ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: MUST implement AES-CBC for IPsec ESP

2007-01-20 15:51:40
from [Lawrence Rosen] [Permanent Link] 
For ESP encryption algorithms, the document that was sent out for Last
Call contains the following table:

      Requirement    Encryption Algorithm (notes)
      -----------    --------------------
      MUST           NULL (1)
      MUST-          TripleDES-CBC [RFC2451]
      SHOULD+        AES-CBC with 128-bit keys [RFC3602]
      SHOULD         AES-CTR [RFC3686]
      SHOULD NOT     DES-CBC [RFC2405] (3)

The Last Call comment suggests changing the "SHOULD+" for AES-CBC to
"MUST."


Are any of these encryption algorithms patented?

/Larry Rosen

Lawrence Rosen
Rosenlaw & Einschlag, a technology law firm (www.rosenlaw.com)
Stanford University, Lecturer in Law
3001 King Ranch Road, Ukiah, CA 95482
707-485-1242 * cell: 707-478-8932 * fax: 707-485-1243
Skype: LawrenceRosen
Author of "Open Source Licensing: Software Freedom and 
                Intellectual Property Law" (Prentice Hall 2004)


-----Original Message-----
From: Lakshminath Dondeti [mailto:ldondeti(_at_)qualcomm(_dot_)com]
Sent: Saturday, January 20, 2007 1:35 PM
To: Russ Housley
Cc: ipsec(_at_)ietf(_dot_)org; saag(_at_)mit(_dot_)edu; 
ietf(_at_)ietf(_dot_)org
Subject: Re: MUST implement AES-CBC for IPsec ESP

What are the export implications due to this?  A compliant ESP
implementation MUST include the DES cipher due to this change.   With
status quo, a compliant ESP implementation can be used for integrity
protection alone with NULL encryption.

regards,
Lakshminath

Russ Housley wrote:

During the IETF Last Call for draft-manral-ipsec-rfc4305-bis-errata, we
received a comment that deserves wide exposure.

For ESP encryption algorithms, the document that was sent out for Last
Call contains the following table:

      Requirement    Encryption Algorithm (notes)
      -----------    --------------------
      MUST           NULL (1)
      MUST-          TripleDES-CBC [RFC2451]
      SHOULD+        AES-CBC with 128-bit keys [RFC3602]
      SHOULD         AES-CTR [RFC3686]
      SHOULD NOT     DES-CBC [RFC2405] (3)

The Last Call comment suggests changing the "SHOULD+" for AES-CBC to
"MUST."

I support this proposed change, and I have asked the author to make this
change in the document that will be submitted to the IESG for
consideration on the Telechat on January 25th.  If anyone has an
objection to this change, please speak now.  Please send comments on
this proposed change to the iesg(_at_)ietf(_dot_)org or 
ietf(_at_)ietf(_dot_)org mailing lists
by 2007-01-24.

Russ Housley
Security AD


_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf



_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf



_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: MUST implement AES-CBC for IPsec ESP, Lakshminath Dondeti
Next by Date:  [Ipsec] Re: MUST implement AES-CBC for IPsec ESP, Paul Hoffman
Previous by Thread:  Re: MUST implement AES-CBC for IPsec ESP, Lakshminath Dondeti
Next by Thread:  Re: MUST implement AES-CBC for IPsec ESP, Steven M. Bellovin
Indexes:  [Date] [Thread] [Top] [All Lists]