
Re: LAST CALL: IKE



At 4:14 PM +0300 6/25/03, Tero Kivinen wrote:
>Stephen Kent writes:
>>  I agree with your observation that it would be unsafe to accept such
>>  a group simply as a result of negotiation. What I want is the ability
>>  for a community to accept a given group, a priori, and be able to
>>  tell one another that the group they previously agreed to use is the
>>  one to use for a given SA.
>
>This can be achieved by the private number space groups. Also note
>that the current draft does say:
>----------------------------------------------------------------------
>3.3.4 Mandatory Transform IDs
>...
>    It is likely that IANA will add additional transforms in the future,
>    and some users may want to use private suites, especially for IKE
>    where implementations should be capable of supporting different
>    parameters, up to certain size limits. In support of this goal, all
>    implementations of IKEv2 SHOULD include a management facility that
>    allows specification (by a user or system administrator) of Diffie-
>    Hellman parameters (the generator, modulus, and exponent lengths and
>    values) for new DH groups. Implementations SHOULD provide a
>    management interface via which these parameters and the associated
>    transform IDs may be entered (by a user or system administrator), to
>    enable negotiating such groups.
>...
>----------------------------------------------------------------------
>
>I.e. implementations SHOULD have capability to input those private
>groups to the system.
>
>>  The problem my clients have encountered is that vendors generally
>>  provide NO management interface to enter the parameters for private
>>  groups. Thus the existence of this facility has, in effect, been
>
>I think most of them do not provide the management interface, because
>they do not provide any way to use private groups at all. Now this
>management interface is "SHOULD", so hopefully more people will
>implement it. It is also much easier to implement only the adding of
>new groups without the capability of sending the group parameters in
>the wire, so hopefully more implementations will follow this "SHOULD".
>
>>  useless.  However, if we mandated in IKEv2 that a management
>>  interface MUST be present to configure private groups, which can then
>>  be referenced as you note above, I think that would suffice.
>
>I am fine with MUST too, but I think SHOULD is enough. For some very
>small boxes they might want to limit to the only one group or
>something, and they might not have any configuration interface at
>all...
>--

Thanks for the explanation. I agree that we have what we need here 
already, and I apologize for not reading closely enough.

Or, as they used to say on SNL "NEVERMIND."

Steve
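As an added example (not code from this thread or from any IKE implementation), a sketch of the sanity checks the management facility described in section 3.3.4 could run on an operator-entered private DH group before the group is accepted for use under its transform ID. It assumes the IKEv2 private-use transform ID range 1024-65535; the minimum modulus and exponent sizes are hypothetical policy values passed as parameters.

```python
import random


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test; exact for very small n."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def validate_private_group(transform_id: int, p: int, g: int, exp_len_bits: int,
                           min_mod_bits: int = 2048, min_exp_bits: int = 224) -> list:
    """Return the list of problems with an operator-entered group; empty means OK.

    The group is accepted only from local configuration, never from the peer,
    so these checks run once when the administrator enters it.
    min_mod_bits / min_exp_bits are assumed local policy values, not spec values.
    """
    problems = []
    if not 1024 <= transform_id <= 65535:  # assumed IKEv2 private-use ID range
        problems.append("transform ID is not in the private-use range 1024-65535")
    if p.bit_length() < min_mod_bits:
        problems.append("modulus is shorter than %d bits" % min_mod_bits)
    if not is_probable_prime(p):
        problems.append("modulus is not prime")
    elif not is_probable_prime((p - 1) // 2):
        problems.append("modulus is not a safe prime (p != 2q+1)")
    elif not 1 < g < p - 1:
        problems.append("generator must lie in 2..p-2")
    elif pow(g, (p - 1) // 2, p) != 1:
        problems.append("generator does not generate the order-q subgroup")
    if not min_exp_bits <= exp_len_bits <= p.bit_length():
        problems.append("exponent length outside %d..%d bits" % (min_exp_bits, p.bit_length()))
    return problems
```

The tiny constructed group p = 23, g = 2 (q = 11) is only for exercising the checks; a real entry would use a modulus of at least the configured minimum size.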