
Re: suites vs. a la carte and IPcomp in IKEv2-05



I would say me too; but that would be the case for many other items as 
well, such as 4/6 vs. 4.

However, I don't see the point in reopening all the items for yet 
another round of discussion.  If IPsec suites also need to have DH 
group, let us add it.

regards,
Lakshminath

Scott G. Kelly wrote:
> I originally supported suites, but then was convinced that a-la-carte is
> probably better, especially if you're not going to include the DH group.
> I too thought we converged on a-la-carte here on the list, and was
> surprised to see suites in the updated doc(s).
> 
> Scott
> 
> Derek Atkins wrote:
> 
>>Dan Harkins <dharkins@trpz.com> writes:
>>
>>
>>>  I really prefer a la carte. The argument against-- that all combinations
>>>are not tested-- is really specious. The argument against suites is
>>>that they multiply like rabbits. Supporting IPcomp means 6 more.
>>>Adding 2 D-H groups to the IPsec suites means 8 more.
>>
>>As an implementor I, too, prefer a la carte.  I agree with your
>>particular arguments.  I happen to disagree with Hugo on the testing
>>point.  If you've tested 3DES, AES, HMAC-MD5, and HMAC-SHA1 in unit
>>testing, I don't think you need a complete security analysis of the
>>full matrix of possibilities.  A block cipher is a block cipher, and
>>they are generally interchangeable.
>>
>>The only argument I've heard that favors suites is from hardware
>>vendors.  Hardware is not as plug-and-play as software, so you can't
>>necessarily do any combination.  My answer to that concern is to just
>>advertise the list of things you support.  You can spell out the
>>"supported hardware suites" using the a la carte methods.
>>
>>I missed the Atlanta meeting where this was decided (I was chairing
>>IMPP at the time).  Before the meeting there was a fairly clear
>>consensus on this list (IMNSHO, after reading ALL the mail on this
>>list from May 2002 through January 2003 in one sitting) to use a la
>>carte on the wire but suggest named suites for the (configuration)
>>user interface.  Indeed, I was shocked to see the mail after the
>>Atlanta meeting that reversed what I thought was a clear consensus on
>>the list.  I still maintain that is the "best of all worlds".
>>
>>
>>>  thanks,
>>>
>>>    Dan.
>>
>>-derek
>>
>>--
>>       Derek Atkins
>>       Computer and Internet Security Consultant
>>       derek@ihtfp.com             www.ihtfp.com
> 
>
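As an added example (not code from the thread or from any IKEv2 draft), a small Python model of Derek Atkins's position: a la carte on the wire, named suites only in configuration, and a hardware vendor's fixed combinations expressed as one single-transform proposal each, alongside Dan Harkins's counting of how many suites a single a la carte proposal covers. The responder rule (first combination, in the initiator's order, that the responder can actually run) and the transform labels are assumptions of the example, not IKEv2-05's exact encoding.

```python
from itertools import product

TYPES = ("encr", "integ", "dh")  # one transform of each type makes a suite

def a_la_carte(encr, integ, dh):
    """One a la carte proposal: per type, the transforms offered, most
    preferred first. It implicitly offers every combination."""
    return {"encr": tuple(encr), "integ": tuple(integ), "dh": tuple(dh)}

def combinations(proposal):
    """Suites one proposal expresses; each would need a named-suite id."""
    n = 1
    for t in TYPES:
        n *= len(proposal[t])
    return n

def hardware_suites(suites):
    """Hardware that runs only fixed combinations sends one proposal per
    combination, one transform per type: 'supported hardware suites'."""
    return [a_la_carte([e], [i], [d]) for e, i, d in suites]

def software_suites(encr, integ, dh):
    """A software peer that mixes freely supports the full product."""
    return set(product(encr, integ, dh))

def responder_choice(offered, supported):
    """First combination, in the initiator's proposal and preference
    order, that the responder can run (a set of (encr, integ, dh))."""
    for p in offered:
        for combo in product(*(p[t] for t in TYPES)):
            if combo in supported:
                return combo
    return None

# Constructed sample labels, not IKEv2 transform identifiers.
AES, TDES, SHA1, MD5 = "AES", "3DES", "HMAC-SHA1", "HMAC-MD5"
G2, G14 = "DH-group-2", "DH-group-14"
def demo():
    # Dan's arithmetic: 2 ciphers x 2 MACs x 2 DH groups = 8 suites in one proposal.
    flexible = [a_la_carte([AES, TDES], [SHA1, MD5], [G2, G14])]
    n = combinations(flexible[0])
    # Hardware initiator with two fixed suites meets a software peer that
    # lacks G14: its second proposal is the one that matches.
    hw = [(AES, SHA1, G14), (TDES, MD5, G2)]
    soft = software_suites([AES, TDES], [SHA1, MD5], [G2])
    hw_init = responder_choice(hardware_suites(hw), soft)
    # Software initiator offers all 8; the hardware responder skips the
    # first combination (AES+SHA1+G2, which it cannot run) and picks the next.
    soft_init = responder_choice(flexible, set(hw))
    return n, hw_init, soft_init
```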