Eliminating "SHOULD-" from draft-ietf-ipsec-algorithms

[Paul Hoffman / VPNC <paul.hoffman@vpnc.org>]

Greetings again. draft-ietf-ipsec-algorithms uses the standard 
definitions for MUST, SHOULD, and so on. It adds three new terms:

  SHOULD+            This term means the same as SHOULD. However it is
                     likely that an algorithm marked as SHOULD+ will be
                     promoted at some future time to be a MUST
  SHOULD-            This terms means the same as SHOULD. However an
                     algorithm marked as SHOULD- may be deprecated to a
                     MAY in a future version of this document.
  MUST-              This term means the same as MUST. However we expect
                     at some point that this algorithm will no longer be
                     a MUST in a future document. Although its status
                     will be determined at a later time, it is
                     reasonable to expect that if a future revision of a
                     document alters the status of a MUST- algorithm, it
                     will remain at least a SHOULD or a SHOULD-.

The concept of SHOULD+ and MUST- is good, but SHOULD- is not useful 
and is confusing to implementers. In the current draft, there are 
only two items that are marked as SHOULD-:

       ENCR_DES_IV64            1         [RFC1827]       SHOULD-
       ENCR_DES                 2         [RFC2405]       SHOULD-

There is no good reason for DES to be a SHOULD or a SHOULD-. No one 
who cares about security would use it, and the only reason we see it 
in use in IPsec today is that it is still the MUST for IKEv1. Any use 
of DES should be a MAY.

If IKEv2 lists DES as MAY instead of SHOULD-, that will hasten the 
demise of the use of DES in environments that should be using 
stronger keys. An additional benefit would be to make this RFC more 
understandable.

(In less polite terms: let's finally dump DES from any level of requirement!)

--Paul Hoffman, Director
--VPN Consortium