Re: Suites vs a-la-carte
At 11:08 PM +0200 11/12/02, Tero Kivinen wrote:
>I didn't receive any comments on my previous mail about this issue; I
>think it was too long or something.
>
>Anyways, I think IKEv2 has way too many dimensions to negotiate
>for suite-style negotiation. For IKE SA creation there are 5 different
>dimensions, and some of them are open-ended numbers. For the IPsec SA we
>have about 6, and then at least 2 new extensions.
>
>We cannot realistically encode all that information into one single number.
Sure we can; we just can't agree to the limited number of numbers
that we would encode. That is, we can easily say "If you see suite
#1, it means phase 1 {rsa signature of at least 1024 bits, aes-128,
sha1, d-h group 2, IKE window size of 5} and phase 2 { aes-128, sha
auth, no ah, no compression, pfs using d-h group 2, tunnel with
NAT-T, extended sequence numbers, ECN}". The hard question is how
many more numbers do we need to allocate to key all IPsec scenarios
using IKEv2.
>This means that we probably need to have some of those parameters
>negotiated a-la-carte style (Diffie-Hellman group,
>window size, extension options in IPsec (extended sequence numbers,
>ECN), etc.). If we are going to add the a-la-carte negotiation, then I
>think it is better to do everything the same way and not mix them, thus use
>the a-la-carte style completely.
Agree.
>We can have gui-suites for the commonly used parameters, but in that
>case too we might want to include all information to those numbers
>(like window size).
Agree. The GUI-suites would only be a short-hand for common
scenarios, and we could probably come to agreement on a set of five
or so.
--Paul Hoffman, Director
--VPN Consortium
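As an added illustration (not part of the thread, and not from any IKEv2 draft), a small Python model of the two styles discussed above: it counts how many suite numbers the IKE SA dimensions named in the mail would need, and expands "GUI suites" into an a-la-carte per-dimension offer that the responder intersects with its own policy. The algorithm names, the second suite and the responder policy are constructed for the example.

```python
"""Toy model of suite-style vs a-la-carte negotiation (constructed example)."""

# One entry per IKE SA dimension named in the thread; the value lists are
# constructed. "window" stands in for the open-ended dimensions.
IKE_SA_DIMENSIONS = {
    "auth": ["rsa-sig-1024", "rsa-sig-2048", "psk"],
    "encr": ["aes-128", "aes-256", "3des"],
    "hash": ["sha1", "md5"],
    "dh_group": ["group2", "group5", "group14"],
    "window": [1, 5, 10],
}

# "GUI suites": shorthand names for complete parameter sets. Suite 1 is the
# phase 1 example from the mail; suite 2 is constructed.
SUITES = {
    1: {"auth": "rsa-sig-1024", "encr": "aes-128", "hash": "sha1", "dh_group": "group2", "window": 5},
    2: {"auth": "psk", "encr": "3des", "hash": "sha1", "dh_group": "group2", "window": 1},
}


def suite_count(dimensions):
    """Suite numbers needed to name every combination of the given choices."""
    total = 1
    for choices in dimensions.values():
        total *= len(choices)
    return total


def offer_from_suites(suite_ids):
    """Expand suites into an a-la-carte offer: per dimension, the ordered
    list of values any selected suite uses (initiator preference order)."""
    offer = {}
    for sid in suite_ids:
        for dim, value in SUITES[sid].items():
            values = offer.setdefault(dim, [])
            if value not in values:
                values.append(value)
    return offer


def negotiate(offer, responder_policy):
    """A-la-carte selection: for each dimension the responder takes the first
    offered value it accepts. Returns None when any dimension has no overlap.
    Note the result may combine values from different suites, so the chosen
    set need not match any predefined suite."""
    chosen = {}
    for dim, offered in offer.items():
        acceptable = [v for v in offered if v in responder_policy.get(dim, ())]
        if not acceptable:
            return None
        chosen[dim] = acceptable[0]
    return chosen
```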