RE: suites vs. a la carte and IPcomp in IKEv2-05



>>>>> "Andrew" == Andrew Krywaniuk <askrywan@hotmail.com> writes:

 >> Cipher suites are important if you want security according to your
 >> needs/requirements and a la carte proposals are important for
 >> interop.

 Andrew> Well actually I was thinking pretty much the
 Andrew> opposite. Cipher suites are important for interop and a la
 Andrew> carte proposals are important if you want security according
 Andrew> to your needs/requirements

Maybe, maybe not.  I once implemented IPsec for a router; it offered
suites at the UI level.  It came standard with 3 suites
(authentication only; auth + encrypt DES, auth + encrypt 3DES).  The
only reason it was 3 and not 2 is because of the mistaken insistence
in the existing specs that DES is required.  There was also an ability
to add suites; I don't think this was ever used by customers.  We told
them "use the auth + 3DES suite" and that was the end of the
discussion.

So I think a small number of suites, perhaps more than the number of
thumbs on your hand but fewer than your fingers, is ample for
"security according to your needs/requirements".  The standards have
WAY too much flexibility to no practical benefit.

	paul