[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Proposal for new DH Groups 6, 7, and 8



Since there are, apparently, no known EC-based working implementations
of IPsec, maybe we should make sure the folks who are thinking about
this have some implementation experience.

I would assume this means the usual suspects, like Certicom and SSH, could be
asked how this stuff is working out.

Throwing more magic numbers into a document set that's been discussed as
too complex seems debatable, at least without feedback from implementors.

Who out there has investigated EC with IPsec (and can talk about it?)
I said 'investigated', not 'shipped' -- I realize this is essentially a
research topic at this point.


At 09:55 AM 2/7/00 -0500, Yuri Poeluev wrote:
>Will Price wrote:
>
>> Sounds fine to me.  I'm far more concerned with reaching agreement on
>> larger primes and getting ID numbers assigned than in which primes get
>> used.
>>
>> It was also pointed out off the list that there is an existing draft for
>> 6, 7, 8, and 9 in the EC space.  Thus, these DH primes should be 10, 11,
>> and 12.
>>
>> So, let's move this forward.  Do you want to write those primes up as a
>> draft or can Dan include them in the next IKE-01 draft?
>>
>> Tero Kivinen wrote:
>> >
>> > Will Price writes:
>> > > I would like to propose three new DH Groups for IKE of 2048, 3072, and
>> > > 4096 bits.  This should adequately cover all foreseeable future needs.
>> I
>> > > have included documentation on the generation of these primes which
>> were
>> > > originally generated for PGPfone, and there is an interesting story
>> about
>> > > how they were generated at the end of this message.
>> >
>> > I think those primes should be generated in the same way the primes
>> > currently in the IKE are generated, i.e to have format of
>> > [... alternate primes...]
>>
>> --
>>
>> Will Price, Director of Engineering
>> PGP Security, Inc.
>> a division of Network Associates, Inc.
>> Direct  (408)346-5906
>> Cell/VM (650)533-0399
>
>Hi,
>
>Yes, there is an existing draft for EC groups labed #6, 7, 8, 9 -
draft-ietf-ipsec-ike-ecc-groups-01.txt
>Dan, the above draft has been available for a while, and if there are no
comments,
>we should proceed to publishing it as an RFC, or include the groups
>(along with the new proposed DH groups) in the next IKE draft.
>What does everyone else think?
>
>Thanks,
>Yuri Poeluev
>Certicom Corp.
>



References: