Re: Remove little-used algorithms from IKEv2

Paul Hoffman / VPNC <paul.hoffman@vpnc.org> Fri, 15 March 2002 04:51 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g2F4pQ406837; Thu, 14 Mar 2002 20:51:26 -0800 (PST)
Received: by lists.tislabs.com (8.9.1/8.9.1) id XAA08811 Thu, 14 Mar 2002 23:19:58 -0500 (EST)
Mime-Version: 1.0
X-Sender: phoffvpnc@mail.vpnc.org
Message-Id: <p0510141db8b728fc66ee@[165.227.249.20]>
In-Reply-To: <3C9176B6.23706837@lucent.com>
References: <2F3EC696EAEED311BB2D009027C3F4F405869A08@vhqpostal.verisign.com> <p05101410b8b6caac4c2b@[165.227.249.20]> <3C9176B6.23706837@lucent.com>
Date: Thu, 14 Mar 2002 20:31:29 -0800
To: Uri Blumenthal <uri@lucent.com>
From: Paul Hoffman / VPNC <paul.hoffman@vpnc.org>
Subject: Re: Remove little-used algorithms from IKEv2
Cc: "Hallam-Baker, Phillip" <pbaker@verisign.com>, ipsec@lists.tislabs.com
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

At 11:21 PM -0500 3/14/02, Uri Blumenthal wrote:
>Considering how close internally MD5 and SHA-1 are - I'd expect
>that any real "catastrophic" failure of one will affect the
>other...

I hear a theme here. :-) OK, if that is true, then it is fine to 
remove MD5 as long as there is at least one other unrelated hash 
algorithm that can be widely implemented in an interoperable fashion.

>  > MD5 has a huge amount of implementation experience behind it.
>
>Why is this of importance...?

Because falling back to an algorithm for which there is bad 
interoperability is bad. It does not serve the IPsec users.

--Paul Hoffman, Director
--VPN Consortium