
Re: Suites vs a-la-carte

At 3:57 PM -0800 11/12/02, Scott G. Kelly wrote:
>I agree that suites seem overwhelming when considered from this
>perspective. However, there is another way to look at this. Before going
>into that, I should point out that we don't have to support every
>esoteric combination anyone could dream up. If we provide numbers for
>all mainstream combinations and then provide for vendor IDs and private
>numbers, folks wanting unusual combinations can define them privately.
>It's been my experience that most implementations don't make use of more
>than a few combinations in practice.

IKEv2 should be simpler for the implementer so that we feel better 
about its security. Just as important to the VPN industry, however, 
is that IKEv2 be simpler for the gateway administrator. Few 
administrators need to know the difference between Phase 1 and Phase 
2; in fact, given that the first child-SA is now negotiated in Phase 
1, we will be hard-pressed to clearly explain why the difference 
matters at all.

>Instead of thinking in terms of one number which encodes everything, we
>could view it in terms of phase 1 suites and phase 2 general parameters
>*and* suites.

This doesn't sound simpler. :-)

--Paul Hoffman, Director
--VPN Consortium
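
The two negotiation styles being argued about above, as an added illustration that is not part of the thread and not code from any IKEv2 implementation: a small suite table (one number per vetted combination, plus a private-use range) against a-la-carte selection per algorithm category. The algorithm names, the category list and the private-use boundary are placeholders chosen for the example, not the IKEv2 registries.

```python
"""Suite-based vs a-la-carte algorithm negotiation (added example)."""

# Illustrative per-category menus. These names are placeholders for the
# example, not the registered IKEv2 transform identifiers.
CATEGORIES = {
    "encr": ["aes-128-cbc", "3des-cbc", "null"],
    "integ": ["hmac-sha1-96", "hmac-md5-96"],
    "prf": ["prf-hmac-sha1", "prf-hmac-md5"],
    "dh": ["group14", "group2"],
}

# Suite table: a short list of vetted combinations, each with one number.
SUITES = {
    1: ("aes-128-cbc", "hmac-sha1-96", "prf-hmac-sha1", "group14"),
    2: ("3des-cbc", "hmac-sha1-96", "prf-hmac-sha1", "group2"),
}

# Hypothetical private-use boundary for the example (not from the spec):
# suite numbers at or above this are "vendor-defined" and need no entry
# in the public table, as Scott's message proposes.
PRIVATE_USE_START = 0xFF00


def a_la_carte_combinations(categories=CATEGORIES) -> int:
    """Number of distinct combinations an a-la-carte peer could assemble."""
    n = 1
    for algs in categories.values():
        n *= len(algs)
    return n


def negotiate_suite(initiator_prefs, responder_supported, suites=SUITES):
    """Return the first initiator-preferred suite number the responder
    also supports, accepting private-use numbers without a table entry."""
    for sid in initiator_prefs:
        known = sid in suites or sid >= PRIVATE_USE_START
        if known and sid in responder_supported:
            return sid
    return None


def negotiate_a_la_carte(initiator, responder, categories=CATEGORIES):
    """Pick, per category, the first initiator choice the responder lists.
    Each category is matched independently, so the resulting combination
    is one nobody explicitly wrote down."""
    chosen = {}
    for cat in categories:
        for alg in initiator[cat]:
            if alg in responder[cat]:
                chosen[cat] = alg
                break
        else:
            return None  # no common algorithm in this category
    return chosen


def is_acceptable(chosen, forbidden=("null",)) -> bool:
    """Post-check an assembled a-la-carte result. With suites this check is
    folded into the table; with a-la-carte it has to be done separately."""
    return chosen is not None and all(a not in forbidden for a in chosen.values())


if __name__ == "__main__":
    print("a-la-carte combinations:", a_la_carte_combinations())
    print("suite negotiated:", negotiate_suite([2, 1], {1}))
    init = {"encr": ["null", "aes-128-cbc"], "integ": ["hmac-sha1-96"],
            "prf": ["prf-hmac-sha1"], "dh": ["group14"]}
    resp = {"encr": ["null", "aes-128-cbc"], "integ": ["hmac-sha1-96"],
            "prf": ["prf-hmac-sha1"], "dh": ["group14"]}
    picked = negotiate_a_la_carte(init, resp)
    print("a-la-carte picked:", picked, "acceptable:", is_acceptable(picked))
```

The count returned by a_la_carte_combinations is the "every esoteric combination" problem in numbers: four small menus already yield 24 combinations against a two-entry suite table, and the a-la-carte result has to be validated after the fact because the pair of peers, not a designer, assembled it.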