
Re: suites vs. a la carte and IPcomp in IKEv2-05



At 2:08 PM -0500 3/10/03, Derek Atkins wrote:
>Dan Harkins <dharkins@tibernian.com> writes:
>
>>  already seeing. IKEv2-02 also had the complex ANDing and ORing that I
>>  think we should get rid of. Why not just have a single SA payload that
>>  contains TLVs for each of the necessary attributes? Multiple occurrences
>>  of an attribute mean "I'll do either" (as it was in IKEv2-02 even though
>>  I doubt that would be used much if ever).
>
>While I agree with everything else you said about 02 vs 05 (cut from
>this reply), I do need to add that the one argument I heard that
>implies AND and OR are necessary in an a la carte system is for
>hardware deployments that support multiple algorithms but NOT in
>arbitrary combinations.  For example, a hardware implementation that
>ONLY supports 3DES with MD5, or AES with SHA-1...

One of the early goals for IKEv2 was simplicity. Doing AND and OR 
moves sharply away from that. Dan's proposal above would be much 
simpler to implement.

--Paul Hoffman, Director
--VPN Consortium
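
The trade-off argued over in this thread, as an added sketch that is not part of the original message or of any IKEv2 draft: it models a flat SA payload (a repeated attribute means "either") and an OR-of-AND proposal list as plain Python data, with the thread's 3DES/MD5 and AES/SHA-1 hardware as the initiator. The attribute labels, function names and the responder's preference order are assumptions made for illustration; nothing here is wire format.

```python
from itertools import product

# Constructed from the thread's example: hardware that does ONLY
# 3DES with MD5, or AES with SHA-1.
HW_COMBOS = {("3DES", "MD5"), ("AES", "SHA1")}

# Constructed responder: software that can do any pairing, in this order.
RESPONDER_PREF = [("AES", "MD5"), ("AES", "SHA1"), ("3DES", "MD5"), ("3DES", "SHA1")]


def flat_offer(combos):
    """One SA payload: attribute -> values; repeats mean "I'll do either"."""
    encr, integ = [], []
    for e, i in sorted(combos):
        if e not in encr:
            encr.append(e)
        if i not in integ:
            integ.append(i)
    return {"ENCR": encr, "INTEG": integ}


def flat_acceptable(offer):
    """A flat offer cannot link attributes, so it implies the full cross product."""
    return set(product(offer["ENCR"], offer["INTEG"]))


def grouped_offer(combos):
    """OR of AND-groups: each proposal pins one value per attribute."""
    return [{"ENCR": e, "INTEG": i} for e, i in sorted(combos)]


def grouped_acceptable(proposals):
    return {(p["ENCR"], p["INTEG"]) for p in proposals}


def respond(acceptable, responder_pref):
    """Responder returns its most preferred offered combination, or None."""
    for combo in responder_pref:
        if combo in acceptable:
            return combo
    return None


def negotiate(acceptable):
    """Return (chosen combination, whether the initiator's hardware can run it)."""
    chosen = respond(acceptable, RESPONDER_PREF)
    return chosen, chosen in HW_COMBOS


if __name__ == "__main__":
    flat = flat_acceptable(flat_offer(HW_COMBOS))
    print("flat offer also permits:", sorted(flat - HW_COMBOS))
    print("flat negotiation:", negotiate(flat))
    print("grouped negotiation:", negotiate(grouped_acceptable(grouped_offer(HW_COMBOS))))
```
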