IETF Logo Mail Archive

Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve mess (RFC4753, RFC5114, RFC4869, and draft-solinas-rfc4753bis-01)

Tero Kivinen <kivinen@iki.fi> Mon, 21 December 2009 12:05 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@core3.amsl.com
Delivered-To: ipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6DA5F3A689A for <ipsec@core3.amsl.com>; Mon, 21 Dec 2009 04:05:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.577
X-Spam-Level:
X-Spam-Status: No, score=-2.577 tagged_above=-999 required=5 tests=[AWL=0.022, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F0nC5EkRg8EC for <ipsec@core3.amsl.com>; Mon, 21 Dec 2009 04:05:45 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id C38D63A680B for <ipsec@ietf.org>; Mon, 21 Dec 2009 04:05:44 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id nBLC5RF5028368 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 21 Dec 2009 14:05:27 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id nBLC5QAb002247; Mon, 21 Dec 2009 14:05:26 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19247.25734.318539.699760@fireball.kivinen.iki.fi>
Date: Mon, 21 Dec 2009 14:05:26 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Dan Harkins <dharkins@lounge.org>
In-Reply-To: <72a888732545c5066f493228c416d286.squirrel@www.trepanning.net>
References: <19243.32427.247190.77844@fireball.kivinen.iki.fi> <OF1FD3CDFB.F4E96F12-ON85257690.004924DB-85257690.004AD52E@us.ibm.com> <72a888732545c5066f493228c416d286.squirrel@www.trepanning.net>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 4 min
X-Total-Time: 3 min
Cc: ipsec@ietf.org
Subject: Re: [IPsec] IKEv2 Diffie-Hellman Elliptic curve mess (RFC4753, RFC5114, RFC4869, and draft-solinas-rfc4753bis-01)
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Dec 2009 12:05:46 -0000

Dan Harkins writes:
>   The solution of allocating new numbers still doesn't really solve the
> problem because if you receive an KE payload from group 19, 20, or 21
> "you can make your guess whether they also implemented errata or not,
> and act based on that" and that sounds like a recipe for future
> non-interoperability.

As I just noticed we do support RFC4753 without errata in our previous
versions we need to do something on this. What my current plan would
be to make patch that will change implementations to support errata,
and also change the group numbers to new. This means you get no
proposal support or invalid ke payload notification if you try to talk
to old versions supporting groups 19-21. If the policy allows any of
the modp groups then invalid ke payload error cause both ends to move
to modp groups which means implementations can talk to each other, and
if policy only allows those new groups then you get no proposal chosen
and then you need to modify policy to support some common groups. 

>   The IANA registry for these groups is used by more than just IKE(v2)
> and it would be nice if it was coherent and did not make assumption like
> that.

ikev2-parameters IANA registry should not be used for anything else
than IKEv2. 
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email