So, how about replacing the first two paragraphs? OLD: The Advanced Encryption Standard (AES - [FIPS-197]) has become the gold standard in encryption. Its efficient design, wide implementation, and hardware support allow for high performance in many areas, including IPsec VPNs. On most modern platforms, AES is anywhere from 4x to 10x as fast as the previous most-used cipher, 3-key Data Encryption Standard (3DES - [SP800-67]). 3DES also has a 64-bit block, which means that the amount of data that can be encrypted before rekeying is required is not great. These reasons make AES not only the best choice, but the only choice.
The problem is that if future advances in cryptanalysis reveal a weakness in AES, VPN users will be in an unenviable position. With the only other widely supported cipher being the much slower 3DES, it is not feasible to re-configure IPsec installations away from AES. [standby-cipher] describes this issue and the need for a standby cipher in greater detail. NEW: The Advanced Encryption Standard (AES - [FIPS-197]) has become the go-to algorithm for encryption. It is now the most commonly used algorithm in many areas, including IPsec virtual private networks (VPN). On most modern platforms AES is anywhere from 4x to 10x as fast as the previous popular cipher, 3-key Data Encryption Standard (3DES - [SP800-67]). 3DES also uses a 64-bit block, which means that the amount of data that can be encrypted before rekeying is required is limited. These reasons make AES not only the best choice, but the only viable choice for IPsec. The problem is that if future advances in cryptanalysis reveal a weakness in AES, VPN users will be in an unenviable position. With the only other widely supported cipher for IPsec implementations being the much slower 3DES, it is not feasible to re-configure IPsec installations away from AES. [standby-cipher] describes this issue and the need for a standby cipher in greater detail. Yoav _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec