RE: SA Timeouts posted 12/09/2002


Hi

If you're interested in cracking DES, take a look at
http://www.eff.org/descracker.html


Best regards
Roberto


-----Original Message-----
From: Javier Contreras Albesa [mailto:javier_albesa@xxxxxxxx] 
Sent: Monday, 9 December 2002 07:35
To: Justin Menga; 'Ciaron Gogarty'; security@xxxxxxxxxxxxxx
Subject: RE: SA Timeouts


Hello

An IPSec SA of one hour is OK for most applications. Better if PFS is
used, as Justin recommends.

AFAIK there is not an "easy" way to break DES. It has been mathematically
broken, you can do analysis, but you won't find a "point and click" "DES
Cracker" for script kiddies. All DES crackers are based for now on brute
force. Of course, if you are carrying important information, DES is
completely out of the discussion. For example in Europe, even if you are a
normal company, if you are sending medical or psychological info, you must
use "hard" encryption, 3DES being the most accepted.

And, BTW, in order to crack DES using non-brute-force methods, the attacker
must have a LOT of ciphertext with the same key. By a lot, I mean hundreds
of megabytes, so time is not the only factor. It is not the same to transmit
1 MB in one hour as 300 MB in one hour. The critical size is (2^32)2, or
more or less 2 GB, so it is better to stay quite far from transmitting near
2 GB with the same DES key. I believe that the default is 600 or 800 MB,
which is a good number.

I use a 1 hour IPSec SA, and a 3 hour IKE SA for remote access, 6 hours for
LAN-to-LAN IKE, always with PFS.

Take care with PFS. Most of the recalculation of the Diffie-Hellman is done
by the main CPU, not the VPN accelerator (at least until 12.2(8)T), so a big
network with a lot of SAs could crash a router, even if it can handle the
3DES performance requirements.

Regards.


--- Justin Menga <Justin.Menga@xxxxxxxxxxxxxx> wrote:
> Hi
> 
> The default for IPSec SAs is one hour - you should set your IPSec SA
> timeouts to shorter than your IKE SA timeouts, as much more information is
> exchanged over an IPSec SA. If you are using DES encryption, I'd
> recommend setting these quite low, as DES is easily cracked these days.
> You can leave the timeouts at the defaults if you choose high-strength
> encryption (e.g. 3DES or AES-256) as well as strong DH groups (e.g. Group 5
> or Group 7). Also use PFS to ensure IKE and IPSec session keys are
> separate. I generally tune down the IKE SA timeout to 4 hours (from the
> default of 1 day) and leave the IPSec SA at 1 hour - however, I live in New
> Zealand and don't really deal with the huge VPNs you can get elsewhere in
> the world.
> 
> The only real load will be if keys are renegotiated at the same time - this
> would only happen if lots of users connected at the same time, which your
> box must be designed to cope with at any time. Obviously, if you are using
> high-strength DH groups (e.g. Group 7) and PFS, the load is significantly
> increased when generating new session keys, so ensure you don't set timeouts
> too low when using these high-security features.
> 
> Regards,
> Justin
> 
> 
> -----Original Message-----
> From: Ciaron Gogarty [mailto:cgogarty@xxxxxxxxxxx] 
> Sent: Saturday, December 07, 2002 1:06 PM
> To: security@xxxxxxxxxxxxxx
> Subject: SA Timeouts
> 
> 
> Anybody have any real world experience on setting timeouts for IPSEC and
> ISAKMP SAs? The default is kind of large, so I was going to reduce it to
> an hour or so, and then started thinking that an hour is too short, so the
> trade-off is performance for security. Specifically, it's with a 3005 and
> about 37 remote sites, 3DES. Given that the 3005 doesn't do encryption in
> hardware, am I going to overburden the box?
> 
> 
> 

---
Javier Contreras Albesa

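To put numbers on Javier's point that the volume carried under one DES/3DES key matters more than the wall-clock lifetime, here is an added Python example (written for this archive page, not code from any poster in the thread): it computes the bytes an SA carries at a sustained rate over its lifetime, the birthday-bound probability that two 64-bit ciphertext blocks collide at that volume, and the lifetime at which a chosen volume limit is reached. The 2 GB limit is Javier's figure; the traffic rates are constructed.

```python
"""Added example: relate an IPsec SA lifetime to the ciphertext volume carried
under one DES/3DES key (64-bit blocks). All rates below are constructed."""
import math

BLOCK_BYTES = 8                      # DES and 3DES both encrypt 64-bit blocks
BLOCK_BITS = BLOCK_BYTES * 8
DEFAULT_LIMIT_BYTES = 2 * 1024 ** 3  # the ~2 GB figure quoted in the thread


def bytes_per_lifetime(rate_bytes_per_s, lifetime_s):
    """Volume an SA carries if it stays busy for its whole lifetime."""
    return rate_bytes_per_s * lifetime_s


def block_collision_probability(volume_bytes):
    """Birthday-bound estimate that two 64-bit ciphertext blocks repeat after
    encrypting volume_bytes under one key: 1 - exp(-n^2 / 2^65), n = blocks.
    Reaches about 39% at 2^32 blocks (32 GiB)."""
    n = volume_bytes / BLOCK_BYTES
    return 1.0 - math.exp(-(n * n) / 2.0 ** (BLOCK_BITS + 1))


def lifetime_for_volume_limit(rate_bytes_per_s, limit_bytes=DEFAULT_LIMIT_BYTES):
    """Seconds until an SA at this rate reaches the volume limit; the
    time-based lifetime should be set below this."""
    return limit_bytes / rate_bytes_per_s


def assess(rate_bytes_per_s, lifetime_s, limit_bytes=DEFAULT_LIMIT_BYTES):
    """Summarise one SA configuration for a sustained traffic rate."""
    volume = bytes_per_lifetime(rate_bytes_per_s, lifetime_s)
    return {
        "volume_bytes": volume,
        "collision_probability": block_collision_probability(volume),
        "within_limit": volume <= limit_bytes,
        "max_lifetime_s": lifetime_for_volume_limit(rate_bytes_per_s, limit_bytes),
    }


if __name__ == "__main__":
    hour = 3600
    # Same one-hour lifetime, very different exposure (constructed rates).
    for label, rate in (("1 MB/hour", 1_000_000 / hour),
                        ("300 MB/hour", 300_000_000 / hour),
                        ("1 MB/second", 1_000_000)):
        r = assess(rate, hour)
        print(f"{label:12s} {r['volume_bytes'] / 1e6:9.1f} MB  "
              f"p={r['collision_probability']:.2e}  ok={r['within_limit']}  "
              f"max_lifetime={r['max_lifetime_s'] / hour:.2f} h")
```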