Re: [IPsec] IKE's DH groups 19-21, NIST, FIPS 140-2, etc.

"Dan Harkins" <dharkins@lounge.org> Fri, 10 July 2009 01:26 UTC

  Hi,

  RFC 5114 claims it defines new ECP groups 19, 20, and 21 for IKE but
so does RFC 4753. Interestingly the curve definitions are different but
the orders are the same (maybe it's just interesting because I don't
understand why). RFC 5114 also defines some new MODP groups but RFC 4753
does not.

  One nice thing about RFC 5114 is that it updates the IANA repositories
for TLS, SSH, and SMIME as well as IKE so these groups can be used by
other IETF protocols that require them. RFC 4753 only defines their use
in IKE.

  If there is no cryptographic difference between ECP curve 19 (20 and 21)
as defined in RFC 5114 and RFC 4753 then can some mention be made in this
draft to that effect? And can it then obsolete RFC 5114 as well as RFC
4753? It just seems strange to have two RFCs defining the same group
differently. And can this I-D also include IANA considerations for TLS,
SSH, and SMIME if it's going to obsolete RFC 5114?

  regards,

  Dan.

On Mon, July 6, 2009 1:15 pm, Russ Housley wrote:
> I think a fix is already in the works:
> https://datatracker.ietf.org/doc/draft-solinas-rfc4753bis/