
Re: proposed changes to ISAKMP/Oakley



Daniel Harkins writes:
> > I would agree that group-parameter attributes should be forbidden for the
> > standard groups.
> That is exactly it! If the group is known by a Group Descriptor (whether 
> because it's one defined in the draft-- there are now 4 groups-- or whether
> it's one you have via New Group Mode-- then that's all you use to
> identify it.

I was thinking about doing implicit new group mode negotiation when
negotiating the Isakmp SA when defining the group by its component
parts. Then it would be easier if I could use the same group also in
phase II directly. Now I have to do following:

	1) Negotiate Isakmp SA with group(modp, 2, p)
	2) Make new group mode negotiation to renegotiate group(modp,
	   2, p) and give it private group number 52312.
	3) Start Quick mode negotiation using group 52312.

If the group descriptor number is also allowed when negotiating the
Isakmp SA, then it would go like this:

	1) Negotiate Isakmp SA with group(modp, 2, p) and give it
	   private group number 52312.
	2) Start Quick mode negotiation using group 52312.

I agree that sending ANY parameters for any standard group should be
considered an error. I.e. I would not change it to forbid the group
descriptor when there are parameters; I would change it to forbid the
group parameters when the group descriptor is not a private group.

> Perhaps if I quote the draft you can tell me if it's unclear. In the section
> that describes the attributes that must be negotiated in phase 1 it says:
> 
> 	"The Diffie-Hellman group MUST be either specified using a defined 
> 	 group description (section 6) or by defining all attributes of a 
> 	 group (section 5.7). Group attributes (such as group type or 
> 	 prime-- see Appendix A) MUST NOT be offered in conjunction with a 
> 	 previously defined group."

So this forbids having any group attributes when using a predefined
group. I assume that the predefined group here means the groups
defined in the draft (or reserved by the draft, i.e. 1-32767)?
-- 
kivinen@iki.fi		              	     Work : +358-9-4354 3205
Magnus Enckellin kuja 9 K 19, 02610, Espoo   Home : +358-9-502 1573
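The rule proposed above, "forbid group parameters unless the group descriptor is a private group", modelled as a receiver-side check on a phase 1 proposal, followed by the two-step flow (private group 52312 defined implicitly in phase 1, then named by descriptor alone in quick mode). This is an added example, not code from the original message or from any ISAKMP implementation; it assumes the private descriptor range starts at 32768 (the message only says 1-32767 is reserved), uses attribute names rather than the draft's attribute numbers, and the prime value is a constructed placeholder.

```python
# Model of the phase-1 group-attribute rule proposed in the message above:
# group parameters are an error with any standard or reserved descriptor,
# and with a private descriptor they implicitly define that private group.

STANDARD_GROUPS = {1, 2, 3, 4}      # the four groups defined in the draft
PRIVATE_MIN = 32768                 # assumption: 1-32767 reserved, rest private
GROUP_PARAMS = ("group_type", "group_generator", "group_prime")  # group(modp, 2, p)


class GroupRegistry:
    """Groups usable by descriptor: the standard ones plus any learned in phase 1."""

    def __init__(self):
        self.groups = {g: None for g in STANDARD_GROUPS}

    def check_phase1(self, attrs):
        """Return 'ok' (registering an implicitly defined private group)
        or an error string describing the violation."""
        desc = attrs.get("group_description")
        params = {k: attrs[k] for k in GROUP_PARAMS if k in attrs}
        if desc is None:
            # Group given only by its component parts (the three-step flow).
            if len(params) != len(GROUP_PARAMS):
                return "error: neither a group description nor a complete group"
            return "ok"
        if not params:
            return "ok" if desc in self.groups else f"error: unknown group {desc}"
        if desc < PRIVATE_MIN:
            return f"error: parameters sent with standard/reserved group {desc}"
        if desc in self.groups:
            return f"error: parameters sent with already defined group {desc}"
        if len(params) != len(GROUP_PARAMS):
            return f"error: incomplete definition of private group {desc}"
        self.groups[desc] = params      # implicit New Group Mode
        return "ok"

    def check_quick_mode(self, desc):
        """Quick mode (phase 2) names a group by descriptor only."""
        return "ok" if desc in self.groups else f"error: unknown group {desc}"


if __name__ == "__main__":
    reg = GroupRegistry()
    p = 0xFFFFFFFFFFFFFFFFC90FDAA2          # constructed placeholder, not a real prime
    proposal = {"group_description": 52312, "group_type": "modp",
                "group_generator": 2, "group_prime": p}
    print(reg.check_phase1(proposal))                                    # ok
    print(reg.check_quick_mode(52312))                                   # ok
    print(reg.check_phase1({"group_description": 2, "group_prime": p}))  # error
```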

