Yes, you can sort-of negotiate DH groups, but you don't have the New Group
Mode that we had in section 5.6 of RFC 2409.
So with RFC 4306, you're stuck with only those groups that appear in the IANA
registry, rather than your own pet DH groups.
On Mar 2, 2010, at 10:49 PM, Yaron Sheffer wrote:
Yoav Nir writes:
Yes, you can sort-of negotiate DH groups, but you don't have the
New Group Mode that we had in section 5.6 of RFC 2409.
Yes, that was left out but as it was seen that nobody will accept new
group proposed from unknown party without checking it first, and
checking that the
Hello,
There are other criteria that should be evaluated in making a
decision, such as how well does the solution fit into IKE(v2) and
does it support crypto agility.
RFC 2409 supported negotiation of various parameters, like the group
used for the Diffie-Hellman key exchange. That was
At 12:12 PM -0800 3/2/10, Dan Harkins wrote:
There are other criteria that should be evaluated in making a
decision, such as how well does the solution fit into IKE(v2) and
does it support crypto agility.
...and what we mean by agility. To some, that means in-protocol negotiation
of
] On Behalf
Of Dan Harkins
Sent: Tuesday, March 02, 2010 22:12
To: Paul Hoffman
Cc: IPsecme WG; c...@irtf.org
Subject: Re: [IPsec] Beginning discussion on secure password-only
authentication for IKEv2
Hello,
There are other criteria that should be evaluated in making a
decision, such as how
-boun...@ietf.org] On Behalf Of Dan
Harkins
Sent: Tuesday, March 02, 2010 5:55 PM
To: Paul Hoffman
Cc: IPsecme WG; c...@irtf.org; Dan Harkins
Subject: Re: [IPsec] Beginning discussion on secure password-only
authentication for IKEv2
Hi Paul,
On Tue, March 2, 2010 1:37 pm, Paul
Greetings again. This message is cross-posted to both the IPsecME WG and the
CFRG because it pertains to both groups.
The recently-revised IPsecME charter has a new work item in it:
==
- IKEv2 supports mutual authentication with a shared secret, but this
mechanism is intended for strong