The VPN gateway must use Secure Hash Algorithm for IPSec cryptographic hashing operations required for authentication and integrity verification.

From IPSec VPN Gateway Security Technical Implementation Guide

Part of: SHA is not used for IPSec hashing operations.

Associated with IA controls: ECSC-1

SV-41009r1_rule The VPN gateway must use Secure Hash Algorithm for IPSec cryptographic hashing operations required for authentication and integrity verification.

Vulnerability discussion

Because hash algorithms create a short fixed-length hash value to represent data of any size, there are far more possible input values than there are unique hash values. Hence, multiple input values exist that will produce the same hash value. This is known as a collision. For a hash function to be deemed cryptographically secure and collision resistant, it has to be hard to find two inputs that hash to the same output. Various methods have been published that find an MD5 collision in less than a minute. Therefore, MD5 is considered cryptographically broken and should not be used, and certainly not for security-based services relying on collision resistance. Hence, Secure Hash Algorithm (SHA) must be used for IPSec cryptographic hashing operations required for authentication and integrity verification.

Check content

Review all transform sets defined in IPSec profiles and crypto maps and verify SHA has been enabled for performing cryptographic hashing operations.
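The review above can be scripted against a saved configuration. The following is an added example, not part of the STIG: it assumes Cisco IOS-style syntax (`crypto ipsec transform-set`, `crypto ipsec profile`, `crypto map`), which the page itself does not name, and the sample configuration and every name in it are constructed.

```python
import re

# Constructed sample config; Cisco IOS-style syntax is an assumption (the page names no vendor).
SAMPLE_CONFIG = """\
crypto ipsec transform-set TS-GOOD esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TS-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TS-NOHASH esp-aes 128
crypto ipsec profile VTI-PROFILE
 set transform-set TS-GOOD
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set transform-set TS-MD5 TS-GOOD
crypto map OUTSIDE-MAP 20 ipsec-isakmp
 set transform-set TS-NOHASH
"""

TS_DEF = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
USER = re.compile(r"^crypto (ipsec profile \S+|map \S+ \d+)")
TS_REF = re.compile(r"^\s+set transform-set (.+)$")
SHA_HMAC = re.compile(r"^(esp|ah)-sha\d*-hmac$")
MD5_HMAC = re.compile(r"^(esp|ah)-md5-hmac$")

def classify(transforms):
    """Return 'md5', 'sha' or 'no-sha' for one transform set's keyword list."""
    if any(MD5_HMAC.match(t) for t in transforms):
        return "md5"  # MD5 anywhere in the set is a finding
    if any(SHA_HMAC.match(t) for t in transforms):
        return "sha"
    return "no-sha"   # no SHA HMAC transform present

def audit(config):
    """Return (verdict per transform set, [(profile or map entry, set, reason)])."""
    lines = config.splitlines()
    # First pass: classify every defined transform set.
    sets = {m.group(1): classify(m.group(2).split()) for m in map(TS_DEF.match, lines) if m}
    findings, current = [], None
    for line in lines:
        if not line.startswith(" "):  # top-level line opens or closes a block
            m = USER.match(line)
            current = m.group(1) if m else None
        elif current and (m := TS_REF.match(line)):
            for name in m.group(1).split():
                verdict = sets.get(name, "undefined")
                if verdict != "sha":
                    findings.append((current, name, verdict))
    return sets, findings

if __name__ == "__main__":
    verdicts, findings = audit(SAMPLE_CONFIG)
    for user, name, reason in findings:
        print(f"FINDING: {user} references {name} ({reason})")
```

A `no-sha` or `undefined` result means the script found no SHA HMAC keyword for that set, so the entry still needs a manual look before it is recorded as a finding.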

Fix text

Configure all IPSec transform sets to use SHA for performing cryptographic hashing operations.
