While we are updating the algorithm requirements for the ESP and AH, I
think we should also update the RFC4307 too at the same time, as a
separate document.

I think the changes we would like to do there are:

Downgrade Diffie-Hellman group 2 (1024-bits) from MUST- to SHOULD.
Upgrade Diffie-Hellman group 14 (2048-bits) from SHOULD+ to MUST.
Downgrade ENCR_3DES from MUST- to MAY
Fix ENCR_NULL from MAY to MUST NOT (already MUST NOT in errata)
Upgrade ENCR_AES_CBC from SHOULD+ to MUST
Fix PRF_AES128_CBC to PRF_AES128_XCBC and downgrade it from SHOULD+ to SHOULD.
Downgrade AUTH_AES_XCBC_96 from SHOULD+ to SHOULD.

Then we might want to think whether we want to add new algorithms,
i.e. "AES_GCM with an 8/12/16 octet ICV", PRF_HMAC_SHA2_256/384/512,
or AUTH_HMAC_SHA2_256_128/384_192/512_256. In all of those I think we
might want to pick one length and make that SHOULD...
-- 
kivi...@iki.fi
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
