
Re: draft-ietf-ipsec-ikev2-algorithms-00.txt



I agree. Jeff indicated in a conversation earlier this week that he is updating his draft accordingly.

thanks,
Barb

At 06:46 AM 5/30/2003, Stephen Kent wrote:
At 11:33 AM -0400 5/23/03, Russ Housley wrote:
I am glad to see that this draft was finally posted, but it does not reflect my recollection of the working group consensus prior to the San Francisco IETF meeting.

I am very pleased to see SHOULD+, SHOULD-, and MUST-.  These provide important guidance to product planners.

In section 4.1.1 on IKEv2 Encrypted Payload Algorithms, I expected:

        MUST     Three-key Triple-DES in CBC mode
        SHOULD+  128-bit AES in CBC mode

In section 4.1.2, I expected no mention of elliptic curves.  The working group abandoned work in this area many months ago.  Also, I expected:

        MUST     1024
        SHOULD   1536
        SHOULD+  2048

In section 4.1.3 on IKEv2 Transfer Type 1 Algorithms, I expected two of the entries to have different requirements:

        MUST     ENCR_3DES (assuming that this is 3-key 3DES in CBC mode)
        SHOULD+  ENCR_AES_128_CBC

In section 4.1.4 on IKEv2 Transfer Type 2 Algorithms, I expected two of the entries to have different requirements:

        MAY      PRF_HMAC_MD5
        SHOULD   PRF_AES128_CBC

I also thought that we were going to define a shorthand way to configure different devices to use the same selections from the a la carte menu.  At a minimum, we should come up with a name for the collection of MUST algorithms.

Do others have different recollections and expectations?

Russ

Russ,

Your comments above match my recollection of what was agreed upon and documented in earlier drafts by Paul.

Steve
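The thread above is about which IKEv2 transforms an implementation can count on a peer supporting (the MUST set) and which are only SHOULD or MAY, and about naming the MUST collection. The following is an added example, not code from the thread or from the draft: it encodes the requirement levels exactly as Russ says he expected them (only the entries his message lists; PRF_HMAC_SHA1 as MUST is an assumption added so the PRF type has a baseline entry), parses a proposal written in a simple "one transform name per token" text form that is also an assumption of this example, and reports whether the proposal is guaranteed to interoperate with any conformant responder. These are 2003 levels under discussion, not current guidance: RFC 8247 later moved 3DES, 1024-bit MODP and HMAC-MD5 to SHOULD NOT.

```python
"""Assess an IKEv2 SA proposal against a table of algorithm requirement levels."""
from typing import Dict, List

# Constructed from the levels in Russ Housley's message (draft-ietf-ipsec-
# ikev2-algorithms-00 discussion, 2003). PRF_HMAC_SHA1 = MUST is an
# assumption for this example; the message does not list it. Not current
# guidance: RFC 8247 moved 3DES, MODP-1024 and HMAC-MD5 to SHOULD NOT.
EXPECTED_LEVELS: Dict[str, Dict[str, str]] = {
    "ENCR": {"ENCR_3DES": "MUST", "ENCR_AES_128_CBC": "SHOULD+"},
    "DH": {"MODP_1024": "MUST", "MODP_1536": "SHOULD", "MODP_2048": "SHOULD+"},
    "PRF": {"PRF_HMAC_SHA1": "MUST", "PRF_HMAC_MD5": "MAY", "PRF_AES128_CBC": "SHOULD"},
}

# How far a proposer can rely on an arbitrary conformant peer implementing a
# transform at each level. MUST- and SHOULD- carry the same present-tense
# obligation as MUST and SHOULD; the '-' only signals an expected downgrade.
RELIANCE = {"MUST": "guaranteed", "MUST-": "guaranteed",
            "SHOULD+": "likely", "SHOULD": "likely", "SHOULD-": "likely",
            "MAY": "optional"}
_ORDER = ["guaranteed", "likely", "optional"]

# Transform type inferred from the name prefix (MODP groups are D-H transforms).
TYPE_PREFIX = {"ENCR_": "ENCR", "PRF_": "PRF", "MODP_": "DH"}


def transform_type(name: str) -> str:
    for prefix, ttype in TYPE_PREFIX.items():
        if name.startswith(prefix):
            return ttype
    raise ValueError(f"unrecognised transform name: {name}")


def parse_proposal(text: str) -> Dict[str, List[str]]:
    """Split a comma/whitespace separated list of transform names into per-type
    lists. The text form is an assumption of this example, not IKEv2 wire encoding."""
    proposal: Dict[str, List[str]] = {}
    for token in text.replace(",", " ").split():
        proposal.setdefault(transform_type(token), []).append(token)
    return proposal


def must_suite(table: Dict[str, Dict[str, str]] = EXPECTED_LEVELS) -> Dict[str, List[str]]:
    """The MUST (and MUST-) transforms per type: the minimum every conformant
    implementation offers, i.e. the collection Russ wanted a shorthand name for."""
    return {ttype: sorted(n for n, lvl in entries.items() if lvl in ("MUST", "MUST-"))
            for ttype, entries in table.items()}


def assess(proposal: Dict[str, List[str]],
           table: Dict[str, Dict[str, str]] = EXPECTED_LEVELS) -> Dict[str, str]:
    """Per transform type, the strongest reliance any offered transform gives.
    'missing' if the proposal offers nothing of that type; names absent from the
    table are treated as MAY, since nothing obliges a peer to implement them."""
    result: Dict[str, str] = {}
    for ttype, entries in table.items():
        offered = proposal.get(ttype, [])
        if not offered:
            result[ttype] = "missing"
            continue
        best = "optional"
        for name in offered:
            reliance = RELIANCE.get(entries.get(name, "MAY"), "optional")
            if _ORDER.index(reliance) < _ORDER.index(best):
                best = reliance
        result[ttype] = best
    return result


def guaranteed_interop(proposal: Dict[str, List[str]],
                       table: Dict[str, Dict[str, str]] = EXPECTED_LEVELS) -> bool:
    """True only if every transform type includes a MUST-level choice, so that any
    conformant responder can select something from the proposal."""
    return all(v == "guaranteed" for v in assess(proposal, table).values())


def phase_out_notes(proposal: Dict[str, List[str]],
                    table: Dict[str, Dict[str, str]] = EXPECTED_LEVELS) -> List[str]:
    """Offered transforms at a '-' level (MUST-/SHOULD-): present obligations that
    product planners should expect to be downgraded in a later revision."""
    notes = []
    for ttype, names in proposal.items():
        for name in names:
            lvl = table.get(ttype, {}).get(name, "")
            if lvl.endswith("-"):
                notes.append(f"{name} is {lvl}: plan for its removal")
    return notes


if __name__ == "__main__":
    # Constructed proposals: the second offers only the SHOULD+/SHOULD options,
    # so a minimal responder that implements just the MUST set could reject it.
    for text in ("ENCR_AES_128_CBC,ENCR_3DES PRF_HMAC_SHA1 MODP_2048,MODP_1024",
                 "ENCR_AES_128_CBC PRF_AES128_CBC MODP_2048"):
        p = parse_proposal(text)
        print(text, "->", assess(p), "guaranteed:", guaranteed_interop(p))
    print("MUST suite:", must_suite())
```

The design point is that the requirement level of a transform is a statement about peers you have not met: a proposal that lists only SHOULD+ transforms is fine against a modern peer but is not guaranteed to be accepted by a minimal conformant one, and the named MUST collection is the set you fall back on for that guarantee.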