Paul Wouters writes:
> > Or we can change the reference column for those to point to
> > RFC8221/RFC8247 for those where they say it is MUST NOT.
> > That is something that is easy to do with just sending request to
> > iana.
>
> Either works, that was what we were trying to do :)
Ok, then I misunderstood what people were saying earlier, I understood
some people wanted to have similar new column that TLS had.
> > Earlier I understood that you wanted to add some new column there
> > which would add new information that is copied from RFC8221/8247.
>
> No, just having the registry confirm which things you should not
> implement is what I was looking for. Although there is one important
> difference with 8221/8246, which is what to do with MAY algorithms
> that we found no strong reason for to MUST NOT, but which should really
> be retired too. Like CAST for example. But I guess formally, a bis
> document should move those MAY's to MUST NOT.
Ok, so the following change would be better:
----------------------------------------------------------------------
In Bangkok we discussed that I would like to put reference to RFC8221
and RFC8247 to IKEv2 cryptographic algorithms registries. This would
include notes as follows:
--
In "Transform Type 1 - Encryption Algorithm Transform IDs" of
"Internet Key Exchange Version 2 (IKEv2) Parameters" add note as
follows:
To find out requirement levels for encryption algorithms for
ESP see RFC 8221, and for IKEv2 see RFC 8247.
Also as RFC8221 and RFC8247 marked some of those documents as MUST
NOT, we need to change the reference for those algorithms to refer to
those documents instead of the original documents. I.e., change
following algorithm references as follows:
                    ESP Reference   IKEv2 Reference
    ENCR_DES_IV64   [RFC8221]       -
    ENCR_DES        [RFC8221]       [RFC8247]
    ENCR_BLOWFISH   [RFC8221]       [RFC7296]
    ENCR_3IDEA      [RFC8221]       [RFC7296]
    ENCR_DES_IV32   [RFC8221]       -
I.e., for all of those algorithms change the ESP reference to RFC8221
which marks those algorithms as MUST NOT for ESP, and for ENCR_DES
change the reference for IKEv2 to RFC8247. For ENCR_DES_IV64,
ENCR_BLOWFISH, ENCR_3IDEA and ENCR_DES_IV32 keep the IKEv2 references
as they are now.
--
In "Transform Type 2 - Pseudorandom Function Transform IDs" of
"Internet Key Exchange Version 2 (IKEv2) Parameters" add note as
follows:
To find out requirement levels for PRFs for IKEv2 see RFC
8247.
Also as RFC8247 marked PRF_HMAC_MD5 as MUST NOT, we need to change the
reference for that to refer to RFC8247 instead of the original
documents. I.e., change following algorithm references as follows:
                    Reference
    PRF_HMAC_MD5    [RFC8247]
--
In "Transform Type 3 - Integrity Algorithm Transform IDs" of "Internet
Key Exchange Version 2 (IKEv2) Parameters" add note as follows:
To find out requirement levels for encryption algorithms for
ESP/AH see RFC 8221, and for IKEv2 see RFC 8247.
Also as RFC8221 and RFC8247 marked some of those documents as MUST
NOT, we need to change the reference for those algorithms to refer to
those documents instead of the original documents. I.e., change
following algorithm references as follows:
                        Reference
    AUTH_HMAC_MD5_96    [RFC8221][RFC8247]
    AUTH_DES_MAC        [RFC8221][RFC8247]
    AUTH_KPDK_MD5       [RFC8221][RFC8247]
--
In "Transform Type 4 - Diffie-Hellman Group Transform IDs" of
"Internet Key Exchange Version 2 (IKEv2) Parameters" add note as
follows:
To find out requirement levels for Diffie-Hellman groups for
IKEv2 see RFC 8247.
Also as RFC8247 marked some of those algorithms as MUST NOT, we need
to change the reference for those algorithms to refer to RFC8247
instead of the original documents. I.e., change following algorithm
references as follows:
                                                              Reference
    768-bit MODP Group                                        [RFC8247]
    1024-bit MODP Group with 160-bit Prime Order Subgroup     [RFC8247]
--
In "IKEv2 Authentication Method" of "Internet Key Exchange Version 2
(IKEv2) Parameters" add note as follows:
To find out requirement levels for IKEv2 authentication
methods see RFC 8247.
--
In "IKEv2 Notification IPCOMP Transform IDs (Value 16387)" of
"Internet Key Exchange Version 2 (IKEv2) Parameters" add note as
follows:
To find out requirement levels for IPCOMP methods see RFC
8221.
Also as RFC8221 marked IPCOMP_OUI as MUST NOT, we need to change the
reference for that to refer to RFC8221 instead of UNSPECIFIED. I.e.,
change following algorithm references as follows:
                    Reference
    IPCOMP_OUI      [RFC8221]
--
In "IKEv2 Hash Algorithms" of "Internet Key Exchange Version 2 (IKEv2)
Parameters" add note as follows:
To find out requirement levels for IKEv2 hash algorithms see
RFC 8247.
Also as RFC8247 marked SHA1 as MUST NOT, we need to change the
reference for that to refer to RFC8247 instead of the original
documents. I.e., change following algorithm references as follows:
                    Reference
    SHA1            [RFC8247]
--
[email protected]
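As an added illustration (not part of this thread or of any IETF document), the following Python checker turns the MUST NOT entries listed in the proposal above into an audit over an IKE SA or child SA transform set. It keeps the ESP/IKEv2 distinction the mail draws: ENCR_BLOWFISH, ENCR_3IDEA and the DES IV variants are MUST NOT for ESP via RFC 8221 but keep their IKEv2 references, while ENCR_DES is MUST NOT in both contexts. The transform-type labels, the Finding class, the context names and the sample proposals are my own constructions, and the table covers only the algorithms named in this mail, not the full RFC 8221/8247 requirement tables.

```python
"""Audit IKEv2 / ESP transform choices against the MUST NOT requirement
levels that the proposed registry notes point to: RFC 8221 for ESP/AH and
RFC 8247 for IKEv2.

Only the algorithms named in the mail are tabulated; anything else is
reported as "not covered by this table", never as acceptable.
"""
from dataclasses import dataclass

# Transform types, labelled after the registry sections quoted in the mail
# (labels are this example's own, not registry identifiers).
ENCR, PRF, INTEG, DH, IPCOMP, HASH = "ENCR", "PRF", "INTEG", "DH", "IPCOMP", "HASH"

# (transform type, algorithm) -> {context: RFC that marks it MUST NOT}.
# "ESP" is the RFC 8221 context (ESP and AH); "IKEv2" is the RFC 8247 context.
# The asymmetry the mail preserves is visible here: ENCR_DES is MUST NOT in
# both contexts, the other four encryption entries only for ESP.
MUST_NOT = {
    (ENCR, "ENCR_DES_IV64"): {"ESP": "RFC8221"},
    (ENCR, "ENCR_DES"): {"ESP": "RFC8221", "IKEv2": "RFC8247"},
    (ENCR, "ENCR_BLOWFISH"): {"ESP": "RFC8221"},
    (ENCR, "ENCR_3IDEA"): {"ESP": "RFC8221"},
    (ENCR, "ENCR_DES_IV32"): {"ESP": "RFC8221"},
    (PRF, "PRF_HMAC_MD5"): {"IKEv2": "RFC8247"},
    (INTEG, "AUTH_HMAC_MD5_96"): {"ESP": "RFC8221", "IKEv2": "RFC8247"},
    (INTEG, "AUTH_DES_MAC"): {"ESP": "RFC8221", "IKEv2": "RFC8247"},
    (INTEG, "AUTH_KPDK_MD5"): {"ESP": "RFC8221", "IKEv2": "RFC8247"},
    (DH, "768-bit MODP Group"): {"IKEv2": "RFC8247"},
    (DH, "1024-bit MODP Group with 160-bit Prime Order Subgroup"): {"IKEv2": "RFC8247"},
    (IPCOMP, "IPCOMP_OUI"): {"ESP": "RFC8221"},
    (HASH, "SHA1"): {"IKEv2": "RFC8247"},
}


@dataclass(frozen=True)
class Finding:
    context: str         # "ESP" or "IKEv2"
    transform_type: str  # one of the labels above
    algorithm: str       # registry algorithm name
    reference: str       # RFC that assigns the MUST NOT level


def audit(transforms, context):
    """Return (findings, not_covered) for a list of (type, algorithm) pairs.

    context is "ESP" for an ESP/AH child SA or "IKEv2" for the IKE SA itself.
    An algorithm that is MUST NOT in the other context only is not a finding.
    """
    if context not in ("ESP", "IKEv2"):
        raise ValueError(f"unknown context {context!r}")
    findings, not_covered = [], []
    for ttype, alg in transforms:
        levels = MUST_NOT.get((ttype, alg))
        if levels is None:
            not_covered.append((ttype, alg))
        elif context in levels:
            findings.append(Finding(context, ttype, alg, levels[context]))
    return findings, not_covered


def report(transforms, context):
    """One human-readable line per MUST NOT hit."""
    findings, _ = audit(transforms, context)
    return [f"{f.context}: {f.transform_type} {f.algorithm} is MUST NOT ({f.reference})"
            for f in findings]


if __name__ == "__main__":
    # Constructed sample proposals for a legacy-looking configuration.
    ike_sa = [(ENCR, "ENCR_DES"), (PRF, "PRF_HMAC_MD5"),
              (INTEG, "AUTH_HMAC_MD5_96"), (DH, "768-bit MODP Group")]
    child_sa = [(ENCR, "ENCR_BLOWFISH"), (INTEG, "AUTH_HMAC_SHA1_96")]
    for line in report(ike_sa, "IKEv2") + report(child_sa, "ESP"):
        print(line)
```

Running the block as a script lists four IKE SA hits against RFC 8247 and one child SA hit (Blowfish) against RFC 8221; AUTH_HMAC_SHA1_96 lands in the not-covered list because the mail does not mention it, which is the conservative outcome for anything outside the tabulated set.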
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec