[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Eliminating "SHOULD-" from draft-ietf-ipsec-algorithms
Greetings again. draft-ietf-ipsec-algorithms uses the standard
definitions for MUST, SHOULD, and so on. It adds three new terms:
SHOULD+ This term means the same as SHOULD. However it is
likely that an algorithm marked as SHOULD+ will be
promoted at some future time to be a MUST
SHOULD- This terms means the same as SHOULD. However an
algorithm marked as SHOULD- may be deprecated to a
MAY in a future version of this document.
MUST- This term means the same as MUST. However we expect
at some point that this algorithm will no longer be
a MUST in a future document. Although its status
will be determined at a later time, it is
reasonable to expect that if a future revision of a
document alters the status of a MUST- algorithm, it
will remain at least a SHOULD or a SHOULD-.
The concept of SHOULD+ and MUST- is good, but SHOULD- is not useful
and is confusing to implementers. In the current draft, there are
only two items that are marked as SHOULD-:
ENCR_DES_IV64 1 [RFC1827] SHOULD-
ENCR_DES 2 [RFC2405] SHOULD-
There is no good reason for DES to be a SHOULD or a SHOULD-. No one
who cares about security would use it, and the only reason we see it
in use in IPsec today is that it is still the MUST for IKEv1. Any use
of DES should be a MAY.
If IKEv2 lists DES as MAY instead of SHOULD-, that will hasten the
demise of the use of DES in environments that should be using
stronger keys. An additional benefit would be to make this RFC more
understandable.
(In less polite terms: let's finally dump DES from any level of requirement!)
--Paul Hoffman, Director
--VPN Consortium