What are the export implications due to this? A compliant ESP
implementation MUST include the DES cipher due to this change. With
status quo, a compliant ESP implementation can be used for integrity
protection alone with NULL encryption.
regards,
Lakshminath
Russ Housley wrote:
During the IETF Last Call for draft-manral-ipsec-rfc4305-bis-errata, we
received a comment that deserves wide exposure.
For ESP encryption algorithms, the document that was sent out for Last
Call contains the following table:
Requirement Encryption Algorithm (notes)
----------- --------------------
MUST NULL (1)
MUST- TripleDES-CBC [RFC2451]
SHOULD+ AES-CBC with 128-bit keys [RFC3602]
SHOULD AES-CTR [RFC3686]
SHOULD NOT DES-CBC [RFC2405] (3)
The Last Call comment suggests changing the "SHOULD+" for AES-CBC to
"MUST."
I support this proposed change, and I have asked the author to make this
change in the document that will be submitted to the IESG for
consideration on the Telechat on January 25th. If anyone has an
objection to this change, please speak now. Please send comments on
this proposed change to the iesg@xxxxxxxx or ietf@xxxxxxxx mailing lists
by 2007-01-24.
Russ Housley
Security AD
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf