Hi,

The IPsec and IKE document roadmap (RFC 6071) is a good summary about the required crypto-algorithms, among other things.

Bill Fischofer wrote:
> On Wed, May 17, 2017 at 7:07 PM, Dmitry Eremin-Solenikov <
> [email protected]> wrote:
>
> > I think, linux-generic should support the following algorithms:
> >
> > Cipher:
> >
> > - AES-CBC (MUST)
> > - AES-CTR (MAY)
> > - 3DES-CBC (MAY)
> >
>
> 3DES appears to be nearing end of life, especially with the recent sweet32
> [1] attacks so this may be more of a "nice to have", though I see no harm
> in including it for compatibility. I doubt if many new ODP applications
> would use 3DES in preference to AES at this point.
>

3DES-CBC is still mandatory in IPsec so it is good to keep it. And besides that, new ODP applications may have to interoperate with other systems in existing network deployments that may still use some of the older algorithms. I think the benefit of removing an existing algorithm implementation is small compared to the trouble it could cause in these cases.

> > Auth:
> >
> > - HMAC-SHA1 (MUST)
> > - HMAC-SHA256/384/512 (optional)
> > - HMAC-MD5 (unspecified, was MAY)
> >
>
> MD5 is already deprecated [2], and SHA-1 doesn't seem to have long to live
> either [2]. Enough people still use SHA-1 that it seems we should support
> it but I think it is safe to drop MD5 support at this point.

HMAC-MD5-96 is optional (MAY) and HMAC-SHA-1-96 is mandatory (MUST) in IPsec. The weaknesses of MD5 used as a hash do not necessarily affect HMAC-MD5. See RFC 4835, RFC 6151. The point about interoperability also applies.

Janne

> [1] https://www.openssl.org/blog/blog/2016/08/24/sweet32/
> [2] https://www.nsrl.nist.gov/collision.html
> [3] http://csrc.nist.gov/groups/ST/hash/policy.html
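The HMAC-MD5-96 and HMAC-SHA-1-96 transforms named above differ from plain HMAC-MD5/HMAC-SHA1 only in keeping the first 96 bits of the tag as the ESP ICV (RFC 2403/2404). The following is an added illustration, not code from the thread or from ODP's linux-generic; the SPI, sequence number, key and packet body are constructed values, and the known-answer inputs are the first test case of RFC 2202.

```python
import hmac
import hashlib
import struct

# Both HMAC-MD5-96 (RFC 2403) and HMAC-SHA-1-96 (RFC 2404) keep only the
# first 96 bits (12 bytes) of the HMAC output as the ESP/AH ICV.
ICV_LEN = 12

# The two auth transforms discussed in the thread and the hash each wraps.
AUTH_ALGS = {
    "HMAC-MD5-96": hashlib.md5,
    "HMAC-SHA-1-96": hashlib.sha1,
}


def truncated_hmac(alg, key, data):
    """Full HMAC over data, truncated to the 96-bit ICV length."""
    return hmac.new(key, data, AUTH_ALGS[alg]).digest()[:ICV_LEN]


def esp_icv(alg, key, spi, seq, encrypted_body):
    """ICV over the authenticated part of an ESP packet: the 32-bit SPI,
    the 32-bit sequence number and the already-encrypted payload+trailer."""
    return truncated_hmac(alg, key, struct.pack("!II", spi, seq) + encrypted_body)


def verify_esp_icv(alg, key, spi, seq, encrypted_body, icv):
    """Constant-time comparison so the check does not leak via timing."""
    return hmac.compare_digest(esp_icv(alg, key, spi, seq, encrypted_body), icv)


def rfc2202_known_answers():
    """First RFC 2202 test case for each HMAC, truncated to 96 bits."""
    return (
        truncated_hmac("HMAC-MD5-96", b"\x0b" * 16, b"Hi There").hex(),
        truncated_hmac("HMAC-SHA-1-96", b"\x0b" * 20, b"Hi There").hex(),
    )


def demo():
    """Constructed ESP fields (not real traffic): sign, verify, then show that
    a modified body or a replayed-with-different-sequence packet fails."""
    key = bytes(range(20))                # constructed 160-bit key
    spi, seq = 0x00001000, 1              # constructed SPI and sequence number
    body = b"\x00" * 16 + b"\x02\x04"     # constructed ciphertext + pad-len/next-header
    icv = esp_icv("HMAC-SHA-1-96", key, spi, seq, body)
    ok = verify_esp_icv("HMAC-SHA-1-96", key, spi, seq, body, icv)
    tampered = verify_esp_icv("HMAC-SHA-1-96", key, spi, seq, body[:-1] + b"\x03", icv)
    replayed = verify_esp_icv("HMAC-SHA-1-96", key, spi, seq + 1, body, icv)
    return len(icv), ok, tampered, replayed


if __name__ == "__main__":
    print(demo())  # (12, True, False, False)
```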
