RE: suites vs. a la carte and IPcomp in IKEv2-05



On Sun, 2 Mar 2003, Andrew Krywaniuk wrote:
> >Cipher suites are important if you want security according to your
> >needs/requirements and a la carte proposals are important for interop.
> 
> Well actually I was thinking pretty much the opposite. Cipher suites are
> important for interop and a la carte proposals are important if you want
> security according to your needs/requirements.

I think the missing word that explains this difference in outlook is
"standardized".  *In the absence* of *standardized* suites, flexibility is
important for successful interop.  However, clearly the right way to do
interop-with-the-world is to have a standardized suite, or at most a few
such suites, so everybody knows what to do to interoperate.

The current a la carte world has widespread interop capability mostly
because there is wide implicit agreement on one or two suites.  The IPsec
specifications themselves have far too much unnecessary flexibility and
provide far too little guidance about preferred choices.  (Back when I was
with the FreeS/WAN project, we made a first attempt at remedying this with
our "IKE Implementation Issues" informational-RFC draft, but the draft 
appears to have fallen down the crack caused by my departure.)

                                                          Henry Spencer
                                                       henry@spsystems.net