> On Tue, 11 Oct 2022, Paul Wouters wrote:
>> I'm not following the text saying that "algorithms [are left] in a state of
>> 'MAY be used'". For example, the following Type 3 transforms are
>> deprecated in Section 7 of this document: AUTH_HMAC_MD5_96, AUTH_DES_MAC
>> and AUTH_KPDK_MD5. However, Section 2.3 of RFC8247 seems very clear
>> that AUTH_HMAC_MD5_96, AUTH_DES_MAC and AUTH_KPDK_MD5 are already "MUST NOT".
>> Where is the "MAY be used" flexibility coming from?
>
> In your example sub registry, there was nothing left in the state mentioned.
> But if you look at:
> https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-ikev1-algo-to-historic-06#section-5
> then you can see a number of them.

This is right.

> +------------------------+----------+---------+
> | Name                   | Status   | Comment |
> +------------------------+----------+---------+
> | AUTH_HMAC_SHA2_256_128 | MUST     |         |
> | AUTH_HMAC_SHA2_512_256 | SHOULD   |         |
> | AUTH_HMAC_SHA1_96      | MUST-    |         |
> | AUTH_AES_XCBC_96       | SHOULD   | (IoT)   |
> | AUTH_HMAC_MD5_96       | MUST NOT |         |
> | AUTH_DES_MAC           | MUST NOT |         |
> | AUTH_KPDK_MD5          | MUST NOT |         |
> +------------------------+----------+---------+
>
> The reason for listing the entire table is that we ask IANA for the Status
> column for population, and so we give the entire table even if there were no
> entries for this specific table that changed between 8221 + 8247 and this
> document.

This is not. I got confused. That Status column is not with IANA.
Paul
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec