
Re: Suites vs a-la-carte



At 11:08 PM +0200 11/12/02, Tero Kivinen wrote:
>I didn't receive any comments of my previous mail about this issue, I
>think it was too long or something.
>
>Anyways I think the IKEv2 has way too many dimensions to negotiate
>for suite style negotiation. For IKE SA creation there are 5 different
>dimensions, and some of them are open ended numbers. For IPsec SA we
>have about 6 and then at least 2 new extensions.
>
>We cannot realistically encode all that information to one single number.

Sure we can; we just can't agree to the limited number of numbers 
that we would encode. That is, we can easily say "If you see suite 
#1, it means phase 1 {rsa signature of at least 1024 bits, aes-128, 
sha1, d-h group 2, IKE window size of 5} and phase 2 { aes-128, sha 
auth, no ah, no compression, pfs using d-h group 2, tunnel with 
NAT-T, extended sequence numbers, ECN}". The hard question is how 
many more numbers do we need to allocate to key all IPsec scenarios 
using IKEv2.

>This means that we propably need to have some of those parameters
>negotiated as a-la-carte style negotiation (Diffie-Hellman group,
>window size, extension options in IPsec (extended sequence numbers,
>ECN) etc). If we are going to add the a-la-carte negotiation then I
>think it is better to everything in same way not to mix them, thus use
>the a-la-carte completely.

Agree.

>We can have gui-suites for the commonly used parameters, but in that
>case too we might want to include all information to those numbers
>(like window size).

Agree. The GUI-suites would only be a short-hand for common 
scenarios, and we could probably come to agreement on a set of five 
or so.

--Paul Hoffman, Director
--VPN Consortium
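An added illustration of the two negotiation styles discussed in this thread (example code, not from either poster or from any IKEv2 implementation): a suite number expands to a fixed bundle of parameters and succeeds only on an exact match, while a-la-carte negotiation picks a value per dimension and fails only if some dimension has no common choice. The suite table is constructed from the "suite #1" text above; the suite number and the per-dimension value sets are hypothetical, not IANA assignments.

```python
# Constructed suite table modelled on the "suite #1" example in the message.
# The number 1 and its contents are hypothetical, not a registered suite.
SUITES = {
    1: {
        "phase1": {"auth": "rsa-sig>=1024", "encr": "aes-128", "prf": "sha1",
                   "dh": "group2", "window": 5},
        "phase2": {"encr": "aes-128", "integ": "sha", "ah": False,
                   "compression": False, "pfs": "group2",
                   "mode": "tunnel+nat-t", "esn": True, "ecn": True},
    },
}


def negotiate_suite(offered, acceptable):
    """Suite style: the first offered suite number the responder also
    accepts wins; no partial agreement is possible."""
    for suite in offered:
        if suite in acceptable:
            return suite
    return None


def negotiate_a_la_carte(offered, acceptable):
    """A-la-carte style: per dimension, take the first initiator-preferred
    value the responder's policy allows. Returns None if any single
    dimension has no common value, so the failure is localised."""
    chosen = {}
    for dim, values in offered.items():
        common = [v for v in values if v in acceptable.get(dim, ())]
        if not common:
            return None
        chosen[dim] = common[0]
    return chosen


def suites_needed(dimensions):
    """How many distinct suite numbers would be needed to give every
    combination of the listed per-dimension values its own number."""
    count = 1
    for values in dimensions.values():
        count *= len(values)
    return count
```

With five IKE SA dimensions of only three values each, `suites_needed` already returns 243 numbers, which is the point about open-ended dimensions made above.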