
draft-ietf-ipsec-ikev2-algorithms-00.txt



I am glad to see that this draft was finally posted, but it does not 
reflect my recollection of the working group consensus prior to the San 
Francisco IETF meeting.

I am very pleased to see SHOULD+, SHOULD-, and MUST-.  These provide 
important guidance to product planners.

In section 4.1.1 on IKEv2 Encrypted Payload Algorithms, I expected:

	MUST		Three-key Triple-DES in CBC mode
	SHOULD+	128-bit AES in CBC mode

In section 4.1.2, I expected no mention of elliptic curves.  The working 
group abandoned work in this area many months ago.  Also, I expected:

	MUST		1024
	SHOULD	1536
	SHOULD+	2048

In section 4.1.3 on IKEv2 Transfer Type 1 Algorithms, I expected two of 
the entries to have different requirements:

	MUST		ENCR_3DES (assuming that this is 3-key 3DES in CBC mode)
	SHOULD+	ENCR_AES_128_CBC

In section 4.1.4 on IKEv2 Transfer Type 2 Algorithms, I expected two of the 
entries to have different requirements:

	MAY		PRF_HMAC_MD5
	SHOULD	PRF_AES128_CBC

I also thought that we were going to define a shorthand way to configure 
different devices to use the same selections from the a la carte menu.  At 
a minimum, we should come up with a name for the collection of MUST algorithms.

Do others have different recollections and expectations?

Russ