Re: is manual keying mandatory (fwd)

["Paul Lambert"<plambert@certicom.com>]

>>From a practical standpoint, Diffie-Hellman is
>extremely expensive in lessor-powered CPU's

This is good reason retain and fix the elliptic curve options in Oakley.

It's much faster and a better system solution than manual keys.

Paul





dfox@BayNetworks.COM on 03/20/98 10:46:22 AM

Please respond to dfox@BayNetworks.COM

To:   adams@cisco.com
cc:   rgm-sec@htt-consult.com, jhwilson@austin.ibm.com, ipsec@tis.com (bcc:
      Paul Lambert/Certicom)
Subject:  Re: is manual keying mandatory (fwd)




>From a practical standpoint, Diffie-Hellman is extremely expensive in
lessor-powered CPU's, and in an environment where IP interfaces are
coming up and down in a dynamic environment (say PPP over demand-dial
ISDN lines), doing Diffie-Hellman again and again may be more taxing on
the CPU than Triple DES encryption on full throughput.
In such an environment, one can use a different KMP than ISAKMP/Oakley.
But it would be beneficial to know that a completely inexpensive key
management system (manual keying) is universally supported in all IP
Security implementations.  My customers would then be able to make the
choice themselves whether to go with (relatively expensive) automated
keying or (relatively inexpensive) manual keying, regardless of the
IPSec-capable devices they were interfacing with.
For this reason, I feel it is necessary to keep manual keying support a
MUST.
--
Daniel C. Fox                  <dfox@baynetworks.com>
Software Project Leader        Tel:  +1 978-916-4216
Remote Access Server Division  Fax:  +1 978-916-4789
Bay Networks, Inc.             <http://www.baynetworks.com>