indicated.  If we, as a community require 100Mbps and
> > greater services, then MD5 is -NOT- a viable solution and requiring its
> > deployment is as bad or worse than no security at all, since people will
> > turn it off to get the performance that they have today.  
> >
> > People are generally not willing to sacrifice performance for security.
>
> Use of MD5 is not required. Implementation of the MD5 transform for
> interoperability is required. There is no requirement to run any
> security at all at any time unless you like.

then we get the 99% problem indicated earlier.  slow protocols are available
now, through the use of IP options.  Although there, almost no-one uses them
due to the processing constraints.  This is yet one more case of selecting
the least common demoninator, which almost noone will use. 

Louie,  why doesn't your employer use IPsecurity today?  It's available via 
IP options. (Perhaps we should ask operations types if they are willing to
accept a security model which robs them of throughput on todays networks and
prevents them from using faster transports in the future.)

(Note to the NANOG community.  Please review the proposed IP Security docs
and RFC 1810.  Perhaps the IESG would be willing to take input from an operations
perspective here.)

As for other transforms... Please contact Dr. Joe Touch  (touch () isi edu)
for a writeup of his efforts in this area.

-- 
--bill