svn commit: r348205 - head/sys/netipsec
John Baldwin
jhb at FreeBSD.org
Fri May 24 14:44:45 UTC 2019
On 5/23/19 6:34 PM, Rodney W. Grimes wrote:
> I did not need that info, just a list of IANA assigned numbers
> of things you can not find in RFC/IETF documents. I'll do the
> leg work from the other side and if IETF/IANA documents need
> fixing I'll get that in process.
Oh, to be clear, that specific language is taken directly from RFC 8221.
For example, in section 5 after the table of encryption algorithms:
<quote>
IANA has allocated codes for cryptographic algorithms that have not
been specified by the IETF. Such algorithms are noted as
UNSPECIFIED. Usually, the use of these algorithms is limited to
specific cases, and the absence of specification makes
interoperability difficult for IPsec communications. These
algorithms were not mentioned in [RFC7321], and this document
clarifies that such algorithms MUST NOT be implemented for IPsec
communications.
Similarly, IANA also allocated code points for algorithms that are
not expected to be used to secure IPsec communications. Such
algorithms are noted as non-IPsec. As a result, these algorithms
MUST NOT be implemented.
Various ciphers that are older, not well tested, and never widely
implemented have been changed to MUST NOT.
</quote>
On my (8th?) reading, though, it may be that the first paragraph only
applies to the algorithms marked UNSPECIFIED in the earlier table,
which would cover des-32iv and possibly des-deriv, in which case the
wording I used in the commit log isn't quite clear. Also, just to make
it clear, I don't care about IANA numbers; I was merely referencing
the RFC's wording as the "why".
--
John Baldwin