[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: I-D ACTION:draft-ietf-ipsec-esp-ah-algorithms-00.txt

To: chris.stillson@xxxxxxx, ipsec@xxxxxxxxxxxxxxxxx
Subject: Re: I-D ACTION:draft-ietf-ipsec-esp-ah-algorithms-00.txt
From: Paul Hoffman / VPNC <paul.hoffman@xxxxxxxx>
Date: Thu, 18 Dec 2003 18:15:44 -0800
In-reply-to: <>
References: <> <>
Sender: owner-ipsec@xxxxxxxxxxxxxxxxx

At 5:09 PM -0800 12/18/03, chris stillson wrote:

The +/- distinction is splitting hairs. MUST/SHOULD/MAY are enough to
convey any distinctions.

Errrr, the WG already agreed to these when we moved draft-ietf-ipsec-ikev2-algorithms-04.txt out of the WG. The use in this draft seems identical (other than the gratuitous SHOULD NOT for DES).

 Also, although MD5 has some know problems,
the fact that it's faster than SHA1 and provides enough security for
most uses implies that it should be a "SHOULD", if not a "MUST"

The fact is that MD5 doesn't have the strength of SHA-1 (128 bits vs 160 bits). That is why SHA-1 is preferred in this context.

Also, AES-CBC should be a "MUST".

This was discussed many times on the mailing list before WG last call on the main algorithms document. When they all go into IETF Last Call, you might want to bring it up again, but it would be a Really Bad Thing to have the AH and ESP document have different requirements than the algorithms document.

--Paul Hoffman, Director
--VPN Consortium

References:
- I-D ACTION:draft-ietf-ipsec-esp-ah-algorithms-00.txt
  - From: Internet-Drafts
- Re: I-D ACTION:draft-ietf-ipsec-esp-ah-algorithms-00.txt
  - From: chris stillson

Prev by Date: Re: I-D ACTION:draft-ietf-ipsec-esp-ah-algorithms-00.txt
Next by Date: Re: Clarification of EAP authentication in IKEv2?
Previous by thread: Re: I-D ACTION:draft-ietf-ipsec-esp-ah-algorithms-00.txt
Next by thread: Re: I-D ACTION:draft-ietf-ipsec-esp-ah-algorithms-00.txt
Index(es):
- Date
- Thread