Re: I-D ACTION:draft-ietf-ipsec-esp-ah-algorithms-00.txt

[Paul Hoffman / VPNC <paul.hoffman@vpnc.org>]

At 5:09 PM -0800 12/18/03, chris stillson wrote:
>The +/- distinction is splitting hairs. MUST/SHOULD/MAY are enough to
>convey any distinctions.

Errrr, the WG already agreed to these when we moved 
draft-ietf-ipsec-ikev2-algorithms-04.txt out of the WG. The use in 
this draft seems identical (other than the gratuitous SHOULD NOT for 
DES).

>  Also, although MD5 has some know problems,
>the fact that it's faster than SHA1 and provides enough security for
>most uses implies that it should be a "SHOULD", if not a "MUST"

The fact is that MD5 doesn't have the strength of SHA-1 (128 bits vs 
160 bits). That is why SHA-1 is preferred in this context.

>Also, AES-CBC should be a "MUST".

This was discussed many times on the mailing list before WG last call 
on the main algorithms document. When they all go into IETF Last 
Call, you might want to bring it up again, but it would be a Really 
Bad Thing to have the AH and ESP document have different requirements 
than the algorithms document.

--Paul Hoffman, Director
--VPN Consortium