[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: suites vs. a la carte and IPcomp in IKEv2-05

To: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Subject: Re: suites vs. a la carte and IPcomp in IKEv2-05
From: Derek Atkins <derek@ihtfp.com>
Date: 10 Mar 2003 21:21:44 -0500
Cc: ipsec@lists.tislabs.com
In-Reply-To: <p0521051fba92bda5682d@[63.202.92.157]>
References: <200303061917.h26JH1ma000279@fatty.lounge.org><sjmsmtv9gzb.fsf@kikki.mit.edu><p0521051fba92bda5682d@[63.202.92.157]>
Sender: owner-ipsec@lists.tislabs.com
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7

Paul Hoffman / VPNC <paul.hoffman@vpnc.org> writes:

> At 2:08 PM -0500 3/10/03, Derek Atkins wrote:
> >Dan Harkins <dharkins@tibernian.com> writes:
> >
> >>  already seeing. IKEv2-02 also had the complex ANDing and ORing that I
> >>  think we should get rid of. Why not just have a single SA payload that
> >>  contains TLVs for each of the necessary attributes? Multiple occurances
> >>  of an attribute mean "I'll do either" (as it was in IKEv2-02 even though
> >>  I doubt that would be used much if ever).
> >
> >While I agree with everything else you said about 02 vs 05 (cut from
> >this reply), I do need to add that the one argument I heard that
> >implies AND and OR are necessary in an a la carte system is for
> >hardware deployments that support multiple algorithms but NOT in
> >arbitrary combinations.  For example, a hardware implementation that
> >ONLY supports 3DES with MD5, or AES with SHA-1...
> 
> One of the early goals for IKEv2 was simplicity. Doing AND and OR
> moves sharply away from that. Dan's proposal above would be much
> simpler to implement.

That's fine.  I have no specific, personal objection to leaving out
the AND and OR functionality.  I was just pointing out that there
were reasonable reasons to have such functionality.

If we DO decide to leave it out in the name of simplicity we should at
least add some text that shows that we thought about this issue.  I
would propose something like:

  Certain hardware architectural implementations may only support
  limited combinations of algorithms.  For example, a piece of
  hardware may only support 3DES+MD5 or AES+SHA1, but there is no way
  to actually negotiate for one or the other combinations.  The
  working group acknowledges this limitation, but decided in favor of
  the simplicity of ruling out such architectures.

> --Paul Hoffman, Director
> --VPN Consortium

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek@ihtfp.com             www.ihtfp.com

Follow-Ups:
- Re: suites vs. a la carte and IPcomp in IKEv2-05
  - From: Tylor Allison <allison@securecomputing.com>

References:
- Re: suites vs. a la carte and IPcomp in IKEv2-05
  - From: Dan Harkins <dharkins@tibernian.com>
- Re: suites vs. a la carte and IPcomp in IKEv2-05
  - From: Derek Atkins <derek@ihtfp.com>
- Re: suites vs. a la carte and IPcomp in IKEv2-05
  - From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>

Prev by Date: Re: comments on ikev2 05 (cryptography)
Next by Date: Re: SPI in Delete Payload of IKE / IKEv2
Prev by thread: Re: suites vs. a la carte and IPcomp in IKEv2-05
Next by thread: Re: suites vs. a la carte and IPcomp in IKEv2-05
Index(es):
- Date
- Thread