
Re: suites vs. a la carte and IPcomp in IKEv2-05



Dan Harkins <dharkins@tibernian.com> writes:

> already seeing. IKEv2-02 also had the complex ANDing and ORing that I
> think we should get rid of. Why not just have a single SA payload that
> contains TLVs for each of the necessary attributes? Multiple occurrences
> of an attribute mean "I'll do either" (as it was in IKEv2-02 even though
> I doubt that would be used much if ever).

While I agree with everything else you said about 02 vs 05 (cut from
this reply), I do need to add that the one argument I heard that
implies AND and OR are necessary in an a la carte system is for
hardware deployments that support multiple algorithms but NOT in
arbitrary combinations.  For example, a hardware implementation that
ONLY supports 3DES with MD5, or AES with SHA-1...

Granted, this is probably a rare occurrence, but I've heard this
argument from a few people over the years so I have no reason to
ignore it.  In order to support this architecture you need some
mechanism to negotiate pseudo-suites.  It's rare, and obviously in a
software implementation you don't need to worry about it.  However if
we wish to support specialized hardware implementations we do kind of
need this mechanism.

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com
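The pseudo-suite problem Derek raises can be made concrete with a small model. The following Python is an added illustration, not code from this thread or from any IKEv2 implementation, and it is not the wire format: it models a flat "repeats mean either" attribute list against a list of proposals where attributes are ANDed inside a proposal and the responder chooses one proposal (OR across them). The hardware capability set, the attribute labels ENCR and INTEG, and the peer's preference list are all constructed for the example.

```python
"""Toy model of SA-payload expressiveness (illustrative, not the IKEv2 wire format).

Two encodings of the same capability set are compared:

  * flat    : one value list per attribute type; repeated values mean "either",
              so the pairing between attributes cannot be expressed.
  * grouped : a list of proposals; attributes inside a proposal are ANDed,
              and the peer selects exactly one proposal (OR across them).
"""
from itertools import product

# Constructed example: a hardware engine that implements exactly two
# cipher/integrity pairings.  The names are illustrative labels, not IANA values.
HARDWARE_PAIRS = frozenset({("3DES", "MD5"), ("AES", "SHA-1")})
ATTRS = ("ENCR", "INTEG")  # attribute types, in the order used for the tuples


def flat_offer(pairs):
    """Encode supported pairs as one flat attribute set; pairing information is lost."""
    offer = {attr: [] for attr in ATTRS}
    for combo in sorted(pairs):
        for attr, value in zip(ATTRS, combo):
            if value not in offer[attr]:
                offer[attr].append(value)
    return [offer]  # a flat payload can only ever carry this single proposal


def grouped_offer(pairs):
    """Encode each supported pairing as its own proposal (AND inside, OR across)."""
    return [{attr: [value] for attr, value in zip(ATTRS, combo)}
            for combo in sorted(pairs)]


def permitted_combinations(proposals):
    """Every (ENCR, INTEG) tuple a peer may legitimately select from an offer."""
    allowed = set()
    for proposal in proposals:
        allowed.update(product(*(proposal[attr] for attr in ATTRS)))
    return frozenset(allowed)


def responder_choice(proposals, preference):
    """Return the first combination, in the peer's preference order, that the offer permits.

    None means nothing matched, i.e. the peer would reject the proposal set.
    """
    allowed = permitted_combinations(proposals)
    for combo in preference:
        if combo in allowed:
            return combo
    return None


def negotiation_outcome(offer, peer_preference, hardware=HARDWARE_PAIRS):
    """Simulate one exchange and report whether the chosen SA is usable by the hardware."""
    chosen = responder_choice(offer, peer_preference)
    return {"chosen": chosen, "usable": chosen in hardware}


# A software peer that happens to prefer 3DES with SHA-1 (constructed preference list).
PEER_PREFERENCE = [("3DES", "SHA-1"), ("AES", "SHA-1"), ("3DES", "MD5"), ("AES", "MD5")]

if __name__ == "__main__":
    for name, offer in (("flat", flat_offer(HARDWARE_PAIRS)),
                        ("grouped", grouped_offer(HARDWARE_PAIRS))):
        print(name, sorted(permitted_combinations(offer)),
              negotiation_outcome(offer, PEER_PREFERENCE))
```

Running it shows the flat encoding advertising four combinations when the hardware supports two, so a peer that prefers 3DES with SHA-1 picks an SA the hardware cannot run; the grouped encoding advertises exactly the supported set and the same peer lands on AES with SHA-1.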