
Ciphersuites MUSTs and SHOULDs



Wearing his WG chair hat, Ted said:

>I have adjusted the MUST/SHOULD from Paul's message since I believe that
>for implementations that will be moving to implement IKEv2, it is
>reasonable to require the implementation of AES, as it has so many
>advantages over 3DES.

The current proposal contains not only a list of MUSTs and SHOULDs, 
it has language that is supposed to go into the document about them. 
The counter-proposal doesn't change the support language. The 
counter-proposal offers no security or interoperability rationale. 
For example, the counter-proposal mandates both 3DES and AES. How 
does that help interoperability or security?

Ted's proposal (which is certainly not based on any consensus from 
the mailing list) essentially prevents any currently-deployed IPsec 
system that has 3DES-acceleration from running IKEv2 sensibly. The 
vendor would have to offer AES in software next to 3DES in hardware, 
and hopefully explain to the user what the difference is.

Is this what the WG wants? Or would the WG prefer a set of MUSTs and 
SHOULDs that allow vendors to update currently-deployed systems with 
IKEv2?

--Paul Hoffman, Director
--VPN Consortium