ietf
[Top] [All Lists]

MUST implement AES-CBC for IPsec ESP

2007-01-17 08:03:49
During the IETF Last Call for draft-manral-ipsec-rfc4305-bis-errata, we received a comment that deserves wide exposure.

For ESP encryption algorithms, the document that was sent out for Last Call contains the following table:

      Requirement    Encryption Algorithm (notes)
      -----------    --------------------
      MUST           NULL (1)
      MUST-          TripleDES-CBC [RFC2451]
      SHOULD+        AES-CBC with 128-bit keys [RFC3602]
      SHOULD         AES-CTR [RFC3686]
      SHOULD NOT     DES-CBC [RFC2405] (3)

The Last Call comment suggests changing the "SHOULD+" for AES-CBC to "MUST."

I support this proposed change, and I have asked the author to make this change in the document that will be submitted to the IESG for consideration on the Telechat on January 25th. If anyone has an objection to this change, please speak now. Please send comments on this proposed change to the iesg(_at_)ietf(_dot_)org or ietf(_at_)ietf(_dot_)org mailing lists by 2007-01-24.

Russ Housley
Security AD


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf

<Prev in Thread] Current Thread [Next in Thread>