Russ has 3 points in his DISCUSS on the Node Requirements. Here are the resolution for them, I need to check with the WG if these proporsals are OK:
Russ Housley: Discuss: I had many, many comments on section 8.3. My comments were longer than the section itself. Given that, I decided to provide replacement text instead of the comments. The basis of most of these changes is alignment with draft-ietf-ipsec-esp-ah-algorithms-01, which is has just been forwarded to the IESG by the IPsec WG. Here is my proposed text: Current IPsec RFCs specify the support of transforms and algorithms for use with AH and ESP: NULL encryption, DES-CBC, HMAC-SHA-1-96, and HMAC-MD5-96. However, "Cryptographic Algorithm Implementation Requirements For ESP And AH" [CRYPTREQ] contains the current set of mandatory to implement algorithms for ESP and AH. It also specifies algorithms that should be implemented because they are likely to be promoted to mandatory at some future time. IPv6 nodes SHOULD conform to the requirements in [CRYPTREQ] as well as the requirements specified below. Since ESP encryption and authentication are both optional, support for the NULL encryption algorithm [RFC-2410] and the NULL authentication algorithm [RFC-2406] MUST be provided to maintain consistency with the way these services are negotiated. However, while authentication and encryption can each be NULL, they MUST NOT both be NULL. The NULL encryption algorithm is also useful for debugging. The DES-CBC encryption algorithm [RFC-2405] SHOULD NOT be supported within ESP. Security issues related to the use of DES are discussed in [DESDIFF], [DESINT], [DESCRACK]. DES-CBC is still listed as required by the existing IPsec RFCs, but updates to these RFCs will be published soon. DES provides 56 bits of protection, which is no longer considered sufficient. The use of HMAC-SHA-1-96 algorithm [RFC-2404] within AH and ESP MUST be supported. The use of HMAC-MD5-96 algorithm [RFC-2403] within AH and ESP MAY also be supported. The 3DES-CBC encryption algorithm [RFC-2451] does not suffer from the same security issues as DES-CBC, and the 3DES-CBC algorithm within ESP MUST MUST be supported to ensure interoperability. The AES-128-CBC algorithm [RFC-3602] MUST also be supported within ESP. AES-128 is expected to be a widely available, secure, and efficient algorithm. While AES-128-CBC is not required by the current IPsec RFCs, it is expected to become required in the future. -------------------------------------------------------------------- IETF IPv6 working group mailing list [EMAIL PROTECTED] Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------