> On 18 Oct 2016, at 13:33, Tero Kivinen <kivi...@iki.fi> wrote:
> Yoav Nir writes:
>> I’m not entirely comfortable with calling something a MUST NOT when all we
>> have is conjecture, but I have no love and no need of those DH groups.
> Same here, and it also makes it so that we cannot say our
> implementation is conforming rfc4307bis, even when we do already have
> support for AES, SHA2, 2048-bit DH, i.e. all the mandatory to
> implement algorithms in the new document, but we do also have code to
> propose the RFC5114 MODP groups, if user configures them to be used.

I don’t think that’s the right way to interpret compliance with RFC4307bis. If 
you can configure your implementation to support only algorithms that are MUST, 
SHOULD, or MAY in the document, then you can configure your implementation to 
comply with 4307bis. I don’t think implementation compliance requires pulling 
out code.

Our implementation allows the user to key in long hex strings to construct MODP 
groups that are not available out of the box. With your interpretation we can 
never be compliant because they can always make up their own 512-bit group and 
add that to the available groups.


IPsec mailing list

Reply via email to