
Re: suites vs. a la carte and IPcomp in IKEv2-05



Dan Harkins <dharkins@trpz.com> writes:

>   I really prefer a la carte. The argument against-- that all combinations
> are not tested-- is really specious. The argument against suites is
> that they multiply like rabbits. Supporting IPcomp means 6 more.
> Adding 2 D-H groups to the IPsec suites means 8 more. 

As an implementor I, too, prefer a la carte.  I agree with your
particular arguments.  I happen to disagree with Hugo on the testing
point.  If you've tested 3DES, AES, HMAC-MD5, and HMAC-SHA1 in unit
testing, I don't think you need a complete security analysis of the
full matrix of possibilities.  A block cipher is a block cipher, and
they are generally interchangeable.

The only argument I've heard that favors suites is from hardware
vendors.  Hardware is not as plug-and-play as software, so you can't
necessarily do any combination.  My answer to that concern is to just
advertise the list of things you support.  You can spell out the
"supported hardware suites" using the a la carte methods.

I missed the Atlanta meeting where this was decided (I was chairing
IMPP at the time).  Before the meeting there was a fairly clear
consensus on this list (IMNSHO, after reading ALL the mail on this
list from May 2002 through January 2003 in one sitting) to use a la
carte on the wire but suggest named suites for the (configuration)
user interface.  Indeed, I was shocked to see the mail after the
Atlanta meeting that reversed what I thought was a clear consensus on
the list.  I still maintain that is the "best of all worlds".

>   thanks,
> 
>     Dan.

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
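The two negotiation styles argued over in this thread, as an added illustration that is not part of the original mail and not the IKEv2 draft's encoding: a toy a la carte proposal lists alternatives per transform type and lets any combination through, named suites need one entry per combination (so their number is the product of the per-type choices), and a vendor with only certain tested combinations can still be expressed a la carte by sending one single-choice proposal per combination. The transform names, the three transform types, and the responder's selection rule are assumptions chosen for the example.

```python
from itertools import product

# Constructed catalog of alternatives per transform type (assumed names,
# not a registry): encryption, integrity and D-H group.
ENCR = ["3DES", "AES-CBC"]
INTEG = ["HMAC-MD5", "HMAC-SHA1"]
DH = ["group2", "group5"]


def suite_count(*choice_lists):
    """Named suites needed to cover every combination: the product of the
    per-type alternatives, which is why suites grow with each new option."""
    n = 1
    for choices in choice_lists:
        n *= len(choices)
    return n


def named_suites(encr, integ, dh):
    """Enumerate the suites a suite-based negotiation would have to name."""
    return [(e, i, d) for e, i, d in product(encr, integ, dh)]


def a_la_carte_proposal(encr, integ, dh):
    """One proposal carrying alternatives per type; any combination is
    acceptable to the sender (the software implementor's case)."""
    return {"ENCR": list(encr), "INTEG": list(integ), "DH": list(dh)}


def restricted_proposals(allowed_combos):
    """A vendor that has only validated certain combinations (the hardware
    case) advertises each one as its own single-choice proposal, using the
    same a la carte wire format."""
    return [{"ENCR": [e], "INTEG": [i], "DH": [d]} for e, i, d in allowed_combos]


def choose(proposals, responder_prefs):
    """Assumed responder rule: take the first proposal it can satisfy, and
    within it pick, per type, its own most preferred transform among the
    offered alternatives.  Returns None if no proposal is acceptable."""
    for proposal in proposals:
        chosen = {}
        for ttype, offered in proposal.items():
            pick = next((x for x in responder_prefs[ttype] if x in offered), None)
            if pick is None:
                break  # this proposal cannot be satisfied; try the next one
            chosen[ttype] = pick
        else:
            return chosen
    return None


if __name__ == "__main__":
    prefs = {"ENCR": ["AES-CBC", "3DES"], "INTEG": ["HMAC-SHA1"], "DH": ["group5", "group2"]}
    print("suites needed:", suite_count(ENCR, INTEG, DH))
    print("software peer:", choose([a_la_carte_proposal(ENCR, INTEG, DH)], prefs))
    hw = restricted_proposals([("3DES", "HMAC-MD5", "group2"), ("AES-CBC", "HMAC-SHA1", "group2")])
    print("hardware peer:", choose(hw, prefs))
```

Adding one more transform type with two alternatives doubles the number of named suites, while the a la carte proposal simply gains one more list; the restricted-vendor form still only names the combinations that vendor actually supports.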