Sorry for the slow response; several things colluded to keep me
unavailable. For bonus fun, mutt crashed trying to send this so I get to
try to reconstruct from scrollback history. Hopefully nothing important
gets garbled along the way...
Do note that this is not really my area of expertise and
It seems like the conversation here stalled out a bit.
From my perspective, the feeling in the working group is that the functionality
described in the document for dealing with Split-DNS and DNSSEC is the best
thing we can do given enterprise deployment models, as long as it is clear that
Thanks for your comments Valery. The new version [1] has the two paragraphs
in the security considerations.
Yours,
Daniel
[1] https://datatracker.ietf.org/doc/draft-ietf-ipsecme-implicit-iv/
On Wed, Jun 27, 2018 at 3:26 AM, Valery Smyslov wrote:
> Hi Daniel,
>
>
>
> I still think the “NOT
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the IP Security Maintenance and Extensions WG of
the IETF.
Title : Implicit IV for Counter-based Ciphers in Encapsulating Security Payload (ESP)
Authors
Hi Daniel,
I still think the “NOT RECOMMENDED” wording is a bit confusing.
I’d suggest changing this paragraph to be more explicit:
As the IV must not repeat for one SA when Counter-Mode ciphers are
used, Implicit IV as described in this document MUST NOT be used in
setups with the