
Re: IKEv2 stuff.. Re: More MODP Diffie-Hellman groups for IKE

>>>>> "Ari" == Ari Huttunen <Ari.Huttunen@F-Secure.com> writes:
    Ari> 40000 + number of bits in the group.

    Ari> It would be nice to have officially assigned numbers, though.
    Ari> Especially since you cannot negotiate this by having a VID, since
    Ari> they are used in the first message.

    Ari> The same restriction applies to the.. dare I say it?.. here goes..
    Ari> X-Auth authentication type. There's no way to negotiate its usage
    Ari> by using a VID. Our new software version sends this automatically,
    Ari> and a couple of vendors whose software refused any connection when
    Ari> they received an attribute they didn't understand, agreed to change
    Ari> their software so that it skips a transform it doesn't fully understand
    Ari> and tries to match the next transform.

    Ari> The current RFCs do not state what to do when something like this
    Ari> happens.. i.e. an unknown attribute is received in a transform payload.

  I thought that you are supposed to ignore proposals that you do not
understand. Where "understand" means either that you match:
	    assigned #,
	    (VID, private#)

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [
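As an added example, not code from this posting or from any of the vendors mentioned, the toy responder below shows the two behaviours the thread contrasts: refusing the whole exchange when any transform carries an attribute the responder does not recognise, versus skipping that transform and trying the next one. A group number counts as "understood" either because it is an officially assigned MODP group or because the peer sent a Vendor ID that fixes the meaning of a private-use number (the "40000 + bits" convention quoted above). The attribute type constants, the Vendor ID string, the unknown attribute type 16400 and the sample transforms are constructed for illustration; only the 40000 + bits convention comes from the thread.

```python
"""Transform selection for an IKE Phase 1 responder (added example).

Two policies are shown: the strict one that aborts the negotiation on any
unrecognised attribute, and the lenient one that skips the offending
transform and keeps matching.  All numbers and strings below are
constructed for the example except the 40000 + bits convention.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Phase 1 attribute types this toy responder understands (constructed subset).
ATTR_ENCRYPTION = 1
ATTR_HASH = 2
ATTR_AUTH_METHOD = 3
ATTR_GROUP = 4
KNOWN_ATTR_TYPES = {ATTR_ENCRYPTION, ATTR_HASH, ATTR_AUTH_METHOD, ATTR_GROUP}

# Officially assigned MODP groups this responder implements (group id -> bits).
ASSIGNED_GROUPS = {2: 1024, 5: 1536, 14: 2048}

# Private-use group ids are only meaningful next to a Vendor ID that names the
# numbering convention.  EXAMPLE_VID is a constructed placeholder standing for
# such a VID; the convention itself is the "40000 + bits" one from the thread.
PRIVATE_USE_LOW, PRIVATE_USE_HIGH = 32768, 65535
EXAMPLE_VID = b"EXAMPLE-VID-modp-40000-plus-bits"
SUPPORTED_PRIVATE_BITS = {1024, 1536, 2048, 3072, 4096, 6144, 8192}


def decode_40000_plus_bits(group: int) -> Optional[int]:
    """Return the modulus size for a '40000 + bits' group id, or None."""
    bits = group - 40000
    return bits if bits in SUPPORTED_PRIVATE_BITS else None


PRIVATE_GROUP_CONVENTIONS = {EXAMPLE_VID: decode_40000_plus_bits}


@dataclass
class Transform:
    number: int
    attributes: Dict[int, int]  # attribute type -> value


def group_is_understood(group: int, peer_vids: Set[bytes]) -> bool:
    """An assigned id, or (VID, private id) where the VID was actually sent."""
    if group in ASSIGNED_GROUPS:
        return True
    if PRIVATE_USE_LOW <= group <= PRIVATE_USE_HIGH:
        for vid, decode in PRIVATE_GROUP_CONVENTIONS.items():
            if vid in peer_vids and decode(group) is not None:
                return True
    return False


def transform_is_understood(t: Transform, peer_vids: Set[bytes]) -> bool:
    """False as soon as any attribute type or group value is unrecognised."""
    for attr_type, value in t.attributes.items():
        if attr_type not in KNOWN_ATTR_TYPES:
            return False
        if attr_type == ATTR_GROUP and not group_is_understood(value, peer_vids):
            return False
    return True


def select_transform_strict(transforms: Iterable[Transform],
                            peer_vids: Set[bytes]) -> Optional[int]:
    """Refuse the whole proposal if any transform is not fully understood."""
    transforms = list(transforms)
    if not transforms or not all(transform_is_understood(t, peer_vids) for t in transforms):
        return None
    return transforms[0].number


def select_transform_lenient(transforms: Iterable[Transform],
                             peer_vids: Set[bytes]) -> Optional[int]:
    """Skip transforms with unknown attributes; accept the first understood one."""
    for t in transforms:
        if transform_is_understood(t, peer_vids):
            return t.number
    return None


# Constructed sample proposal: transform 1 carries an attribute type the
# responder has never seen, transform 2 uses a private-use group id under the
# 40000 + bits convention, transform 3 uses assigned group 2.
UNKNOWN_ATTR_TYPE = 16400
SAMPLE_TRANSFORMS = [
    Transform(1, {ATTR_GROUP: 2, UNKNOWN_ATTR_TYPE: 1}),
    Transform(2, {ATTR_GROUP: 41024}),
    Transform(3, {ATTR_GROUP: 2}),
]

if __name__ == "__main__":
    print("strict, no VID :", select_transform_strict(SAMPLE_TRANSFORMS, set()))
    print("lenient, no VID:", select_transform_lenient(SAMPLE_TRANSFORMS, set()))
    print("lenient, VID   :", select_transform_lenient(SAMPLE_TRANSFORMS, {EXAMPLE_VID}))
```

With the strict policy the sample proposal fails outright because of transform 1; the lenient policy picks transform 3 when no Vendor ID was seen and transform 2 once the peer has announced the private-group convention, which is the (VID, private#) match the reply above describes.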

