Suggested wording for weak key lengths in IKEv2
Greetings again. Now that the WG last call is finished, it seems
like having proposed wording might help resolve some of the open
issues on Angelos' issue list. (You all are watching
<https://roundup.machshav.com/ipsec/index>, yes?)
The issue that has the most issue numbers is the deprecating DES and
weak keys issue in the ipsec-ikev2-algorithms document. To resolve
it, I propose the following changes for section 4.1.3:
- ENCR_DES_IV64 and ENCR_DES be listed as "SHOULD NOT"
- A sentence be added to the end of that section as a free-standing
paragraph that says: "Implementations that use algorithms with
variable-length keys SHOULD NOT use keys that are weaker than the
effective strength of ENCR_3DES."
If we do this, we can eliminate the definition of "SHOULD-", because
it was only used for the two DES algorithms.
--Paul Hoffman, Director
--VPN Consortium
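
The check the proposed wording implies, as an added example that is not part of the original message or of any IKEv2 implementation: it walks the Transform substructures of an SA proposal and flags the two DES transforms and any Key Length attribute below the 3DES floor. Assumptions: the wire layout and transform IDs are those of the published IKEv2 specification (RFC 7296, section 3.3), the effective strength of ENCR_3DES is taken as 112 bits, the nominal key length stands in for effective strength, and the names `parse_transforms`, `audit`, `build` and `SAMPLE` are hypothetical.

```python
import struct

# Transform Type 1 (encryption) IDs from the IANA IKEv2 registry.
ENCR = {1: "ENCR_DES_IV64", 2: "ENCR_DES", 3: "ENCR_3DES",
        7: "ENCR_BLOWFISH", 12: "ENCR_AES_CBC"}
SHOULD_NOT = {"ENCR_DES_IV64", "ENCR_DES"}
MIN_EFFECTIVE_BITS = 112  # assumption: three-key 3DES rated at 112 bits
KEY_LENGTH_ATTR = 14      # Key Length attribute type

def parse_transforms(buf):
    """Yield (transform_type, transform_id, key_bits or None) per substructure."""
    off, more = 0, 3
    while more and off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated transform header")
        more, _, length, ttype, _, tid = struct.unpack_from("!BBHBBH", buf, off)
        if length < 8 or off + length > len(buf):
            raise ValueError("bad transform length")
        key_bits, attrs, pos = None, buf[off + 8:off + length], 0
        while pos + 4 <= len(attrs):
            atype, aval = struct.unpack_from("!HH", attrs, pos)
            if atype & 0x8000:  # AF bit set: fixed 2-byte value
                if atype & 0x7FFF == KEY_LENGTH_ATTR:
                    key_bits = aval
                pos += 4
            else:               # AF bit clear: aval is the value length
                pos += 4 + aval
        yield ttype, tid, key_bits
        off += length

def audit(buf):
    """Return (name, key_bits, reason) for each discouraged encryption transform."""
    findings = []
    for ttype, tid, key_bits in parse_transforms(buf):
        if ttype != 1:
            continue
        name = ENCR.get(tid, f"ENCR_{tid}")
        if name in SHOULD_NOT:
            findings.append((name, key_bits, "SHOULD NOT: DES"))
        elif key_bits is not None and key_bits < MIN_EFFECTIVE_BITS:
            findings.append((name, key_bits, "SHOULD NOT: weaker than ENCR_3DES"))
    return findings

def build(more, ttype, tid, key_bits=None):
    """Encode one Transform substructure (used only to make the sample)."""
    attrs = struct.pack("!HH", 0x8000 | KEY_LENGTH_ATTR, key_bits) if key_bits else b""
    return struct.pack("!BBHBBH", more, 0, 8 + len(attrs), ttype, 0, tid) + attrs

# Constructed sample: DES, 64-bit Blowfish, 128-bit AES-CBC, 3DES.
SAMPLE = build(3, 1, 2) + build(3, 1, 7, 64) + build(3, 1, 12, 128) + build(0, 1, 3)
```

Calling `audit(SAMPLE)` reports ENCR_DES and the 64-bit ENCR_BLOWFISH transform and passes the other two.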