Re: suites vs. a la carte and IPcomp in IKEv2-05
Dan Harkins <dharkins@tibernian.com> writes:
> already seeing. IKEv2-02 also had the complex ANDing and ORing that I
> think we should get rid of. Why not just have a single SA payload that
> contains TLVs for each of the necessary attributes? Multiple occurrences
> of an attribute mean "I'll do either" (as it was in IKEv2-02 even though
> I doubt that would be used much if ever).
While I agree with everything else you said about 02 vs 05 (cut from
this reply), I do need to add that the one argument I heard that
implies AND and OR are necessary in an a la carte system is for
hardware deployments that support multiple algorithms but NOT in
arbitrary combinations. For example, a hardware implementation that
ONLY supports 3DES with MD5, or AES with SHA-1...
Granted, this is probably a rare occurrence, but I've heard this
argument from a few people over the years so I have no reason to
ignore it. In order to support this architecture you need some
mechanism to negotiate pseudo-suites. It's rare, and obviously in a
software implementation you don't need to worry about it. However, if
we wish to support specialized hardware implementations we do kind of
need this mechanism.
-derek
--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com
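The negotiation problem the message describes, as an added illustration that is not part of the thread and not the IKEv2 payload encoding: a suite is an AND of one value per attribute type, a proposal is an OR of suites, and the flat a-la-carte form ("multiple occurrences mean either") implies the full cross product of the listed values. The suite names, attribute types and both peers' preference lists below are constructed for the example. Running it shows that the hardware's two supported combinations cannot be encoded losslessly in the flat form, and that a peer matching against the flat form can select a combination the hardware never offered.

```python
"""Pseudo-suites (AND of attributes, OR of suites) vs. flat a-la-carte
attribute lists. Constructed example; structures are hypothetical."""
from itertools import product

# A suite: attribute type -> one value (AND across types).
# A proposal: list of suites in preference order (OR across suites).


def flat_to_suites(flat):
    """Expand a flat a-la-carte proposal into every suite it implies.

    flat maps attribute type -> list of acceptable values. Since each
    extra occurrence means "either", every combination is implied.
    """
    types = list(flat)
    return [dict(zip(types, combo))
            for combo in product(*(flat[t] for t in types))]


def suites_to_flat(suites):
    """Collapse a suite list into the flat form, losing the AND structure."""
    flat = {}
    for s in suites:
        for t, v in s.items():
            flat.setdefault(t, [])
            if v not in flat[t]:
                flat[t].append(v)
    return flat


def flat_is_lossless(suites):
    """True if the flat encoding of these suites implies exactly these suites.

    For hardware that supports only specific combinations this is False:
    the implied cross product admits combinations it cannot run.
    """
    implied = flat_to_suites(suites_to_flat(suites))
    return ({frozenset(s.items()) for s in implied}
            == {frozenset(s.items()) for s in suites})


def negotiate(initiator, responder):
    """Pick the first suite in initiator order that the responder also lists."""
    accepted = {frozenset(s.items()) for s in responder}
    for s in initiator:
        if frozenset(s.items()) in accepted:
            return s
    return None


# Constructed scenario from the message: hardware that supports ONLY
# 3DES with MD5 or AES with SHA-1, never the cross combinations.
HARDWARE_SUITES = [
    {"encr": "3DES", "integ": "HMAC-MD5"},
    {"encr": "AES", "integ": "HMAC-SHA1"},
]

# Constructed software peer preferring the two cross combinations first.
SOFTWARE_SUITES = [
    {"encr": "AES", "integ": "HMAC-MD5"},
    {"encr": "3DES", "integ": "HMAC-SHA1"},
    {"encr": "AES", "integ": "HMAC-SHA1"},
]


def demo():
    """Return (suites implied by the flat form, lossless?,
    structured outcome, flat outcome)."""
    flat_hw = flat_to_suites(suites_to_flat(HARDWARE_SUITES))
    structured = negotiate(SOFTWARE_SUITES, HARDWARE_SUITES)
    flat_choice = negotiate(SOFTWARE_SUITES, flat_hw)
    return len(flat_hw), flat_is_lossless(HARDWARE_SUITES), structured, flat_choice


if __name__ == "__main__":
    count, lossless, structured, flat_choice = demo()
    print("flat form implies", count, "suites; lossless:", lossless)
    print("structured negotiation picks:", structured)
    print("flat negotiation picks:", flat_choice, "(not supported by hardware)")
```

With the structured proposal the peers agree on AES with SHA-1, the only overlap in the hardware's real capability. With the flat form the hardware's two suites become four implied combinations, and the peer's first preference, AES with MD5, matches one the hardware cannot run; the responder then has to reject it or, if it does not re-check the combination, ends up with an SA it cannot process.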