On 09/03/2017 20:37, Brian E Carpenter wrote:
On 10/03/2017 05:53, Barry Leiba wrote:
> Personal opinion: encryption should be a MUST.

I believe that we will have situations where we have a secured ACP into a NOC
(to an edge router or VM hypervisor), and then we will have some unencrypted,
but secured links to platforms in transition.

It will be easy to add the GRASP daemon to answer resource requests to the
platform, but hard to add the ACP to that platform without a forklift
upgrade.

This is why I think it is a SHOULD, as much as I want it to transition to
being a MUST.

This brings up a common rant that I have:
We should be putting into our protocol specs what we want the protocol
to be, not some compromise that comes from knowing that not everyone
will comply with everything from the start.

If the right thing is to say "MUST encrypt", but we know there'll be a
transition period during which that's not fully practical, then we
should say that.  Something like this added to Section 3.5.1:

NEW
In some cases there will be a transition period, in which it might not
be practical to run with strong encryption right away.  It's important
to keep this period as short as possible, and to upgrade to a fully
encrypted setup as soon as possible.
END

or perhaps more precisely:

During initialization of nodes there will be a transition period...

Whether this is phrased as an exception to the MUST or as the justification
for ignoring the SHOULD is a matter of taste, I think.

Confused about this last comment. MichaelR pointed out the case of a legacy network management platform, where you can easily add GRASP, but not ACP support. I concur with this view: We saw this a lot in customer deployment discussions.

When you say "during initialization of nodes", Brian, do you mean of management stations or of nodes out there in the network?

In my understanding I would have written something like "until network management systems can be upgraded to full ACP support ..."

What am I missing?
Michael

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima