Recently we had a discussion about mapping IANA entries to a YANG model,
and the question came up whether we should add a deprecated marker to the
IKE/ESP registries for algorithms.
I thought it was a good idea, but not everyone agreed.
I just stumbled upon RFC 7696: Guidelines for Cryptographic Algorithm Agility
and Selecting Mandatory-to-Implement Algorithms
Section 2.1: Algorithm Identifiers
In the IPsec protocol suite, the Internet Key Exchange Protocol
version 2 (IKEv2) [RFC7296] carries the algorithm identifiers for the
Authentication Header (AH) [RFC4302] and the Encapsulating Security
Payload (ESP) [RFC4303]. Such separation is a completely fine design
choice. [...]
An IANA registry SHOULD be used for these algorithm or suite
identifiers. Once an algorithm identifier is added to the registry,
it should not be changed or removed. However, it is desirable to
mark a registry entry as deprecated when implementation is no longer
advisable.
So there is even an RFC stating that we should really do this :)
I guess the main question is, can we add these via a request to IANA
based on RFC 8221 and 8247, or do we need to write a short RFC with
requests to IANA?
Paul
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
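To make the registry-to-YANG mapping in the message concrete, here is an added illustrative YANG fragment (not part of the original post, and not an IETF work item or an existing module) showing how a registry entry that IANA marks as deprecated could be carried into a YANG model with the built-in `status deprecated;` statement, keeping the IANA value unchanged as RFC 7696 asks. The module name, namespace, prefix and organization string are made-up placeholders; the transform values and requirement levels cited are those of the IKEv2 Transform Type 1 registry and RFC 8221.

```yang
module example-ikev2-encr-algs {
  yang-version 1.1;
  // Hypothetical namespace and prefix; pick real ones in a published module.
  namespace "urn:example:ikev2-encr-algs";
  prefix ike-encr;

  organization
    "Illustrative example only; not an IETF module.";
  description
    "Maps a few IKEv2 Transform Type 1 (ENCR) registry entries to YANG
     identities. The IANA value never changes; only the YANG status is
     used to signal that implementation is no longer advisable, with the
     reference statement pointing at the RFC that lowered the requirement
     level.";

  identity encr-alg {
    description
      "Base identity for IKEv2/ESP encryption transforms (Transform Type 1).";
  }

  identity ENCR_DES {
    base encr-alg;
    status deprecated;
    description
      "IANA Transform ID 2. RFC 8221 lists ENCR_DES as MUST NOT.";
    reference "RFC 8221";
  }

  identity ENCR_3DES {
    base encr-alg;
    status deprecated;
    description
      "IANA Transform ID 3. RFC 8221 lists ENCR_3DES as SHOULD NOT.";
    reference "RFC 8221";
  }

  identity ENCR_AES_CBC {
    base encr-alg;
    description
      "IANA Transform ID 12. RFC 8221 lists ENCR_AES_CBC as MUST.";
    reference "RFC 8221";
  }

  identity ENCR_AES_GCM_16 {
    base encr-alg;
    description
      "IANA Transform ID 20. RFC 8221 lists ENCR_AES_GCM_16 as MUST.";
    reference "RFC 8221";
  }

  // A leaf typed with identityref to encr-alg lets a YANG-aware
  // configuration tool warn on (or reject) deprecated identities
  // without any change to the wire-level transform ID.
  leaf esp-encryption {
    type identityref {
      base encr-alg;
    }
    description
      "Encryption transform selected for an ESP proposal.";
  }
}
```

Two caveats a practitioner would want: YANG `status` alone does not record why an entry was deprecated, so the `reference` statement has to carry the RFC that changed the requirement level; and a `status deprecated;` identity is still valid configuration under YANG, so enforcing "do not use" (as opposed to merely flagging it) remains a policy decision for the management tool, which is the same split between registry marking and implementation behaviour that RFC 7696 describes.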