On Thu, 8 Dec 2016, Tero Kivinen wrote:

>> How about a new section between section 2 and 3:
>>
>> Manual Keying
>>
>> Manual Keying should not be used as it is inherently dangerous. Without
>> any keying protocol, it does not offer Perfect Forward Secrecy
>> protection. Deployments tend to never be reconfigured with fresh session
>> keys. It also fails to scale, and keeping SPIs unique amongst many servers
>> is impractical. This document was written for deploying ESP/AH using IKE
>> (RFC7298) and assumes that keying happens using IKEv2.
>>
>> If manual keying is used anyway, ENCR_AES_CBC MUST be used, and
>> ENCR_AES_CCM, ENCR_AES_GCM and ENCR_CHACHA20_POLY1305 MUST NOT
>> be used as these algorithms require IKE.
>
> I think that kind of addition to the rfc7321bis would be in order. Can
> you add that text and resubmit?
>
>> [note the first "should not" is in lower case on purpose, so we don't
>> actually need to update 4301]
>
> Perhaps not using the word "should" is better. Something like "Manual
> Keying is not to be used as ...". Then we do not need to explain why
> it is not uppercase SHOULD...

done:

https://www.ietf.org/rfcdiff?url2=draft-ietf-ipsecme-rfc7321bis-01

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec