MUST implement AES-CBC for IPsec ESP



During the IETF Last Call for draft-manral-ipsec-rfc4305-bis-errata, we received a comment that deserves wide exposure.

For ESP encryption algorithms, the document that was sent out for Last Call contains the following table:

      Requirement    Encryption Algorithm (notes)
      -----------    --------------------
      MUST           NULL (1)
      MUST-          TripleDES-CBC [RFC2451]
      SHOULD+        AES-CBC with 128-bit keys [RFC3602]
      SHOULD         AES-CTR [RFC3686]
      SHOULD NOT     DES-CBC [RFC2405] (3)

The Last Call comment suggests changing the "SHOULD+" for AES-CBC to "MUST."

I support this proposed change, and I have asked the author to make this change in the document that will be submitted to the IESG for consideration on the Telechat on January 25th. If anyone has an objection to this change, please speak now. Please send comments on this proposed change to the iesg at ietf.org or ietf at ietf.org mailing lists by 2007-01-24.

Russ Housley
Security AD


_______________________________________________
Ietf mailing list
Ietf at ietf.org
https://www1.ietf.org/mailman/listinfo/ietf




Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.
