IETF Logo Mail Archive

Re: MUST implement AES-CBC for IPsec ESP

Lakshminath Dondeti <ldondeti@qualcomm.com> Sat, 20 January 2007 21:36 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H8Nsm-0006hq-Gl; Sat, 20 Jan 2007 16:36:16 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H8Nsk-0006hc-6W; Sat, 20 Jan 2007 16:36:14 -0500
Received: from numenor.qualcomm.com ([129.46.51.58]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H8Nsh-0000Kb-Q9; Sat, 20 Jan 2007 16:36:14 -0500
Received: from totoro.qualcomm.com (totoro.qualcomm.com [129.46.61.158]) by numenor.qualcomm.com (8.13.6/8.12.5/1.0) with ESMTP id l0KLa9Pq016520 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Sat, 20 Jan 2007 13:36:10 -0800
Received: from [10.50.72.98] (qconnect-10-50-72-98.qualcomm.com [10.50.72.98]) by totoro.qualcomm.com (8.13.6/8.13.6/1.0) with ESMTP id l0KLa8Ks008418 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 20 Jan 2007 13:36:09 -0800 (PST)
Message-ID: <45B28AFE.6090204@qualcomm.com>
Date: Sat, 20 Jan 2007 13:34:54 -0800
From: Lakshminath Dondeti <ldondeti@qualcomm.com>
User-Agent: Thunderbird 2.0b1 (Windows/20061206)
MIME-Version: 1.0
To: Russ Housley <housley@vigilsec.com>
References: <7.0.0.16.2.20070117095212.04035c38@vigilsec.com>
In-Reply-To: <7.0.0.16.2.20070117095212.04035c38@vigilsec.com>
Content-Type: text/plain; charset="ISO-8859-15"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a7d6aff76b15f3f56fcb94490e1052e4
Cc: ipsec@ietf.org, saag@mit.edu, ietf@ietf.org
Subject: Re: MUST implement AES-CBC for IPsec ESP
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Errors-To: ietf-bounces@ietf.org

What are the export implications due to this?  A compliant ESP 
implementation MUST include the DES cipher due to this change.   With 
status quo, a compliant ESP implementation can be used for integrity 
protection alone with NULL encryption.

regards,
Lakshminath

Russ Housley wrote:
> During the IETF Last Call for draft-manral-ipsec-rfc4305-bis-errata, we 
> received a comment that deserves wide exposure.
> 
> For ESP encryption algorithms, the document that was sent out for Last 
> Call contains the following table:
> 
>       Requirement    Encryption Algorithm (notes)
>       -----------    --------------------
>       MUST           NULL (1)
>       MUST-          TripleDES-CBC [RFC2451]
>       SHOULD+        AES-CBC with 128-bit keys [RFC3602]
>       SHOULD         AES-CTR [RFC3686]
>       SHOULD NOT     DES-CBC [RFC2405] (3)
> 
> The Last Call comment suggests changing the "SHOULD+" for AES-CBC to 
> "MUST."
> 
> I support this proposed change, and I have asked the author to make this 
> change in the document that will be submitted to the IESG for 
> consideration on the Telechat on January 25th.  If anyone has an 
> objection to this change, please speak now.  Please send comments on 
> this proposed change to the iesg@ietf.org or ietf@ietf.org mailing lists 
> by 2007-01-24.
> 
> Russ Housley
> Security AD
> 
> 
> _______________________________________________
> Ietf mailing list
> Ietf@ietf.org
> https://www1.ietf.org/mailman/listinfo/ietf
> 

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email