Re: Review of draft-manral-ipsec-rfc4305-bis-errata-02.txt

"Steven M. Bellovin" <smb@cs.columbia.edu> Mon, 11 December 2006 16:08 UTC

Date: Mon, 11 Dec 2006 11:08:10 -0500
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Nicolas Williams <Nicolas.Williams@sun.com>
In-Reply-To: <20061211155532.GB26832@binky.Central.Sun.COM>
References: <20061211155532.GB26832@binky.Central.Sun.COM>
Organization: Columbia University
Message-Id: <20061211160811.046763C0318@berkshire.machshav.com>
Cc: secdir@mit.edu, iesg@ietf.org, vishwas@ipinfusion.com, ietf@ietf.org
Subject: Re: Review of draft-manral-ipsec-rfc4305-bis-errata-02.txt

On Mon, 11 Dec 2006 09:55:33 -0600
Nicolas Williams <Nicolas.Williams@sun.com> wrote:


> Also, I'm not sure that the use of "MUST-" and "SHOULD+" is actually
> useful.  In this update no algorithms previously classified as MUST-
> have been downgraded, and no algorithms previously classified as
> SHOULD+ have been upgraded.  It seems likely to me some AES cipher
> mode will eventually become a MUST, but it's not clear to me that
> AES-CBC, for example, which is marked SHOULD+, will be it.  Therefore
> I would argue that these designations should be changed to MUST and
> SHOULD, respectively.  Or perhaps this I-D is a good opportunity to
> downgrade TripleDES-CBC to SHOULD or MAY and upgrade either AES-CBC
> and/or AES-CTR to MUST?
> 

I'm not sure it's feasible yet to make 3DES a SHOULD; it's quite clear
to me that AES-CBC should become a MUST.  We can't make AES-CTR the
only MUST unless we abolish manual keying.  I could probably deal with
AES-CTR and AES-CBC both being mandated, but I'm really not a fan of
counter mode; it's just too easy to make bad mistakes.


		--Steve Bellovin, http://www.cs.columbia.edu/~smb
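
An added example, not part of the original message or of the draft under review: a sketch of the counter-mode failure that statically configured keys make easy, where a sender that restarts with the same manual key starts its IV sequence over and repeats keystream. HMAC-SHA256 stands in for the AES block function so the code is stdlib-only, and `ManualKeySender`, `reused_ivs` and all sample values are hypothetical.

```python
import hashlib
import hmac

def keystream(key: bytes, iv: int, length: int) -> bytes:
    """Counter-mode keystream. HMAC-SHA256 is a stand-in for AES (assumption);
    the reuse property shown here holds for any counter-mode cipher."""
    out, block = b"", 1
    while len(out) < length:
        ctr = iv.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, ctr, hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ManualKeySender:
    """Hypothetical sender with a statically configured key. The per-packet
    IV is kept only in memory, so a restart resets it to 1."""
    def __init__(self, key: bytes):
        self.key = key
        self.next_iv = 1

    def encrypt(self, plaintext: bytes):
        iv = self.next_iv
        self.next_iv += 1
        return iv, xor(plaintext, keystream(self.key, iv, len(plaintext)))

def reused_ivs(packets):
    """Defender-side check: IVs seen more than once under one key."""
    seen, dup = set(), set()
    for iv, _ in packets:
        (dup if iv in seen else seen).add(iv)
    return sorted(dup)

STATIC_KEY = b"constructed-manual-key"   # constructed sample value
P1 = b"constructed packet before reboot"  # constructed sample plaintexts
P2 = b"constructed packet after reboot!"

before = ManualKeySender(STATIC_KEY).encrypt(P1)
after = ManualKeySender(STATIC_KEY).encrypt(P2)  # restart: same key, IV back at 1

def leaked_xor() -> bytes:
    """What an observer learns without the key: P1 xor P2."""
    return xor(before[1], after[1])
```

With automated key management each security association gets a fresh key, so the restarted counter no longer lines up with old keystream.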
