Re: [Ipsec] Fwd: I-D ACTION:draft-hoffman-ikev1-algorithms-00.txt
Paul Hoffman / VPNC <paul.hoffman@vpnc.org> Tue, 05 October 2004 18:44 UTC
Date: Tue, 05 Oct 2004 11:14:57 -0700
To: Tero Kivinen <kivinen@iki.fi>
From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Subject: Re: [Ipsec] Fwd: I-D ACTION:draft-hoffman-ikev1-algorithms-00.txt
Cc: IPsec WG <ipsec@ietf.org>

At 11:50 AM +0300 10/5/04, Tero Kivinen wrote:
>The document seems fine.

Thanks!

> Perhaps add reference to the NIST
>announcement of documenting the removal of DES or so might be good
>idea.

I'm not so hot on this, because we should also then talk about why MD5 is now not as fine as it was a few months ago, and why MODP Group 1 is not as fine, and so on. If we start doing that, what do I say about moving Tiger to "MAY"? Was that because no one implemented it, or because no one implemented it because no one was confident in its crypto properties? Then there's the question about elliptic curves. I'd kinda rather leave the crypto reasoning vague unless others here really think it is needed for the document.

> Also adding "authentication via pre-shared keys" to both
>sections 2 and 3 would be good, so all the requirements are there. Now
>that is the only one that is left out, as it is not changing.

Good point, thanks.

>I would actually like to make AES a next MUST cipher, and I do not see
>problem that we refer new documents here. We are still updating
>RFC2409 aren't we?

No, that's extending RFC 2409. AES was not listed (for obvious historical reasons), so this would be a clear extension. We *can* extend RFC 2409, of course, but that would mean something very different for the process, I think. If we extend it, we probably would need to wind in all the extensions that we have created over the past six years. Yuck.

>Anyways, this will update the ciphers used in the IKEv1 SA, but it
>does not change the ciphers used in the IPsec SAs. If you want to do
>that too, you need to update the RFC2407 too.
>
>RFC2407 currently lists mandatory algorithms as AH with MD5, AH with
>SHA1, ESP with DES and HMAC-MD5, ESP with NULL cipher.
>
>The RFC2406 also lists mandatory algorithms for ESP, i.e it lists: DES
>in CBC mode, HMAC with MD5, HMAC with SHA-1, NULL authentication
>algorithm and NULL encryption algorithm.

Of course. I wanted to be sure we were on the right track with this one. Doing the same thing for 2406 and 2407 is trivial if we agree on what we are doing here.

>And the RFC2402 lists mandatory algorithms for AH, i.e. it lists; HMAC
>with MD5 and SHA-1.

But there is no problem with its requirements, is there?

--Paul Hoffman, Director
--VPN Consortium