
Re: suites - phase 1 vs 2





>>>>> "Dan" == Dan McDonald <danmcd@east.sun.com> writes:
    >> 1) 3DES/MD5  (i.e. no IPcomp)
    >> 2) 3DES/SHA1
    >> 3) 3DES/MD5/LZS
    >> 4) AES/SHA1/LZS
    >> ...
    >> 
    >> that is, I'm pretty sure that we want the IPcomp choice (or not) to be part
    >> of the ESP suite, not a separate list.

    Dan> You either need to also include AH (whether it's there or not), OR
    Dan> you need to treat AH, ESP, and IPcomp as separate protocols.  You
    Dan> can't just include

  I would actually prefer to do the former - include AH or not.
  This gets rid of the various debates about 
       IP ESP AH IP
vs     IP AH ESP IP
vs     IP AH IP ESP IP
...

  This becomes part of the ciphersuite. I think that ciphersuites would then
essentially become use cases. Does that give us too many of them? I doubt it.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
