Re: [IPsec] AD review of draft-ietf-ipsecme-ikev1-algo-to-historic-06
Paul Wouters <paul@nohats.ca> Tue, 11 October 2022 20:16 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EBC5C14CE39 for <ipsec@ietfa.amsl.com>; Tue, 11 Oct 2022 13:16:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zeJdxy9XT7iH for <ipsec@ietfa.amsl.com>; Tue, 11 Oct 2022 13:16:26 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A91A7C14CE31 for <ipsec@ietf.org>; Tue, 11 Oct 2022 13:16:26 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4Mn6Vv24MBz7bn; Tue, 11 Oct 2022 22:16:23 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1665519383; bh=+lGstGI8Q6xKiGdFYCc6tVqpcfxYX81sZah979NK7lw=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=rqfGVH05RflY25JR+1hMD6dd6/xmTBxZtvgyrwvT69fjZTBCg8j3Wgz5rL0Az+Lag Cayl1Falyr9T8BA2I//xF17nb/sjfqEpo2Nx1LWBYxKu00DdY0Y1QpYN12Hx/Zko9U ShD8X4ysI65r7YFInlOHe/BigDoNVNHStQJNyKHM=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id tQADusEBMOXV; Tue, 11 Oct 2022 22:16:21 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 11 Oct 2022 22:16:21 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id B69453F137B; Tue, 11 Oct 2022 16:16:20 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id B29EB3F137A; Tue, 11 Oct 2022 16:16:20 -0400 (EDT)
Date: Tue, 11 Oct 2022 16:16:20 -0400
From: Paul Wouters <paul@nohats.ca>
To: Paul Wouters <paul.wouters=40aiven.io@dmarc.ietf.org>
cc: Roman Danyliw <rdd@cert.org>, "ipsec@ietf.org WG" <ipsec@ietf.org>
In-Reply-To: <CAGL5yWYzTEp+UPs+1a9cxxjyyobpKdUMpnwLH854jUv1tSdv8A@mail.gmail.com>
Message-ID: <a68b9e70-9b3d-667e-a056-471daa323c87@nohats.ca>
References: <BN2P110MB1107B26385B3570CA30E4A22DC8B9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM> <CAGL5yWYzTEp+UPs+1a9cxxjyyobpKdUMpnwLH854jUv1tSdv8A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/4gnNpMTXj35kF6M671W7qvojX7M>
Subject: Re: [IPsec] AD review of draft-ietf-ipsecme-ikev1-algo-to-historic-06
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2022 20:16:31 -0000
On Tue, 11 Oct 2022, Paul Wouters wrote: > I'm not following the text saying that "algorithms [are left] in a state of 'MAY be used'". For example, the following Type 3 transforms are > deprecated in Section 7 of this document: AUTH_HMAC_MD5_96, AUTH_DES_MAC and AUTH_KPDK_MD5. However, Section 2.3 of RFC8247 seems very clear > that AUTH_HMAC_MD5_96, AUTH_DES_MAC and AUTH_KPDK_MD5 are already "MUST NOT". Where is the "MAY be used" flexibility coming from? > > > In your example sub registry, there was nothing left in the state mentioned. But if you look at: > > https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-ikev1-algo-to-historic-06#section-5 > > then you can see a number of them. This is right. > > +------------------------+----------+---------+ > | Name | Status | Comment | > +------------------------+----------+---------+ > | AUTH_HMAC_SHA2_256_128 | MUST | | > | AUTH_HMAC_SHA2_512_256 | SHOULD | | > | AUTH_HMAC_SHA1_96 | MUST- | | > | AUTH_AES_XCBC_96 | SHOULD | (IoT) | > | AUTH_HMAC_MD5_96 | MUST NOT | | > | AUTH_DES_MAC | MUST NOT | | > | AUTH_KPDK_MD5 | MUST NOT | | > > > The reason for listing the entire table is that we ask IANA for the Status column for population, and so we give the entire table even if there were no > entries for this specific table that changed between 8221 + 8247 and this document. This is not. I got confused. That Status column is not with IANA. Paul
- [IPsec] AD review of draft-ietf-ipsecme-ikev1-alg… Roman Danyliw
- Re: [IPsec] AD review of draft-ietf-ipsecme-ikev1… Paul Wouters
- Re: [IPsec] AD review of draft-ietf-ipsecme-ikev1… Paul Wouters