Hi Paul,

We should explain that the current MTI group is group 2. However, users shall not use that group and the group. We should create a similar statement for SHA1 in signatures.

If a system has an interoperability issue with the requirement, a user needs to upgrade his or her system. If she or he ignores our requirement/recommendation and uses group 2 (or group 5), none of us can stop them from doing that, and our requirement would become a great reminder to her or him that what he or she is doing is bad and does not comply with our recommendations.

Regards,
Quynh.

________________________________________
From: Paul Wouters <[email protected]>
Sent: Wednesday, May 11, 2016 11:50:09 AM
To: Dang, Quynh (Fed)
Cc: IPsecME WG
Subject: Re: [IPsec] I-D Action: draft-ietf-ipsecme-rfc4307bis-08.txt

On Wed, 11 May 2016, Dang, Quynh (Fed) wrote:

> As I explained before, the group numbers 5 and 2 should become "MUST NOT"
> because they don't provide 112 bits of security.

Checking RFC 4307, group 2 was MUST-, so it should go to SHOULD NOT but _maybe_ can go to MUST NOT. For some reason, group 5 was not listed in RFC 4307, so it must have been a MAY, which would allow us to go to MUST NOT. But it would be weird to have group 2 SHOULD NOT and group 5 MUST NOT.

Personally, I have no problem with IKEv2 dropping group 2/5. All IKEv2 clients should have defaulted to group 14 for years now. Obviously, I won't kick group 2/5 out of IKEv1.

> And, all signatures with SHA1 should become "MUST NOT".

SHA1 was a MUST, so we cannot go to MUST NOT. Instead of MUST- we could go to SHOULD NOT. But I don't know how widespread SHA1 is with IKEv2.

Paul

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
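The thread's point about groups 2 and 5 falling short of 112 bits of security, and clients defaulting to group 14, can be turned into a configuration check. The following is an added example, not code from the thread, from rfc4307bis, or from any IKE implementation: it parses the proposal substructures of an IKEv2 SA payload (layout per RFC 7296, Section 3.3) and reports every proposal that offers a MODP group smaller than 2048 bits, the smallest finite-field size that SP 800-57 tabulates at 112-bit strength. The MODP sizes come from RFC 2409 (group 2) and RFC 3526 (groups 5, 14-18); the sample payload bytes are constructed here. It covers only the D-H transform, not the SHA1-in-signatures question, which lives in the AUTH payload rather than the SA payload.

```python
import struct

# IKEv2 SA payload constants (RFC 7296, Section 3.3).
TRANSFORM_TYPE_DH = 4       # Diffie-Hellman group transform type
PROTO_IKE = 1               # Protocol ID for IKE proposals
MORE_PROPOSALS = 2          # "Last Substruc" value: another proposal follows
MORE_TRANSFORMS = 3         # "Last Substruc" value: another transform follows

# MODP modulus sizes: group 2 from RFC 2409, groups 5 and 14-18 from RFC 3526.
MODP_BITS = {2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096, 17: 6144, 18: 8192}

# SP 800-57 Part 1 lists 112-bit strength for 2048-bit finite-field groups;
# anything smaller (groups 2 and 5 in the thread) does not reach that floor.
MIN_MODP_BITS_FOR_112 = 2048


def parse_proposals(sa_body):
    """Parse proposals from an SA payload body (generic payload header
    already removed). Returns [(proposal_num, protocol_id, [(ttype, tid), ...])]."""
    proposals = []
    off = 0
    while off < len(sa_body):
        last, _, plen, pnum, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", sa_body, off)
        end = off + plen
        if plen < 8 or end > len(sa_body):
            raise ValueError("truncated proposal")
        toff = off + 8 + spi_size           # skip the (possibly empty) SPI
        transforms = []
        for _ in range(ntrans):
            tlast, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", sa_body, toff)
            if tlen < 8 or toff + tlen > end:
                raise ValueError("truncated transform")
            transforms.append((ttype, tid))
            toff += tlen                    # tlen covers any attributes too
            if tlast != MORE_TRANSFORMS:
                break
        proposals.append((pnum, proto, transforms))
        off = end
        if last != MORE_PROPOSALS:
            break
    return proposals


def weak_dh_findings(sa_body):
    """One finding (proposal_num, group_id, modulus_bits) per proposal whose
    MODP group is below the 112-bit floor discussed in the thread."""
    findings = []
    for pnum, _proto, transforms in parse_proposals(sa_body):
        for ttype, tid in transforms:
            if ttype != TRANSFORM_TYPE_DH:
                continue
            bits = MODP_BITS.get(tid)
            if bits is not None and bits < MIN_MODP_BITS_FOR_112:
                findings.append((pnum, tid, bits))
    return findings


# --- builders for the constructed sample payload (not protocol code) ---

def build_transform(ttype, tid, attrs=b"", last=False):
    return struct.pack("!BBHBBH", 0 if last else MORE_TRANSFORMS, 0,
                       8 + len(attrs), ttype, 0, tid) + attrs


def build_proposal(pnum, transforms, last=False):
    body = b"".join(build_transform(t, i, a, last=(k == len(transforms) - 1))
                    for k, (t, i, a) in enumerate(transforms))
    return struct.pack("!BBHBBBB", 0 if last else MORE_PROPOSALS, 0,
                       8 + len(body), pnum, PROTO_IKE, 0, len(transforms)) + body


def sample_sa_body():
    """Constructed SA payload: AES-CBC-256 / HMAC-SHA2-256 with three
    different D-H groups (14, 2, 5). Transform IDs per RFC 7296/4868."""
    keylen_256 = struct.pack("!HH", 0x800E, 256)   # Key Length attribute, AF=1
    def suite(dh_group):
        return [(1, 12, keylen_256),    # ENCR_AES_CBC, 256-bit key
                (2, 5, b""),           # PRF_HMAC_SHA2_256
                (3, 12, b""),          # AUTH_HMAC_SHA2_256_128
                (4, dh_group, b"")]    # D-H group
    return (build_proposal(1, suite(14)) +
            build_proposal(2, suite(2)) +
            build_proposal(3, suite(5), last=True))


if __name__ == "__main__":
    for pnum, group, bits in weak_dh_findings(sample_sa_body()):
        print(f"proposal {pnum}: MODP group {group} ({bits}-bit) is below 112-bit strength")
```

Run on a captured SA payload, the audit flags proposals 2 and 3 of the sample (groups 2 and 5) and accepts proposal 1 (group 14), which is the split Paul describes between what clients should default to and what rfc4307bis is moving away from.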
