Re: [node req] Question on Security considerations.
Russ Housley <housley@vigilsec.com> Fri, 13 February 2004 22:08 UTC
Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA10331 for <ipv6-archive@odin.ietf.org>; Fri, 13 Feb 2004 17:08:45 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ArlTt-0001yb-Le for ipv6-archive@odin.ietf.org; Fri, 13 Feb 2004 17:08:18 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i1DM8GQ0007591 for ipv6-archive@odin.ietf.org; Fri, 13 Feb 2004 17:08:16 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ArlTr-0001yM-Mi for ipv6-web-archive@optimus.ietf.org; Fri, 13 Feb 2004 17:08:15 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA10283 for <ipv6-web-archive@ietf.org>; Fri, 13 Feb 2004 17:08:12 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1ArlTp-0002ZI-00 for ipv6-web-archive@ietf.org; Fri, 13 Feb 2004 17:08:13 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1ArlSr-0002SD-00 for ipv6-web-archive@ietf.org; Fri, 13 Feb 2004 17:07:14 -0500
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1ArlRu-0002Jd-00 for ipv6-web-archive@ietf.org; Fri, 13 Feb 2004 17:06:14 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1ArlRj-0001NH-2Z; Fri, 13 Feb 2004 17:06:03 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Arfcl-00072s-Pa for ipv6@optimus.ietf.org; Fri, 13 Feb 2004 10:53:03 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA15966 for <ipv6@ietf.org>; Fri, 13 Feb 2004 10:52:59 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1Arfcj-0004TI-00 for ipv6@ietf.org; Fri, 13 Feb 2004 10:53:01 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1Arfbp-0004Px-00 for ipv6@ietf.org; Fri, 13 Feb 2004 10:52:05 -0500
Received: from woodstock.binhost.com ([144.202.240.3]) by ietf-mx with smtp (Exim 4.12) id 1ArfbN-0004MV-00 for ipv6@ietf.org; Fri, 13 Feb 2004 10:51:37 -0500
Received: (qmail 22862 invoked by uid 0); 13 Feb 2004 15:51:34 -0000
Received: from unknown (HELO Russ-Laptop.vigilsec.com) (138.88.147.54) by woodstock.binhost.com with SMTP; 13 Feb 2004 15:51:34 -0000
Message-Id: <5.2.0.9.2.20040213104954.0485f438@mail.binhost.com>
X-Sender: housley@mail.binhost.com
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Fri, 13 Feb 2004 10:51:35 -0500
To: john.loughney@nokia.com, ipv6@ietf.org
From: Russ Housley <housley@vigilsec.com>
Subject: Re: [node req] Question on Security considerations.
Cc: smb@research.att.com
In-Reply-To: <DADF50F5EC506B41A0F375ABEB320636D44C28@esebe023.ntc.nokia. com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: ipv6-admin@ietf.org
Errors-To: ipv6-admin@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Id: IP Version 6 Working Group (ipv6) <ipv6.ietf.org>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=AWL autolearn=no version=2.60
Please take a look at these two documents:
draft-ietf-ipsec-ikev2-algorithms-04.txt
draft-ietf-ipsec-esp-ah-algorithms-01.txt
At 03:07 PM 2/13/2004 +0200, john.loughney@nokia.com wrote:
>Hi all,
>
>The Security AD commented the following:
>
> > For Section 8, RFCs 2401, 2402, and 2406 are currently being revised by
> > the IPsec group; that should be mentioned.
>
>This is no problem.
>
> > The crypto algorithm requirements should be better aligned with
> > recommendations from the IPsec wg. There's a draft that lists 3DES as
> > SHOULD, not MAY.
>
>Would it be appropriate to mention something like:
>
> The Security Area RECOMMENDS the use of 3DES.
>
> > I think that IKEv? should be a SHOULD, not a MAY. While the IESG hasn't
> > yet seen draft-bellovin-mandate-keymgmt, it will soon and it describes
> > automated key management as a "strong SHOULD". That's certainly the
> > consensus in the security area.
>
>I think that the WG has gone through this several times, and SHOULD has
>always seemed problematic for some uses. Does anyone have any suggestions?
>
> > More generically, I don't think that this WG should standardize weaker
> > security requirements than the security area thinks are appropriate,
> > without strong justification. (Stronger requirements are fine -- they
> > may have a different operational environment, or a different threat
> > model.)
>
>My general comment is that if this document can point to existing RFCs
>for the security requirements, then I am happy to mandate whatever
>the pointers suggest (hint to the security area, provide pointers and
>I will include them).
>
>thanks,
>John
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
- [node req] Question on Security considerations. john.loughney
- Re: [node req] Question on Security consideration… Russ Housley
- RE: [node req] Question on Security consideration… john.loughney