It's less about what is deprecated and more about what HW support is available on already deployed solutions.
On 18 May 2017 at 10:27, Peltonen, Janne (Nokia - FI/Espoo) <[email protected]> wrote:
> Hi,
>
> The IPsec and IKE document roadmap (RFC 6071) is a good summary about
> the required crypto-algorithms, among other things.
>
> Bill Fischofer wrote:
>> On Wed, May 17, 2017 at 7:07 PM, Dmitry Eremin-Solenikov <
>> [email protected]> wrote:
>>
>> > I think, linux-generic should support the following algorithms:
>> >
>> > Cipher:
>> >
>> > - AES-CBC (MUST)
>> > - AES-CTR (MAY)
>> > - 3DES-CBC (MAY)
>> >
>>
>> 3DES appears to be nearing end of life, especially with the recent sweet32
>> [1] attacks so this may be more of a "nice to have", though I see no harm
>> in including it for compatibility. I doubt if many new ODP applications
>> would use 3DES in preference to AES at this point.
>>
>
> 3DES-CBC is still mandatory in IPsec so it is good to keep it.
>
> And besides that, new ODP applications may have to interoperate with
> other systems in existing network deployments that may still use some
> of the older algorithms. I think the benefit of removing an existing
> algorithm implementation is small compared to the trouble it could
> cause in these cases.
>
>> >
>> > Auth:
>> >
>> > - HMAC-SHA1 (MUST)
>> > - HMAC-SHA256/384/512 (optional)
>> > - HMAC-MD5 (unspecified, was MAY)
>> >
>>
>> MD5 is already deprecated [2], and SHA-1 doesn't seem to have long to live
>> either [2]. Enough people still use SHA-1 that it seems we should support
>> it but I think it is safe to drop MD5 support at this point.
>
> HMAC-MD5-96 is optional (MAY) and HMAC-SHA-1-96 is mandatory (MUST) in IPsec.
> The weaknesses of MD5 used as a hash do not necessarily affect HMAC-MD5.
> See RFC 4835, RFC 6151.
>
> The point about interoperability also applies.
>
> Janne
>
>> [1] https://www.openssl.org/blog/blog/2016/08/24/sweet32/
>> [2] https://www.nsrl.nist.gov/collision.html
>> [3] http://csrc.nist.gov/groups/ST/hash/policy.html
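Bill's sweet32 remark above is a birthday-bound argument about 64-bit blocks: in CBC mode, two equal ciphertext blocks leak the XOR of the corresponding plaintext blocks, and the chance of such a repeat under one key grows with the square of the data volume. The Python below is added here as an illustration (it is not code from this thread or from ODP) and works that bound through for the ciphers in Dmitry's list, so the difference between keeping 3DES for interoperability and using it for bulk traffic can be seen in numbers. The function names, the 50% and 2^-32 probability thresholds, and the 40 GiB sample traffic figure are this example's own assumptions.

```python
from fractions import Fraction
from math import isqrt

# Block sizes of the ciphers discussed in the thread.
BLOCK_BITS = {"3DES-CBC": 64, "AES-CBC": 128, "AES-CTR": 128}


def blocks_before_collision(block_bits: int, max_prob) -> int:
    """Largest number of blocks n that can be processed under one key while
    the birthday-bound probability of two equal ciphertext blocks, using the
    standard approximation n^2 / 2^(block_bits + 1), stays <= max_prob.
    Exact integer arithmetic so 128-bit blocks do not lose precision in a float."""
    budget = Fraction(max_prob) * (2 ** (block_bits + 1))
    return isqrt(int(budget))


def bytes_before_collision(block_bits: int, max_prob) -> int:
    """The same bound expressed in bytes of plaintext under a single key."""
    return blocks_before_collision(block_bits, max_prob) * (block_bits // 8)


def rekey_needed(bytes_sent: int, block_bits: int, max_prob) -> bool:
    """True once an SA has carried more data than the chosen collision budget
    allows; a policy hook (assumed, not an ODP API) for forcing a rekey
    before the bound is reached."""
    return bytes_sent > bytes_before_collision(block_bits, max_prob)


def _human(n: float) -> str:
    """Render a byte count with binary prefixes for the summary table."""
    for unit in ("B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB"):
        if n < 1024:
            return f"{n:.0f} {unit}"
        n /= 1024
    return f"{n:.0f} ZiB"


if __name__ == "__main__":
    # 1/2 is the classic "32 GB for 64-bit blocks" figure; 2^-32 is a much
    # more conservative budget of the kind a cautious deployment might pick.
    for prob in (Fraction(1, 2), Fraction(1, 2 ** 32)):
        print(f"collision probability <= {prob}:")
        for name, bits in BLOCK_BITS.items():
            print(f"  {name:9s} {_human(bytes_before_collision(bits, prob))} per key")
    # Constructed scenario: 40 GiB moved under one key. With 64-bit blocks the
    # 50% birthday bound is already behind us; with 128-bit blocks it is not.
    print(rekey_needed(40 * 2 ** 30, 64, Fraction(1, 2)))   # True
    print(rekey_needed(40 * 2 ** 30, 128, Fraction(1, 2)))  # False
```

At the 50% threshold the 64-bit block size gives 2^32 blocks, i.e. 32 GiB, per key, while AES's 128-bit blocks give 2^64 blocks; the per-key data limit, not the key length, is what makes 3DES a poor choice for high-volume SAs even though it remains fine for interoperating with older peers.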
