This version includes changes from the WGLC. Changes include:
- In section 1.2 changed the "set to MAY" to "denoted here as MAY" (Yaron). - Added text to end of 1.2: "Requirement levels that are marked as "IoT" apply to IoT devices and to server-side implementations that might presumably need to interoperate with them, including any general- purpose VPN gateways." (Yaron). - Removed text from section 1.3 saying that recommendations are useful for users, i.e., the text now says: "On the other hand, comments from this document are also expected to be useful for such users.". I.e., this tries to clarify that recommendations are for implementors, the comments for algorithms are something that are useful for users too. (Quynh) - Reformatted the AUTH_DES_MAC text a bit. Mention that both MD5 and DES are being deprecated. Even if the last sentence only covers MD5 it does not matter, as it clearly says that sentence covers MD5 only. (Yaron) Current text is AUTH_DES_MAC, AUTH_HMAC_MD5_96, and AUTH_KPDK_MD5 were not mentioned in RFC4307 so their default status ware MAY. They have been downgraded to MUST NOT. There is an industry-wide trend to deprecate DES and MD5. MD5 support is being removed from cryptographic libraries in general because its non-HMAC use is known to be subject to collision attacks, for example as mentioned in [TRANSCRIPTION]. - Changed 4.2 text has been changed to clarify that all these are only for "Digital Signatures authentication method" (Valery) - Changed RSASSA-PSS with SHA-256 to MUST from SHOULD as now it is clear that this table is only applied if Digital Signature authentication method is implemented. (Valery) [email protected] writes: > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the IP Security Maintenance and Extensions of > the IETF. > > Title : Algorithm Implementation Requirements and Usage > Guidance for IKEv2 > Authors : Yoav Nir > Tero Kivinen > Paul Wouters > Daniel Migault > Filename : draft-ietf-ipsecme-rfc4307bis-08.txt > Pages : 16 > Date : 2016-05-11 > > Abstract: > The IPsec series of protocols makes use of various cryptographic > algorithms in order to provide security services. The Internet Key > Exchange (IKE) protocol is used to negotiate the IPsec Security > Association (IPsec SA) parameters, such as which algorithms should be > used. To ensure interoperability between different implementations, > it is necessary to specify a set of algorithm implementation > requirements and usage guidance to ensure that there is at least one > algorithm that all implementations support. This document defines > the current algorithm implementation requirements and usage guidance > for IKEv2. This document does not update the algorithms used for > packet encryption using IPsec Encapsulated Security Payload (ESP). > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-ipsecme-rfc4307bis/ > > There's also a htmlized version available at: > https://tools.ietf.org/html/draft-ietf-ipsecme-rfc4307bis-08 > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-rfc4307bis-08 > > > Please note that it may take a couple of minutes from the time of submission > until the htmlized version and diff are available at tools.ietf.org. > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > _______________________________________________ > IPsec mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/ipsec -- [email protected] _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
