Re: MUST implement AES-CBC for IPsec ESP
Lakshminath Dondeti <ldondeti@qualcomm.com> Sat, 20 January 2007 21:36 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H8Nsm-0006hq-Gl; Sat, 20 Jan 2007 16:36:16 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H8Nsk-0006hc-6W; Sat, 20 Jan 2007 16:36:14 -0500
Received: from numenor.qualcomm.com ([129.46.51.58]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H8Nsh-0000Kb-Q9; Sat, 20 Jan 2007 16:36:14 -0500
Received: from totoro.qualcomm.com (totoro.qualcomm.com [129.46.61.158]) by numenor.qualcomm.com (8.13.6/8.12.5/1.0) with ESMTP id l0KLa9Pq016520 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Sat, 20 Jan 2007 13:36:10 -0800
Received: from [10.50.72.98] (qconnect-10-50-72-98.qualcomm.com [10.50.72.98]) by totoro.qualcomm.com (8.13.6/8.13.6/1.0) with ESMTP id l0KLa8Ks008418 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sat, 20 Jan 2007 13:36:09 -0800 (PST)
Message-ID: <45B28AFE.6090204@qualcomm.com>
Date: Sat, 20 Jan 2007 13:34:54 -0800
From: Lakshminath Dondeti <ldondeti@qualcomm.com>
User-Agent: Thunderbird 2.0b1 (Windows/20061206)
MIME-Version: 1.0
To: Russ Housley <housley@vigilsec.com>
References: <7.0.0.16.2.20070117095212.04035c38@vigilsec.com>
In-Reply-To: <7.0.0.16.2.20070117095212.04035c38@vigilsec.com>
Content-Type: text/plain; charset="ISO-8859-15"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a7d6aff76b15f3f56fcb94490e1052e4
Cc: ipsec@ietf.org, saag@mit.edu, ietf@ietf.org
Subject: Re: MUST implement AES-CBC for IPsec ESP
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Errors-To: ietf-bounces@ietf.org
What are the export implications due to this? A compliant ESP implementation MUST include the DES cipher due to this change. With status quo, a compliant ESP implementation can be used for integrity protection alone with NULL encryption. regards, Lakshminath Russ Housley wrote: > During the IETF Last Call for draft-manral-ipsec-rfc4305-bis-errata, we > received a comment that deserves wide exposure. > > For ESP encryption algorithms, the document that was sent out for Last > Call contains the following table: > > Requirement Encryption Algorithm (notes) > ----------- -------------------- > MUST NULL (1) > MUST- TripleDES-CBC [RFC2451] > SHOULD+ AES-CBC with 128-bit keys [RFC3602] > SHOULD AES-CTR [RFC3686] > SHOULD NOT DES-CBC [RFC2405] (3) > > The Last Call comment suggests changing the "SHOULD+" for AES-CBC to > "MUST." > > I support this proposed change, and I have asked the author to make this > change in the document that will be submitted to the IESG for > consideration on the Telechat on January 25th. If anyone has an > objection to this change, please speak now. Please send comments on > this proposed change to the iesg@ietf.org or ietf@ietf.org mailing lists > by 2007-01-24. > > Russ Housley > Security AD > > > _______________________________________________ > Ietf mailing list > Ietf@ietf.org > https://www1.ietf.org/mailman/listinfo/ietf > _______________________________________________ Ietf mailing list Ietf@ietf.org https://www1.ietf.org/mailman/listinfo/ietf
- MUST implement AES-CBC for IPsec ESP Russ Housley
- Re: MUST implement AES-CBC for IPsec ESP Lakshminath Dondeti
- RE: MUST implement AES-CBC for IPsec ESP Lawrence Rosen
- [Ipsec] Re: MUST implement AES-CBC for IPsec ESP Paul Hoffman
- Re: MUST implement AES-CBC for IPsec ESP Steven M. Bellovin
- Re: MUST implement AES-CBC for IPsec ESP Steven M. Bellovin
- Re: MUST implement AES-CBC for IPsec ESP Lakshminath Dondeti
- RE: MUST implement AES-CBC for IPsec ESP Contreras, Jorge
- RE: MUST implement AES-CBC for IPsec ESP Lawrence Rosen
- RE: MUST implement AES-CBC for IPsec ESP Yaakov Stein
- RE: MUST implement AES-CBC for IPsec ESP Russ Housley
- Re: [saag] MUST implement AES-CBC for IPsec ESP Nicolas Williams
- Re: [Ipsec] RE: MUST implement AES-CBC for IPsec … Vishwas Manral
- Re: [Ipsec] Re: MUST implement AES-CBC for IPsec … Bart Preneel