MUST implement AES-CBC for IPsec ESP

Russ Housley <housley@vigilsec.com> Wed, 17 January 2007 15:02 UTC

To: ipsec@ietf.org, saag@mit.edu, ietf@ietf.org
From: Russ Housley <housley@vigilsec.com>

During the IETF Last Call for draft-manral-ipsec-rfc4305-bis-errata, 
we received a comment that deserves wide exposure.

For ESP encryption algorithms, the document that was sent out for 
Last Call contains the following table:

       Requirement    Encryption Algorithm (notes)
       -----------    --------------------
       MUST           NULL (1)
       MUST-          TripleDES-CBC [RFC2451]
       SHOULD+        AES-CBC with 128-bit keys [RFC3602]
       SHOULD         AES-CTR [RFC3686]
       SHOULD NOT     DES-CBC [RFC2405] (3)

The Last Call comment suggests changing the "SHOULD+" for AES-CBC to "MUST."

I support this proposed change, and I have asked the author to make 
this change in the document that will be submitted to the IESG for 
consideration on the Telechat on January 25th.  If anyone has an 
objection to this change, please speak now.  Please send comments on 
this proposed change to the iesg@ietf.org or ietf@ietf.org mailing 
lists by 2007-01-24.

Russ Housley
Security AD

