
Re: Last ditch proposal for crypto suites



In message <OF710D18BE.04BE38CA-ON85256C24.000F505D-85256C24.001239FC@iris.com>
, Charlie_Kaufman@notesdev.ibm.com writes:
>The discussion of crypto suites vs. a la carte algorithm negotiation in
>IKEv2 was frustrating. I think most people like suites better (in the
>possibly unrealistic belief that we can keep the number of suites
>manageably small), but the advocates for a la carte negotiation were more
>adamant about its necessity.

You know my opinion -- scrap a la carte.  But let me ask the question 
differently:  Paul Hoffman, in your interoperability tests do you see 
many different combinations actually used?  Or don't your tests go 
there?

As for the specific suggestion -- I think I'd rather keep a la carte, 
rather than the hybrid suggestion.  I fear the complexity, not just of 
having both sets of code, but also of being able to cope correctly with 
an offer or a response that specified one a la carte entry *and* one 
suite.  I think the potential for bugs there is high.  But if we want 
to go there, we need to specify precisely how to deal with the 
situation.  In particular, we need to specify the rules on how to 
decide which to accept, and what to do if there is an apparent conflict 
in a response.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com ("Firewalls" book)