Tim,

The last rev of the IPv6 node requirements document states that IPsec is no longer required but only recommended for IPv6:

From http://tools.ietf.org/html/draft-ietf-6man-node-req-bis-08

   Previously, IPv6 mandated implementation of IPsec and recommended
   the key management approach of IKE. This document updates that
   recommendation by making support of the IP Security Architecture
   [RFC 4301] a SHOULD for all IPv6 nodes.

--julien

On Tue, Mar 29, 2011 at 5:59 AM, Tim Shepard <s...@alum.mit.edu> wrote:
>
> The Security Considerations section in draft-george-ipv6-required-01
> says:
>
>    5. Security Considerations
>
>    There are no direct security considerations generated by this
>    document, but existing documented security considerations for
>    implementing IPv6 will apply.
>
>
> At a minimum, your Security Considerations should contain a pointer to
> where those existing security considerations for implementing IPv6 are
> fully documented.
>
>
> Reading the above Security Considerations section reminded me that I
> once heard a rumor that IPsec is required in IPv6.
>
> It would be nice to know if that rumor is (still) true.
>
> I spent about 10 minutes before the int-area meeting started trying to
> figure out what I should read to know if IPsec is required in IPv6. I
> didn't find anything that was completely clear about that.
>
> The Security Considerations section of RFC 2460 says just this one
> sentence: "The security features of IPv6 are described in the
> Security Architecture for the Internet Protocol [RFC-2401]." That
> seems to be less than the full story.
>
> RFC 2401 is obsoleted by RFC 4301. RFC 2401 and RFC 4301 both contain
> this identical sentence: "This section defines Security Association
> management requirements for all IPv6 implementations and for those
> IPv4 implementations that implement AH, ESP, or both AH and ESP."
> This seems to imply IPsec is required in all implementations of IPv6.
>
> But I observe there is almost no use of IPsec today, on IPv4 or IPv6,
> other than for VPN tunnels. I've seen plenty of use of IPv6, but
> don't believe I've ever seen IPsec over IPv6.
>
> I fear "IPsec required for IPv6" would slow deployment of IPv6. More
> widespread implementation of IPv6 even if IPsec is not included would
> be a good thing.
>
>
> -Tim Shepard
> s...@alum.mit.edu
> _______________________________________________
> Int-area mailing list
> Int-area@ietf.org
> https://www.ietf.org/mailman/listinfo/int-area