Thanks for pointing this out, Richard. I agree with you. I (and at least one more guy I know) had the same confusion. We could not figure out what the whole section meant :-(

ext Richard Nelson wrote:
> I've read this a couple of times and I find the security section (sec 8)
> quite confusing. I am not a security expert but it appears to me that
> it is not consistent.
>
> In particular sec 8.2 says "AH [RFC-2402] must be supported." It then
> goes on to say "there is no real need for AH" and in both section 8.1
> and 8.3 there are items that "MUST be supported if AH is implemented".
> It would seem the if is redundant or something is wrong.
>
> Equally, section 8.1 says that "IPSec tunnel mode MUST be supported"
> and then goes on to say "case .... MUST be supported if IPSec tunnel
> mode is implemented."
>
> The first paragraph of section 8.3 finishes with the sentence "Note that
> the IPSec WG also recommends not using this algorithm." It is not clear
> to me which of the three algorithms mentioned in that paragraph this
> sentence refers to.
>
> It seems from section 8.3 that there are four encryption algorithms that
> must be supported AES-128-CBC, HMAC-SHA-1-96, HMAC-MD5-96 and
> HMAC-SHA-256. I think this section could however be worded more
> clearly. It would also be good if the appropriate RFCs were referenced
> in the text.
>
> From the point of view of very small devices, whilst I understand that
> IPSec support is a requirement, it seems that requiring transport mode
> and tunnel mode, AH and ESP and four algorithms (plus null encryption)
> seems onerous. I wasn't part of any discussion on this, but I would
> appreciate it if someone would explain particularly why so many
> algorithms are required.
>
> Finally a small editorial nit. There are lots of "is MUST"s and few
> "is SHOULD"s in the document that should be "MUST"s and "SHOULD"s.
>
> Richard.
> --------------------------------------------------------------------
> IETF IPng Working Group Mailing List
> IPng Home Page: http://playground.sun.com/ipng
> FTP archive: ftp://playground.sun.com/pub/ipng
> Direct all administrative requests to [EMAIL PROTECTED]
> --------------------------------------------------------------------