Securing Block Storage Protocols over IP: RFC 3723 Requirements Update for IPsec v3
RFC 7146
Note: This ballot was opened for revision 03 and is now closed.
(Martin Stiemerling; former steering group member) Yes
(Adrian Farrel; former steering group member) No Objection
(Barry Leiba; former steering group member) No Objection
This has to be a record for the length of an "updates" list. Nice!
(Brian Haberman; former steering group member) No Objection
(Jari Arkko; former steering group member) No Objection
(Joel Jaeggli; former steering group member) No Objection
Given the breadth of the changes, I'm not sure why this document doesn't simply obsolete 3723, supplanting it with 3723 text+updates, rather than simply enumerating the changes.
(Pete Resnick; former steering group member) No Objection
I want to reiterate and amplify Joel's comment: I think it would be better in the end to re-publish 3723 with these changes and obsolete it rather than doing this as an update. I hate for our tools to drive these sorts of decisions, but if you obsolete 3723 with a new document, the next time someone tries to refer to 3723, the nits tool will say, "Hey, that's obsoleted; do you want to refer to the newer one?" That won't happen if it's just an update. You still want to update all of the docs that normatively refer to the IPSec stuff in 3723, but obsoleting 3723 would be better. Please consider it.
(Richard Barnes; former steering group member) No Objection
(Sean Turner; former steering group member) (was Discuss) No Objection
Like Spencer, I'd like to see the changes agreed by Tom and David to be incorporated, but I trust that the responsible AD will ensure that gets done so no need for me to hold a discuss on it.
s2.2: I think you need to add normative references to [RFC3602] for AES-128-CBC:
OLD: AES in CBC mode MUST be implemented. AES CBC implementations MUST support 128-bit keys and MAY support other key sizes.
NEW: AES in CBC mode MUST be implemented [RFC3602]. AES CBC implementations MUST support 128-bit keys and MAY support other key sizes.
s2.2: r/implement" requirement) ./implement" requirement).
s2.2: r/AES in Counter mode MAY/AES in Counter mode (AES CTR) MAY
s3: Maybe with more teeth:
OLD: Use of 1024 bit D-H groups with 3DES CBC and HMAC-SHA1 is no longer recommended,
NEW: Use of 1024 bit D-H groups with 3DES CBC and HMAC-SHA1 is NOT RECOMMENDED,
s3: r/use of IPsec v3 is recommended./use of IPsec v3 is RECOMMENDED. ?
s3.1: Is it worth mentioning the OCSP extension mechanism to check the validity of the certificates?
(Spencer Dawkins; former steering group member) No Objection
I think the resolutions David and Tom Yu arrived at while chatting about Tom's SECDIR review are helpful and support them being in the RFC.
(Stewart Bryant; former steering group member) No Objection