Stephen Kent writes:
> I agree with your observation that it would be unsafe to accept such 
> a group simply as a result of negotiation. What I want is the ability 
> for a community to accept a given group, a priori, and be able to 
> tell one another that the group they previously agreed to use is the 
> one to use for a given SA.

This can be achieved by the private number space groups. Also note
that the current draft does say:
3.3.4 Mandatory Transform IDs
   It is likely that IANA will add additional transforms in the future,
   and some users may want to use private suites, especially for IKE
   where implementations should be capable of supporting different
   parameters, up to certain size limits. In support of this goal, all
   implementations of IKEv2 SHOULD include a management facility that
   allows specification (by a user or system administrator) of Diffie-
   Hellman parameters (the generator, modulus, and exponent lengths and
   values) for new DH groups. Implementations SHOULD provide a
   management interface via which these parameters and the associated
   transform IDs may be entered (by a user or system administrator), to
   enable negotiating such groups.

I.e., implementations SHOULD have the capability to input those private
groups to the system.

> The problem my clients have encountered is that vendors generally 
> provide NO management interface to enter the parameters for private 
> groups. Thus the existence of this facility has, in effect, been 

I think most of them do not provide the management interface, because
they do not provide any way to use private groups at all. Now this
management interface is "SHOULD", so hopefully more people will
implement it. It is also much easier to implement only the adding of
new groups without the capability of sending the group parameters on
the wire, so hopefully more implementations will follow this "SHOULD".

> useless.  However, if we mandated in IKEv2 that a management 
> interface MUST be present to configure private groups, which can then 
> be referenced as you note above, I think that would suffice.

I am fine with MUST too, but I think SHOULD is enough. For some very
small boxes they might want to limit to only one group or
something, and they might not have any configuration interface at
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/
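The management facility that section 3.3.4 describes, as an added example (not code from this message, the draft, or any IKE implementation): an administrator registers a private-use group (modulus, generator, exponent length) under a private transform ID a priori, and a later SA proposal is accepted only if it references an already registered ID. The parameters are checked before acceptance, so a mistyped or weak group never reaches the wire. The class and function names, the 1024-65535 private-use range for DH transform IDs, and the 2048-bit policy floor are my assumptions for this example.

```python
import random

PRIVATE_ID_MIN, PRIVATE_ID_MAX = 1024, 65535  # assumed IANA private-use range for DH transform IDs

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test (a composite passes with prob. <= 4**-rounds)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

class PrivateGroupRegistry:
    """Groups are entered by an administrator a priori; SA proposals only carry IDs."""
    def __init__(self, min_modulus_bits=2048):  # assumed local policy floor
        self.min_modulus_bits = min_modulus_bits
        self._groups = {}

    def register(self, transform_id, p, g, exp_bits):
        """Validate and store a private group; raises ValueError on any weak parameter."""
        if not PRIVATE_ID_MIN <= transform_id <= PRIVATE_ID_MAX:
            raise ValueError("transform ID outside the private-use range")
        if p.bit_length() < self.min_modulus_bits:
            raise ValueError("modulus shorter than local policy allows")
        q = (p - 1) // 2                       # require a safe prime p = 2q + 1
        if not (is_probable_prime(p) and is_probable_prime(q)):
            raise ValueError("modulus is not a safe prime")
        if not 2 <= g <= p - 2 or pow(g, q, p) != 1:
            raise ValueError("generator does not generate the order-q subgroup")
        if not 0 < exp_bits <= q.bit_length():
            raise ValueError("bad private exponent length")
        self._groups[transform_id] = (p, g, exp_bits)

    def group_for_proposal(self, transform_id):
        """Return the configured group for a proposed ID, or None to reject the proposal."""
        return self._groups.get(transform_id)
```

A real deployment keeps the default policy floor; the checks are the same, only the constructed small group used for demonstration shrinks.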