Yes, you can sort-of negotiate DH groups, but you don't have the "New Group 
Mode" that we had in section 5.6 of RFC 2409.

So with RFC 4306, you're stuck with only those groups that appear in the IANA 
registry, rather than your own pet DH groups.

On Mar 2, 2010, at 10:49 PM, Yaron Sheffer wrote:

> By the way, IKEv2 does allow for negotiation of the DH group using the ugly 
> INVALID_KE_PAYLOAD hack.
> 
>> RFC 2409 supported negotiation of various parameters, like the group
>> used for the Diffie-Hellman key exchange. That was removed in RFC 4306.
>> All of the candidate exchanges listed in
>> draft-sheffer-ipsecme-pake-criteria do some sort of discrete logarithm
>> cryptography and therefore it would be useful to list whether the
>> candidate algorithm can use any of the groups either negotiated or
>> asserted by IKE(v2).

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
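The INVALID_KE_PAYLOAD mechanism mentioned in the quoted message, as an added simulation that is not part of this thread: the initiator guesses a group for its KE payload, the responder answers with INVALID_KE_PAYLOAD naming the group it wants, and the initiator retries. The group numbers, retry cap and class names are assumptions made for the example; the guard that the initiator only accepts a suggested group it actually offered is the check a defender wants against being steered to a weaker group.

```python
"""Simulation of IKEv2 DH-group negotiation via INVALID_KE_PAYLOAD (added example)."""
from dataclasses import dataclass

# IANA IKEv2 Transform Type 4 group numbers used in this constructed policy.
MODP_2048, ECP_256 = 14, 19
MAX_RETRIES = 3  # assumed cap so a misbehaving responder cannot loop us forever


@dataclass
class IkeSaInit:
    groups: list    # DH groups offered in the SA payload, initiator's preference order
    ke_group: int   # group of the KE payload actually sent (the initiator's guess)


@dataclass
class Responder:
    preferred: list  # acceptable groups, most preferred first

    def handle(self, msg):
        chosen = next((g for g in self.preferred if g in msg.groups), None)
        if chosen is None:
            return ("NO_PROPOSAL_CHOSEN", None)
        if chosen != msg.ke_group:
            # KE payload used the wrong group: reject and name the group we want.
            return ("INVALID_KE_PAYLOAD", chosen)
        return ("OK", chosen)


class RogueResponder(Responder):
    """Constructed misbehaving peer that steers the initiator to a group it never offered."""

    def handle(self, msg):
        return ("INVALID_KE_PAYLOAD", 1)  # group 1 (768-bit MODP) is not in any offer here


def negotiate(offered, responder, log):
    """Return the agreed DH group, or None; `log` collects the exchange for inspection."""
    ke_group = offered[0]
    for _ in range(MAX_RETRIES):
        log.append(f"I -> R: IKE_SA_INIT, KE group {ke_group}, offered {offered}")
        status, group = responder.handle(IkeSaInit(offered, ke_group))
        log.append(f"R -> I: {status}" + (f" ({group})" if group is not None else ""))
        if status == "OK":
            return group
        if status != "INVALID_KE_PAYLOAD":
            return None
        if group not in offered:
            # Downgrade guard: the responder may only pick a group from our own proposal.
            log.append(f"I: ignoring suggested group {group}, not in our proposal")
            return None
        ke_group = group  # retry with the responder's chosen group
    return None
```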