[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Interoperability (was: Death to AH?)
>>>>> "Dan" == Dan Harkins <dharkins@cips.nokia.com> writes:
Dan> On Fri, 02 Jun 2000 16:05:43 EDT you wrote
>> You mention several other problems. Perhaps you could start your
>> own thread on them :)'
>>
>> Gee I don't liek the way IKE doesn't really define approaches for
>> lifetimes for the ISAKMP SA. Results in interop challenges......
Dan> Here we go again Bob....
Dan> Quite a while ago I attempted to define an approach to deal with
Dan> things like lifetimes and key lengths and other attributes that
Dan> do not have a simple boolean acceptance criteria and
Dan> failed. There was no consensus. But I'm willing to try again:
Dan> If someone offers you a keylength for a variable-keylenght
Dan> cipher which is greater than or equal to what you have
Dan> configured, accept it. If it's less reject it.
I'd support that.
Dan> If someone offers you a lifetime which is less than or equal to
Dan> what you have configured, accept it. If it's more reject it.
I'd support that too.
Dan> The hardest one though is the Diffie-Hellman group. I know of
Dan> quite a few people that will accept group 5 (and reject group 1)
Dan> if they're configured for group 2 but even saying that an
Dan> implementation SHOULD do that seemed to be too much for enough
Dan> people to kill it.
Hm. Weird. Could we try that one again and see why this is?
Dan> And where in the scale do you add new groups
Dan> or groups of different types-- elliptic curve vs. prime modulus?
I think you have to leave that one out. The reason is that, unlike
all the other examples, there is no clear order among these. That
indeed is the problem with the group number: it only has a partial
order.
paul
Follow-Ups:
References: