
Re: SHOULD NOT DES (was RE: Editorial: Use of MAY...)

> The FreeS/WAN project dropped single-DES support over four years ago, at
> management insistence.  This caused surprisingly few interoperability
> problems.  (There were one or two.)  I think it is now quite safe to say
> that DES-only environments involve either obsolete software or specialized
> requirements -- a perfect case for SHOULD NOT.

It appears that the US government agrees with your management on this.

Section 12 of FIPS 46-3 (issued in 1999) says, in part:

   Single DES (i.e., DES) will be permitted for legacy systems only. New
   procurements to support legacy systems should, where feasible, use
   Triple DES products running in the single DES configuration.

Since there is no installed base of IKEv2 to interoperate with, this
FIPS would appear to prohibit use of single-DES with IKEv2 for
government use.

One more vote for SHOULD NOT.

						- Bill
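Added example, not from this thread or its author: a small Go check of what the FIPS wording "Triple DES products running in the single DES configuration" means in practice. An EDE Triple DES key K1||K2||K3 collapses to single DES whenever K1 == K2 or K2 == K3, so a policy that forbids single DES also has to reject such keys; the sample keys below are constructed.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// effectiveSingleDESKey returns the 8-byte key under which a 24-byte EDE
// Triple DES key K1||K2||K3, computing E_K3(D_K2(E_K1(x))), is plain single
// DES, or nil when the subkeys are independent: K1 == K2 cancels the first
// two stages (E_K3 remains), K2 == K3 cancels the last two (E_K1 remains).
func effectiveSingleDESKey(key []byte) []byte {
	if len(key) != 24 {
		return nil
	}
	k1, k2, k3 := key[0:8], key[8:16], key[16:24]
	switch {
	case bytes.Equal(k2, k3):
		return k1
	case bytes.Equal(k1, k2):
		return k3
	}
	return nil
}

// sameAsSingleDES confirms the reduction on one block (false on bad key sizes).
func sameAsSingleDES(tdesKey, desKey, block []byte) bool {
	tdes, err1 := des.NewTripleDESCipher(tdesKey)
	single, err2 := des.NewCipher(desKey)
	if err1 != nil || err2 != nil {
		return false
	}
	var a, b [8]byte
	tdes.Encrypt(a[:], block)
	single.Encrypt(b[:], block)
	return a == b
}

func main() {
	legacy := []byte("0123456701234567abcdefgh") // constructed, K1 == K2
	proper := []byte("0123456789abcdefFEDCBA98") // constructed, distinct
	for _, k := range [][]byte{legacy, proper} {
		if eff := effectiveSingleDESKey(k); eff == nil {
			fmt.Printf("key %q: genuine Triple DES\n", k)
		} else {
			fmt.Printf("key %q: single DES under %q (verified: %v)\n", k, eff, sameAsSingleDES(k, eff, []byte("blockblk")))
		}
	}
}
```

The subkey comparison is on raw bytes, so two subkeys that differ only in their DES parity bits (and are therefore the same effective key) are not caught; mask the low bit of each byte before comparing if that matters in your deployment.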