Paul Wouters writes:
> On Tue, 29 Jan 2019, Tero Kivinen wrote:
>
> > In "Transform Type 2 - Pseudorandom Function Transform IDs" of
> > "Internet Key Exchange Version 2 (IKEv2) Parameters" add note as
> > follows:
> >
> > To find out requirement levels for PRFs for IKEv2 see RFC
> > 8247.
>
> Requirement for what? I don't think the IANA reader will know these
> are vendor build support requirements, and not default case runtime
> requirements ?
The IANA registry is only for vendors; normal users should never need to check it. Why would some user need to know that PRF_HMAC_SHA1 maps to number 2 on the wire? Only vendors need that information. If users require that information there is something seriously wrong with the user interface of the implementation. Anyway, RFC8247 does explain that already:

----------------------------------------------------------------------
1.4. Document Audience

The recommendations of this document mostly target IKEv2 implementers who need to create implementations that meet both high security expectations as well as high interoperability between various vendors and with different versions. Interoperability requires a smooth move to more secure cipher suites. This may differ from a user point of view that may deploy and configure IKEv2 with only the safest cipher suite.

This document does not give any recommendations for the use of algorithms, it only gives implementation recommendations regarding implementations. The use of algorithms by a specific user is dictated by their own security policy requirements, which are outside the scope of this document.
----------------------------------------------------------------------

If we add any recommendations for algorithms in the IANA registry we would also need to include such an explanation there, and I do not think we want to copy RFC8247 to the IANA registry.

> I don't object, but I obviously think it is better for implementers
> to be able to look at the IANA registry with clickable references
> to the RFC that obsoleted/deprecated an algorithm.

Sure. Write draft-ietf-ipsecme-ikev2-des-md5-die-die-die and we can use that RFC number for them. Or we can change the reference column for those to point to RFC8221/RFC8247 for those where they say it is MUST NOT. That is something that is easy to do with just sending a request to IANA.
Earlier I understood that you wanted to add some new column there which would add new information that is copied from RFC8221/8247.

--
[email protected]

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
