Hi Rahul.

I don’t have a link, but common sense says that there are four things to consider when choosing algorithms:

- required strength - for example DES is only 56 bits.
- compliance - certain industries have regulations specifying which algorithms to use.
- performance - of all the acceptable algorithms, use the fastest one on your machine
- availability - if your crypto library does not support AES-192 or XCBC, you just can't use them.

Unless you're into banking or top-secret military data, all the algorithms you have mentioned, with the possible exception of DES, are secure enough. I will also assume that you don't have compliance requirements, so what we're left with is performance and availability. On most Intel-based platforms, AES with whatever key size is quicker than 3DES, although AES-128 is quicker than AES-192 or AES-256. HMAC-MD5 is quicker than HMAC-SHA1, which in turn is quicker than AES-XCBC. So usually your best bet would be AES-128 with either HMAC-MD5 or HMAC-SHA1. Note that there is no particular reason to treat different services differently.

________________________________________
From: ipsec-boun...@ietf.org [mailto:ipsec-boun...@ietf.org] On Behalf Of rahul bharadhwaj
Sent: Thursday, February 18, 2010 1:54 PM
To: ipsec@ietf.org
Subject: [IPsec] information about choosing hash/crypt for different services

Hi All

I need to create ipsec rules for services like telnet, ftp, print, icmp, http etc. separately, as part of my learning. Could anyone let me know on what basis hashing (md5, sha1, xcbc) and encryption (des, 3des, aes128/192/256) techniques can be chosen for each type of service? Please provide any suitable links if available.

Thanks