[IPsec] Update to RFC4307 too?
Tero Kivinen <kivinen@iki.fi> Wed, 09 October 2013 16:14 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B973E21F9ED4 for <ipsec@ietfa.amsl.com>; Wed, 9 Oct 2013 09:14:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R8XP4v+9zdWk for <ipsec@ietfa.amsl.com>; Wed, 9 Oct 2013 09:14:46 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id 42CD611E81BA for <ipsec@ietf.org>; Wed, 9 Oct 2013 09:14:43 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.7/8.14.5) with ESMTP id r99GEd9M025164 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <ipsec@ietf.org>; Wed, 9 Oct 2013 19:14:39 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.7/8.12.11) id r99GEcuP015102; Wed, 9 Oct 2013 19:14:38 +0300 (EEST)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21077.33006.734392.994194@fireball.kivinen.iki.fi>
Date: Wed, 09 Oct 2013 19:14:38 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: ipsec@ietf.org
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 9 min
X-Total-Time: 8 min
Subject: [IPsec] Update to RFC4307 too?
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipsec>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Oct 2013 16:14:46 -0000
While we are updating the algorithm requirements for the ESP and AH, I think we should also update the RFC4307 too at the same time, as a separate document. I think the changes we would like to do there are: Downgrade Diffie-Hellman group 2 (1024-bits) from MUST- to SHOULD. Upgrade Diffie-Hellman group 14 (2048-bits) from SHOULD+ to MUST. Downgrade ENCR_3DES from MUST- to MAY Fix ENCR_NULL from MAY to MUST NOT (already MUST NOT in errata) Upgrade ENCR_AES_CBC from SHOULD+ to MUST Fix PRF_AES128_CBC to PRF_AES128_XCBC and downgrade it from SHOULD+ to SHOULD. Downgrade AUTH_AES_XCBC_96 from SHOULD+ to SHOULD. Then we might want to think whether we want to add new algorithms, i.e. "AES_GCM with a 8/12/16 octect ICV", PRF_HMAC_SHA2_256/384/512, or AUTH_HMAC_SHA2_256_128/384_192/512_256. In all of those I think we might want to pick one length and make that SHOULD... -- kivinen@iki.fi
- [IPsec] Update to RFC4307 too? Tero Kivinen
- Re: [IPsec] Update to RFC4307 too? Paul Wouters
- Re: [IPsec] Update to RFC4307 too? Tero Kivinen
- Re: [IPsec] Update to RFC4307 too? Michael Richardson
- Re: [IPsec] Update to RFC4307 too? Yoav Nir
- Re: [IPsec] Update to RFC4307 too? Michael Richardson
- Re: [IPsec] Update to RFC4307 too? Tero Kivinen
- Re: [IPsec] Update to RFC4307 too? Yaron Sheffer