[Ipsec] Fwd: I-D ACTION:draft-hoffman-ikev1-algorithms-00.txt

Tero Kivinen <kivinen@iki.fi> Tue, 05 October 2004 08:56 UTC


Paul Hoffman / VPNC writes:
> Greetings again. We have talked for over five years about getting rid 
> of 56-bit DES in IKEv1. So, I have (belatedly) written a draft on 
> doing this at the same time as updating the other algorithm MUSTs and 
> SHOULDs. This is a personal draft, not a WG item, but it can be 
> discussed on this list before I turn it into the IESG as a personal 
> submission.
> 
> Comments are appreciated.

The document seems fine. Perhaps adding a reference to the NIST
announcement documenting the removal of DES or so might be a good
idea. Also adding "authentication via pre-shared keys" to both
sections 2 and 3 would be good, so all the requirements are there. Now
that is the only one that is left out, as it is not changing.

I would actually like to make AES a next MUST cipher, and I do not see
a problem with us referring to new documents here. We are still updating
RFC2409, aren't we?

Anyways, this will update the ciphers used in the IKEv1 SA, but it
does not change the ciphers used in the IPsec SAs. If you want to do
that too, you need to update RFC2407 too.

RFC2407 currently lists mandatory algorithms as AH with MD5, AH with
SHA1, ESP with DES and HMAC-MD5, ESP with NULL cipher.

The RFC2406 also lists mandatory algorithms for ESP, i.e. it lists: DES
in CBC mode, HMAC with MD5, HMAC with SHA-1, NULL authentication
algorithm and NULL encryption algorithm.

And the RFC2402 lists mandatory algorithms for AH, i.e. it lists: HMAC
with MD5 and SHA-1.
-- 
kivinen@safenet-inc.com
