On Nov 10, 2013, at 10:12 AM, Tero Kivinen <[email protected]> wrote:

> Paul Hoffman writes:
>>> No. Because the mess with RFC5903 and RFC 4753, i.e. reusing the same
>>> IANA values for two different non-interoperable uses of the groups, I
>>> cannot say there is enough interoperable use for that RFC.
>>
>> Nor can you say that there is *not* enough interoperable use. As
>> others have pointed out, there are lots of implementations, and as far
>> as I have heard, all current implementations are using RFC 5930.
>
> I agree there are enough interoperable implementations, I do not know
> if they are "widely used". As far as I know people are still using
> MODP DH groups when they are actually using IKEv2 in the field.

Given that you told your customers not to use the ECDSA curves, it seems sensible that you would not hear them saying that they were disagreeing with you. :-)

>>> I have recommended everybody not to use them, as you never know if
>>> they work, as you do not know if the other end is upgraded to Errata
>>> version of 4753 (i.e. RFC5903).
>>
>> That's fine if you want to recommend it; many implementors are
>> ignoring you and interoperating just fine.
>
> Again I did not recommend implementors not to implement it or fix
> their code to use RFC5930 way of doing things, I was recommending users
> not to use them unless they are sure all their environment is updated
> to latest versions (which usually is not the case).
>
> You are confusing the "use" vs "implementation" here.

No, I'm not.

> There needs to
> be "widespread deployment and successful operational experience.", and
> that at least for me would mean that actually would need to use that
> feature, not just that it might be compiled in to the implementation.

Correct. And some US government installations are seeing both, most likely because they are requiring it.

>> That may all be true, but it is also irrelevant to whether the RFC
>> itself should advance. The IANA values are not in question: only the
>> bits on the wire are covered in the RFCs. The bits on the wire in
>> RFC 5930 are highly interoperable, as shown by many different
>> implementations (possibly even yours).
>
> And how does that point there is "successful operational experience"
> for those groups?

I didn't say that it did; so, see above. There has been both conformance and interoperability testing for those curves, and day-to-day deployment. (Which is more than you can probably show for some of the two largest MODP groups in RFC 3526, but I think it is fine to leave them in because there was limited interop testing for them a decade ago and that's good enough.)

--Paul Hoffman

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
