IETF Logo Mail Archive

Re: [IPsec] Beginning discussion on secure password-only authentication for IKEv2

Yoav Nir <ynir@checkpoint.com> Wed, 03 March 2010 08:14 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 827D828C2CD; Wed, 3 Mar 2010 00:14:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y9O8UYwTmzcF; Wed, 3 Mar 2010 00:14:06 -0800 (PST)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by core3.amsl.com (Postfix) with ESMTP id 90A4C28C2D1; Wed, 3 Mar 2010 00:14:03 -0800 (PST)
Received: from il-ex01.ad.checkpoint.com (il-ex01.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id o238E2sd020886; Wed, 3 Mar 2010 10:14:03 +0200 (IST)
X-CheckPoint: {4B8E190C-0-1B201DC2-2FFFF}
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Wed, 3 Mar 2010 10:14:22 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Yaron Sheffer <yaronf@checkpoint.com>
Date: Wed, 03 Mar 2010 10:14:07 +0200
Thread-Topic: [IPsec] Beginning discussion on secure password-only authentication for IKEv2
Thread-Index: Acq6qYdfAdfTFsYcTXS1Qz8cnFDpQw==
Message-ID: <AD12854E-B2EA-454D-9B9B-4646CFAB2DA8@checkpoint.com>
References: <p0624081ac7b20a6459c5@[10.20.30.158]> <3a17cf9ee724023e307fc446a871f9bf.squirrel@www.trepanning.net> <7F9A6D26EB51614FBF9F81C0DA4CFEC801BE05CB56E1@il-ex01.ad.checkpoint.com>
In-Reply-To: <7F9A6D26EB51614FBF9F81C0DA4CFEC801BE05CB56E1@il-ex01.ad.checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: IPsecme WG <ipsec@ietf.org>, "cfrg@irtf.org" <cfrg@irtf.org>, Dan Harkins <dharkins@lounge.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [IPsec] Beginning discussion on secure password-only authentication for IKEv2
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Mar 2010 08:14:09 -0000

Yes, you can sort-of negotiate DH groups, but you don't have the "New Group Mode" that we had in section 5.6 or RFC 2409.

So with RFC 4306, you're stuck with only those groups that appear in the IANA registry, rather than your own pet DH groups.

On Mar 2, 2010, at 10:49 PM, Yaron Sheffer wrote:

> 
> 
> By the way, IKEv2 does allow for negotiation of the DH group using the ugly INVALID_KE_PAYLOAD hack.
> 
> 
>>  RFC 2409 supported negotiation of various parameters, like the group
>> used for the Diffie-Hellman key exchange. That was removed in RFC 4306.
>> All of the candidate exchanges listed in draft-sheffer-ipsecme-pake-
>> criteria do some sort of discrete logarithm cryptography and therefore
>> it would be useful to list whether the candidate algorithm can use
>> any of the groups either negotiated or asserted by IKE(v2).

v2.23.0 | Report a Bug | By Email