Are you sure you want to use manual keying? Especially with 3DES, which is one of the most secure IPSec choices if used correctly?
I may be falling victim to some Netscreen terminology blunder, but "Manual Keying" normally means that the actual keys used by the ESP and AH encryption algorithms (3DES in your case) are fixed manually at each end. This is bad, since there will be no re-keying, ever, and you'd need to have a way of transferring the keys to each site so that they can be typed in and then arrange for some sort of key-change schedule, otherwise you'll end up sending all your data under one key. This is both fragile and possibly insecure, depending on how much of the differential analysis stuff you buy into for DES.

Note that manual keying isn't the same as "pre-shared keys", which are used to generate keys that are used in IKE (Internet Key Exchange protocol), which then takes care of all the keying, re-keying and associated issues for both ESP and AH, in a secure manner. In a good IPSec setup the keys are changed (by IKE) regularly, and the negotiation phase of IKE would use either digital signatures or one of the public key modes. My _personal_ favourite is probably using "RSA encrypted nonces" with large (1024+) keys, or digital sigs with a self-maintained CA.

The long and the short of it is that manual keying is really only for testing purposes or for EXTREMELY hardcore crypto freaks who have a super secure out-of-band key exchange protocol, with associated rotation and re-keying regimes. If you know all this, and you're actually implying that you mistrust IKE for some reason, please let me know, because I'd be very interested in any discussion suggesting that it is flawed. If none of this made any sense, then let me know and I'll be less terse!
Cheers,

--
Ben Nagy
Network Security Specialist
Mb: +61 414 411 520
PGP Key ID: 0x1A86E304

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Warren van Eyssen
> Sent: Friday, January 11, 2002 5:17 PM
> To: Firewalls (E-mail) (E-mail)
> Subject: Netscreen 5xp 3Des Keys
>
> Hi All,
>
> Can anybody help with the following problem
> I have a Netscreen 5xp OS Ver 3.0.0r1.0
> I want to use 3Des-CBC Manual Key encryption[...]

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
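The "no re-keying, ever" problem described above is something you can check for on a running gateway: an SA with no byte, packet or time lifetime will keep one key until someone deletes it. The following is an added example, not from the thread or from Netscreen; it assumes the SA listing format of Linux `ip xfrm state` (used here as a stand-in for the Netscreen, whose output is not on the page) and runs over a constructed sample.

```python
"""Flag IPsec SAs that can never rekey (the manual-keying symptom)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in `ip xfrm state` layout (assumption: one SA per
# "src ..." block). First SA: hand-installed 3DES with infinite lifetimes.
# Second SA: same cipher but with a time limit, as an IKE daemon would set.
SAMPLE_XFRM_STATE = """\
src 192.0.2.1 dst 198.51.100.1
\tproto esp spi 0x00001000 reqid 1 mode tunnel
\tenc cbc(des3_ede) 0x0123456789abcdef0123456789abcdef0123456789abcdef
\tlifetime config:
\t  limit: soft (INF)(bytes), hard (INF)(bytes)
\t  limit: soft (INF)(packets), hard (INF)(packets)
\t  expire add: soft 0(sec), hard 0(sec)
src 198.51.100.1 dst 192.0.2.1
\tproto esp spi 0xc1e7b2a4 reqid 2 mode tunnel
\tenc cbc(des3_ede) 0xfedcba9876543210fedcba9876543210fedcba9876543210
\tlifetime config:
\t  limit: soft (INF)(bytes), hard (INF)(bytes)
\t  limit: soft (INF)(packets), hard (INF)(packets)
\t  expire add: soft 3000(sec), hard 3600(sec)
"""

@dataclass
class SaReport:
    spi: str
    cipher: str
    hard_bytes: str      # "INF" or a number, as printed
    hard_packets: str
    hard_seconds: int    # 0 means "no time limit"

    @property
    def never_rekeys(self) -> bool:
        # No limit of any kind: the SA lives until deleted, i.e. one key forever.
        return (self.hard_bytes == "INF" and self.hard_packets == "INF"
                and self.hard_seconds == 0)

def audit_xfrm_state(text: str) -> list[SaReport]:
    reports = []
    for block in re.split(r"(?m)^(?=src )", text):
        spi = re.search(r"spi (0x[0-9a-f]+)", block)
        enc = re.search(r"enc (\S+)", block)
        hb = re.search(r"hard \(?(\w+)\)?\(bytes\)", block)
        hp = re.search(r"hard \(?(\w+)\)?\(packets\)", block)
        hs = re.search(r"expire add: soft \d+\(sec\), hard (\d+)\(sec\)", block)
        if not (spi and enc and hb and hp and hs):
            continue  # not a block we understand; skip rather than guess
        reports.append(SaReport(spi.group(1), enc.group(1), hb.group(1),
                                hp.group(1), int(hs.group(1))))
    return reports

if __name__ == "__main__":
    for r in audit_xfrm_state(SAMPLE_XFRM_STATE):
        flag = "NEVER REKEYS" if r.never_rekeys else "ok"
        print(f"spi {r.spi} {r.cipher}: {flag}")
```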
