Re: Remove little-used algorithms from IKEv2



> Any reason for keeping the MD5 algorithms given their somewhat compromised
> status?
> 
> MD5 and SHA are pretty close and share the same internal structure so I
> don't think we can really justify MD5 as a fallback to SHA-1, particularly
> in the light of the Dobbertin results.

Hmmm, I thought HMAC prevented these problems.  Here's a note from a w3c list
that forwards a conversation between Dobbertin and IPsec list regular Hugo
Krawczyk:

	http://lists.w3.org/Archives/Public/ietf-tls/1996AprJun/0111.html

MD5 is a far better performer than SHA-1 - especially if you work around MD5's
poor assumptions that all-the-world's-an-Intel.

> We should anticipate that the AES based SHA-2 algorithms will appear in due
> course so it is not as if there would only be one algorithm

Now _this_ is a better point, but removing MD5 from IKE based on just
Dobbertin is not sufficient, IMHO.

Also, these proposed removals are for IKE only, not for AH/ESP, correct?
HMAC-MD5 is still quite sufficient for packet integrity, and like I said, it
smokes compared with SHA.

Perhaps we should be looking at UMAC for future AH/ESP secure hashes?

Dan
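The point at issue above is that HMAC does not use the hash as a plain collision-resistant function: the key is mixed in twice (inner and outer pass, with the ipad/opad constants), so a collision attack on the bare compression function does not by itself let an attacker who lacks the key forge a tag. The following is an added illustration, not code from the thread or from any IPsec implementation: it builds HMAC from scratch per RFC 2104 over MD5 and SHA-1, checks it against the published RFC 2104/2202 test vectors and against Python's own `hmac` module, and shows that tag verification rejects a tampered message. The helper names (`hmac_rfc2104`, `verify_tag`, `check_vectors`) are this example's own.

```python
import hashlib
import hmac

IPAD = 0x36  # RFC 2104 inner padding byte
OPAD = 0x5C  # RFC 2104 outer padding byte


def hmac_rfc2104(hash_name: str, key: bytes, message: bytes) -> bytes:
    """HMAC as defined in RFC 2104:
        H((K' xor opad) || H((K' xor ipad) || message))
    where K' is the key, hashed if longer than the block size and
    zero-padded to the block size (64 bytes for MD5 and SHA-1)."""
    block_size = hashlib.new(hash_name).block_size
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad_key = bytes(b ^ IPAD for b in key)
    opad_key = bytes(b ^ OPAD for b in key)
    inner = hashlib.new(hash_name, ipad_key + message).digest()
    return hashlib.new(hash_name, opad_key + inner).digest()


def verify_tag(hash_name: str, key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time comparison of a received tag against the recomputed one."""
    return hmac.compare_digest(hmac_rfc2104(hash_name, key, message), tag)


# Published test vectors: RFC 2104 section 3 (HMAC-MD5) and RFC 2202 (HMAC-SHA-1).
RFC_VECTORS = [
    ("md5", b"\x0b" * 16, b"Hi There", "9294727a3638bb1c13f48ef8158bfc9d"),
    ("md5", b"Jefe", b"what do ya want for nothing?", "750c783e6ab0b503eaa86e310a5db738"),
    ("sha1", b"\x0b" * 20, b"Hi There", "b617318655057264e28bc0b6fb378c8ef146be00"),
]


def check_vectors() -> bool:
    """True if the hand-built HMAC matches every RFC vector and the
    standard-library hmac module for the same inputs."""
    for hash_name, key, msg, expected_hex in RFC_VECTORS:
        ours = hmac_rfc2104(hash_name, key, msg)
        if ours.hex() != expected_hex:
            return False
        if ours != hmac.new(key, msg, hash_name).digest():
            return False
    return True


def tamper_is_rejected(hash_name: str = "md5") -> bool:
    """Flip one bit of a constructed message and confirm the original tag
    no longer verifies; a valid tag for the untouched message still does."""
    key = b"constructed-demo-key"            # constructed sample key
    message = b"ESP payload bytes (demo)"    # constructed sample payload
    tag = hmac_rfc2104(hash_name, key, message)
    tampered = bytes([message[0] ^ 0x01]) + message[1:]
    return verify_tag(hash_name, key, message, tag) and not verify_tag(
        hash_name, key, tampered, tag
    )


if __name__ == "__main__":
    print("RFC vectors match:", check_vectors())
    print("tampered message rejected:", tamper_is_rejected())
```

The two nested hash invocations with distinct keyed prefixes are the structural reason the thread treats HMAC-MD5 differently from bare MD5: the attacker never sees the input to either hash call without the key, so producing a colliding pair of messages offline does not translate into a forged tag.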