On Sat, Apr 22, 2017 at 2:56 AM, Stephan Müller <smueller@xxxxxxxxxx> wrote:

> On Friday, 21 April 2017, 17:25:41 CEST, Stephan Müller wrote:
> Just for the record: for FIPS 140-2 rules, cipher_null is to be interpreted
> as a memcpy on SGLs. Thus it is no cipher even though it sounds like one.
>
> cipher_null is also needed for seqiv, which is required for rfc4106(gcm(aes)),
> which is an approved cipher. Also, it is needed for authenc(), which uses it
> for copying the AAD from src to dst.
>
> That said, cipher_null must not be used for "encryption" operations but rather
> for handling data that is not subject to FIPS 140-2 rules.

In the FreeS/WAN project, back around the turn of the century, we refused to
implement several things required by the RFCs because we thought they were
insecure: null cipher, single DES and 768-bit DH Group 1.

At that time, not having DES did cause some problems in interoperating with
other IPsec implementations, but I doubt it would today. Neither of the other
dropped items caused any problems at all.

Today I'd say drop all of those plus the 1024-bit Group 2, and then look at
whether others should go as well. As of 2001 or so, the 1536-bit Group 5 was
very widely used, so dropping it might well be problematic, but I am not
certain whether it is either secure or widely used now.