[Ipsec] Re: MUST implement AES-CBC for IPsec ESP
"Steven M. Bellovin" <smb@cs.columbia.edu> Sat, 20 January 2007 23:30 UTC
Date: Sat, 20 Jan 2007 18:30:06 -0500
From: "Steven M. Bellovin" <smb@cs.columbia.edu>
To: Lakshminath Dondeti <ldondeti@qualcomm.com>
In-Reply-To: <45B28AFE.6090204@qualcomm.com>
References: <7.0.0.16.2.20070117095212.04035c38@vigilsec.com> <45B28AFE.6090204@qualcomm.com>
Organization: Columbia University
Cc: ipsec@ietf.org, saag@mit.edu, Russ Housley <housley@vigilsec.com>, ietf@ietf.org

On Sat, 20 Jan 2007 13:34:54 -0800
Lakshminath Dondeti <ldondeti@qualcomm.com> wrote:

> What are the export implications due to this? A compliant ESP
> implementation MUST include the DES cipher due to this change. With
> status quo, a compliant ESP implementation can be used for integrity
> protection alone with NULL encryption.
>

I don't understand your question. Apart from the Danvers doctrine --
the IETF makes technically sound decisions without regard to politics --
how do you conclude that DES MUST be included? The new document says
SHOULD NOT.

>
> Russ Housley wrote:
> > During the IETF Last Call for draft-manral-ipsec-rfc4305-bis-errata,
> > we received a comment that deserves wide exposure.
> >
> > For ESP encryption algorithms, the document that was sent out for
> > Last Call contains the following table:
> >
> >    Requirement    Encryption Algorithm (notes)
> >    -----------    --------------------
> >    MUST           NULL (1)
> >    MUST-          TripleDES-CBC [RFC2451]
> >    SHOULD+        AES-CBC with 128-bit keys [RFC3602]
> >    SHOULD         AES-CTR [RFC3686]
> >    SHOULD NOT     DES-CBC [RFC2405] (3)
> >
> > The Last Call comment suggests changing the "SHOULD+" for AES-CBC
> > to "MUST." I support this proposed change, and I have asked the
> > author to make this change in the document that will be submitted
> > to the IESG for consideration on the Telechat on January 25th. If
> > anyone has an objection to this change, please speak now. Please
> > send comments on this proposed change to the iesg@ietf.org or
> > ietf@ietf.org mailing lists by 2007-01-24.
> >
> > Russ Housley
> > Security AD

--Steve Bellovin, http://www.cs.columbia.edu/~smb