Re: Last ditch proposal for crypto suites
In message <OF710D18BE.04BE38CA-ON85256C24.000F505D-85256C24.001239FC@iris.com>, Charlie_Kaufman@notesdev.ibm.com writes:
>The discussion of crypto suites vs. a la carte algorithm negotiation in
>IKEv2 was frustrating. I think most people like suites better (in the
>possibly unrealistic belief that we can keep the number of suites
>manageably small), but the advocates for a la carte negotiation were more
>adamant about its necessity.
You know my opinion -- scrap a la carte. But let me ask the question
differently: Paul Hoffman, in your interoperability tests do you see
many different combinations actually used? Or don't your tests go
there?
As for the specific suggestion -- I think I'd rather keep a la carte,
rather than the hybrid suggestion. I fear the complexity, not just of
having both sets of code, but also of being able to cope correctly with
an offer or a response that specified one a la carte entry *and* one
suite. I think the potential for bugs there is high. But if we want
to go there, we need to specify precisely how to deal with the
situation. In particular, we need to specify the rules on how to
decide which to accept, and what to do if there is an apparent conflict
in a response.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)
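Added example, not part of the thread: a toy Python model of the two negotiation styles and of the hybrid-response check Bellovin asks for (what to do when a response names a suite *and* an a la carte selection). The suite names, algorithm labels and resolution rules are constructed for illustration only; they are not IKEv2 transform identifiers, registered suites or wire format.

```python
"""Toy model of suite vs. a la carte cipher negotiation and the hybrid-response
ambiguity raised in the thread.  All names and rules are hypothetical."""
from itertools import product

FIELDS = ("encr", "integ", "prf", "dh")

# Constructed suite registry for the hypothetical hybrid scheme (not IANA values).
SUITES = {
    "SUITE-A": ("aes128", "hmac-sha1", "prf-sha1", "group14"),
    "SUITE-B": ("3des", "hmac-sha1", "prf-sha1", "group2"),
}


def expand_a_la_carte(alc):
    """All combinations an a la carte offer implicitly places on the table.

    alc maps each field name to a list of acceptable algorithms in preference
    order.  The Cartesian product is why a la carte resists staying small."""
    return [tuple(c) for c in product(*(alc.get(f, []) for f in FIELDS))]


def responder_pick(offer, responder_ok):
    """Responder selection under an assumed 'suites first' rule: the first
    offered suite the responder supports wins; otherwise the first supported
    a la carte combination, walked in the initiator's preference order.
    Returns (suite_name_or_None, algorithm_tuple_or_None)."""
    for name in offer.get("suites", []):
        if SUITES[name] in responder_ok:
            return name, None
    for combo in expand_a_la_carte(offer.get("a_la_carte", {})):
        if combo in responder_ok:
            return None, combo
    return None, None


def resolve_response(offer, response):
    """Initiator-side check of a response that may carry a suite name, an
    a la carte tuple, or both.  Returns the agreed tuple or raises ValueError.

    Rules assumed for this model (not taken from any IKEv2 draft):
      1. An empty response means nothing offered was acceptable.
      2. Each selection present must be something the initiator actually offered.
      3. If both are present they must denote the same algorithms; a mismatch
         is the 'apparent conflict' and is rejected rather than guessed at."""
    name = response.get("suite")
    combo = response.get("a_la_carte")
    if name is None and combo is None:
        raise ValueError("no acceptable proposal")
    suite_tuple = None
    if name is not None:
        if name not in offer.get("suites", []):
            raise ValueError(f"responder chose unoffered suite {name}")
        suite_tuple = SUITES[name]
    if combo is not None:
        combo = tuple(combo)
        if combo not in expand_a_la_carte(offer.get("a_la_carte", {})):
            raise ValueError("responder chose unoffered a la carte combination")
    if suite_tuple is not None and combo is not None and suite_tuple != combo:
        raise ValueError(f"conflict: suite {name} != a la carte {combo}")
    return suite_tuple if suite_tuple is not None else combo


def response_is_valid(offer, response):
    """Boolean wrapper so callers can test acceptance without catching."""
    try:
        resolve_response(offer, response)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed offer: one named suite plus a small a la carte menu.
    offer = {
        "suites": ["SUITE-A"],
        "a_la_carte": {"encr": ["aes128", "3des"], "integ": ["hmac-sha1"],
                       "prf": ["prf-sha1"], "dh": ["group2", "group14"]},
    }
    # A responder that only supports the SUITE-B algorithms, which were not
    # offered as a suite but are reachable through the a la carte product.
    responder_ok = {SUITES["SUITE-B"]}
    print(responder_pick(offer, responder_ok))
    print(resolve_response(offer, {"suite": "SUITE-A",
                                   "a_la_carte": SUITES["SUITE-A"]}))
    print(response_is_valid(offer, {"suite": "SUITE-A",
                                    "a_la_carte": SUITES["SUITE-B"]}))
```

The model makes Bellovin's two worries concrete: `expand_a_la_carte` shows how many combinations a modest a la carte offer really puts on the table, and `resolve_response` has to carry explicit rules for the hybrid case (which selection wins, what counts as a conflict) that a pure suite or pure a la carte design never needs.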