[Openswan dev] Related to RFC 5114
Paul Wouters
paul at xelerance.com
Mon Feb 15 15:19:30 EST 2010
On Thu, 11 Feb 2010, Avesh Agarwal wrote:
> RFC 5114 defines some new dh groups. Any plans to support them?
Some.
There are no plans to incorporate any Elliptic Curve as of yet. This
is mostly because of the patent minefield, and partially because
we would need to investigate in existing compatible libraries to use
for this to avoid writing our own EC code.
The non-EC groups could be added. Though since for IKEv1, you have
to send full proposal sets, it would be bad to add more proposals
to the default, so I would not add those to the default proposal list.
For IKEv2 this could be done, as not full proposal sets needs to
be exchanged, just the allowed proposal components.
We would also have to come up with a naming scheme for these in
the config file to distinguish these from the existing modp groups
of the same bit size. I think at this point, it might be easier to
switch the modp syntax to some group syntax, so we can just use
the registry group numbers, as listed by IANA:
http://www.iana.org/assignments/ipsec-registry
Perhaps something like phase2alg=aes256-sha1;group22 ?
Paul
More information about the Dev
mailing list