RE: suites vs. a la carte and IPcomp in IKEv2-05
>>>>> "Andrew" == Andrew Krywaniuk <askrywan@hotmail.com> writes:
>> Cipher suites are important if you want security according to your
>> needs/requirements and a la carte proposals are important for
>> interop.
Andrew> Well actually I was thinking pretty much the
Andrew> opposite. Cipher suites are important for interop and a la
Andrew> carte proposals are important if you want security according
Andrew> to your needs/requirements
Maybe, maybe not. I once implemented IPsec for a router; it offered
suites at the UI level. It came standard with 3 suites
(authentication only; auth + encrypt DES, auth + encrypt 3DES). The
only reason it was 3 and not 2 is because of the mistaken insistence
in the existing specs that DES is required. There was also an ability
to add suites; I don't think this was ever used by customers. We told
them "use the auth + 3DES suite" and that was the end of the
discussion.
So I think a small number of suites, perhaps more than the number of
thumbs on your hand but fewer than your fingers, is ample for
"security according to your needs/requirements". The standards have
WAY too much flexibility to no practical benefit.
paul