On Wed, 11 May 2016, Dang, Quynh (Fed) wrote:
As I explained before, the group numbers 5 and 2 should become "MUST NOT" because they don't provide 112 bits of security.
Checking RFC 4307, group 2 was MUST- so it should go to SHOULD NOT but _maybe_ can go to MUST NOT. For some reason, group 5 was not listed in RFC 4307, so it mist have been a MAY, which would allow us to go to MUST NOT. But it would be weird to have group 2 SHOULD NOT and group 5 MUST NOT. Personally, I have no problem with IKEv2 dropping group 2/5. All IKEv2 clients should have defaulted to group 14 for years now. Obviously, I won't kick group 2/5 out of IKEv1.
And, all signatures with SHA1 should become "MUST NOT".
SHA1 was a MUST, so we cannot go to MUST NOT. Instead of MUST- we could go to SHOULD NOT. But I don't know how widespread SHA1 is with IKEv2. Paul _______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
