IETF-SSH archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Straw Poll on group name



At the end of this message, you'll find a summary from Tero Kivinen of
the usage by other protocols of the common MODP groups on the saag
list; I think it conclusively demonstrates that every user of the MODP
groups is doing something different.

That only leaves

straw poll:
	[A] we should use small integers to refer to common groups
		[sample] diffie-hellman-group2-sha1

	[B] we should refer to groups by size:
		[sample] diffie-hellman-group2048-sha1

	[C] we should refer to groups by the ike number
		[sample] diffie-hellman-group14-sha1

In your response to the poll, please:
 a) explain the one you prefer and why.
 b) list any options you find unacceptable and explain why.

I'll use this to gauge consensus.
						- Bill


------- Forwarded Message

From: Tero Kivinen <kivinen%iki.fi@localhost>
To: sommerfeld%sun.com@localhost
Cc: saag%mit.edu@localhost
Subject: [saag] naming/use of rfc2412/rfc3526 groups by other protocols
In-Reply-To: <200408252136.i7PLaoOY023143%thunk.east.sun.com@localhost>
References: <200408252136.i7PLaoOY023143%thunk.east.sun.com@localhost>
X-Mailer: VM 7.17 under Emacs 21.3.1
X-Edit-Time: 19 min
X-Total-Time: 29 min
Sender: kivinen%iki.fi@localhost
Content-Length: 2079

Bill Sommerfeld writes:
> rfc2412 (oakley) defines several "MODP" diffie-hellman groups of
> varying sizes in appendix E.  Several larger groups were defined in
> RFC3526.

And their numbers are handled by the IANA registry for the Internet
Key Exchange (IKE) attributes
(http://www.iana.org/assignments/ipsec-registry).

> SSHv2 uses one of these groups, and also includes an extension to
> allow the group to be dynamically negotiated.
> 
> Muddying the waters, SSHv2 defined its own group-numbering space;
> diffie-hellman-group1-sha1 is the same as IKE's "group 2".

Yes, that is correct, it should use its own number space, as it wants
to control what groups are allowed etc. Thats why it should have its
own registry listing the groups. 

> Do any protocols other than SSHv2 reuse IKE's MODP Diffie-Hellman
> groups?

Yes. 

> If so, what naming convention, if any, is used in that protocol?

iSCSI RFC 3723 (Securing Block Storage Protocols over IP) uses same
prime number, but different generator for those groups, and names them
with nameslike "MODP-XXXX" where XXXX is the number of bits. Their
groups are named in their own IANA registry
(http://www.iana.org/assignments/iscsi-parameters). 

draft-clancy-eap-pax-00.txt uses the 3072 bit group and gives it
number 0x01. 

draft-moskowitz-hip-09.txt uses 1536-8192 bit groups, and gives them
their own numbers from 3-6.

draft-riikonen-silc-ke-auth-08.txt uses 1024-2048 bit groups, and
gives them their own name diffie-hellman-group1 - diffie-hellman-group3.

draft-tuexen-sctp-auth-chunk-01.txt uses all IKE modp groups, and uses
the same numbers than IKE, but it seems they will allocate their own
IANA registry for number, the initial values will simply be same. 

draft-cam-winget-eap-fast-00.txt uses 2048 bit group, but I think they
send the whole group every time, i.e the groups do not have registry
or name.

draft-ietf-tls-srp-07.txt also uses 3072-8192 bit groups, but
different generators, and they send the whole group every time (I
think), thus there is no registry or name. 
- -- 
kivinen%safenet-inc.com@localhost

------- End of Forwarded Message




Home | Main Index | Thread Index | Old Index