
Re: Suites vs a-la-carte
Paul Hoffman / VPNC wrote:
> IKEv2 should be simpler for the implementer so that we feel better
> about its security. Just as important to the VPN industry, however,
> is that IKEv2 be simpler for the gateway administrator. Few
> administrators need to know the difference between Phase 1 and Phase
> 2; in fact, given that the first child-SA is now negotiated in Phase
> 1, we will be hard-pressed to clearly explain why the difference
> matters at all.
> 
> >Instead of thinking in terms of one number which encodes everything, we
> >could view it in terms of phase 1 suites and phase 2 general parameters
> >*and* suites.
> 
> This doesn't sound simpler. :-)
> 

Yes, I agree, but I don't know if there's anything we can do to make it
*really* simple. I agree that compressing phase 1 and 2 algs into one
number seems to make it simpler, but then Tero's argument surfaces - how
many combinations is that? And no matter what, there are other
parameters that are somewhat open-ended, as Tero noted.

I originally thought suites were the answer, but now I'm thinking that
*the* answer doesn't exist. On the other hand, this needs resolution.
Maybe Tero is right, and the best choice is to support a la carte
selection. If we reduce the number of supported algs to a minimum, maybe
that's the best we can do.

Scott