[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SOI QUESTIONS: 5.1-5.2

To: "'Theodore Ts'o'" <tytso@mit.edu>, " 'list'" <ipsec@lists.tislabs.com>
Subject: SOI QUESTIONS: 5.1-5.2
From: "Andrew Krywaniuk" <andrew.krywaniuk@alcatel.com>
Date: 11 Jul 2002 17:32:48 -0400
Importance: Normal
In-Reply-To: <E17SM1U-0000bS-00@think.thunk.org>
Reply-To: andrew.krywaniuk@alcatel.com
Sender: owner-ipsec@lists.tislabs.com

> 5.1.A)Is negotiation for the algorithm suite required or not?

Yes. The idea that you can avoid negotiation in JFK is illusory. You either
get negotiation in the exchange or in the meta-negotiation.


> 5.1.B) Is there ever a case when you want the initiator to
> have the "last
> word"?

I don't understand this question


> 5.1.2 Agreement of IPsec SA cryptographic algorithms
>
> JFK's SA negotiation uses pre-defined suites, and Bob
> presents a single
> suite to Alice. In IKEv2 SA negotiation allows the two
> parties to agree on
> the most preferred parameters, the same as it does for key
> negotiation.
>
> 5.1.2.A) Is it important to allow negotiation of the SA algorithms?

Isn't this the same as 5.1.A?


> 5.2.A) Is it important to have predefined suites or a la
> carte selection of
> parameters?

I prefer to have so-called "GUI ciphersuites" where we allow negotiation of
parameters on the wire, but define names for a few specific combinations.
These common names could then be used in a GUI to ensure easy configuration
of heterogeneous networks. The problem with ciphersuites has traditionally
been that not everyone is going to agree on every parameter. Ciphersuites
will force us to accomodate the lowest common denominator (or perhaps the
highest common denominator). At least by making the algorithms negotiable on
the wire, it's not such a forced decision.

Whether the ciphersuite is virtual or sent on the wire doesn't make it any
harder for you to optimize for that specific case. You can look for specific
combinations of algorithms and instantiate an optimized subclass/code path.
In practice, it's not IKE but ESP that really needs to be optimized, anyway.
Most of us already have code for the IPsec transform part which handles both
the generic case and optimized subcases.

Andrew
-------------------------------------------
There are no rules, only regulations. Luckily,
history has shown that with time, hard work,
and lots of love, anyone can be a technocrat.

Follow-Ups:
- Re: SOI QUESTIONS: 5.1-5.2
  - From: Michael Richardson <mcr@sandelman.ottawa.on.ca>

References:
- SOI QUESTION: 5.1 SA creation style: Cryptographic agreement
  - From: "Theodore Ts'o" <tytso@mit.edu>

Prev by Date: SOI QUESTION: 6.2 Port number
Next by Date: Re: SOI QUESTION: 5.3 SPD entries
Prev by thread: Re: SOI QUESTION: 5.1 SA creation style: Cryptographic agreement
Next by thread: Re: SOI QUESTIONS: 5.1-5.2
Index(es):
- Date
- Thread