Tim - Thanks for putting your concern out on the list. If after reviewing http://tools.ietf.org/html/draft-ietf-6man-node-req-bis-08 you are not happy with the security references, then as I said at the mic, this is something better addressed in either v6ops or 6man, since they own the implementation/maintenance of the protocol. This draft is not the correct location to fix any perceived lack of clarity around IPv6 security considerations, because it is not implementing anything new.

That said, the draft is certainly open to other suggested references to address your concern, including additional text within the security considerations section that references useful info in other drafts/standards. If there are additional informative references beyond what is currently found in the draft (http://tools.ietf.org/html/draft-george-ipv6-required-01#page-6), I'm glad to have them.

Thanks,
Wes George

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Tim Shepard
Sent: Tuesday, March 29, 2011 8:59 AM
To: [email protected]
Subject: [Int-area] draft-george-ipv6-required-01.txt --- what about IPsec ?

The Security Considerations section in draft-george-ipv6-required-01 says:

  5. Security Considerations

  There are no direct security considerations generated by this document, but existing documented security considerations for implementing IPv6 will apply.

At a minimum, your Security Considerations should contain a pointer to where those existing security considerations for implementing IPv6 are fully documented.

Reading the above Security Considerations section reminded me that I once heard a rumor that IPsec is required in IPv6. It would be nice to know if that rumor is (still) true.

I spent about 10 minutes before the int-area meeting started trying to figure out what I should read to know if IPsec is required in IPv6. I didn't find anything that was completely clear about that.

The Security Considerations section of RFC 2460 says just this one sentence:

  "The security features of IPv6 are described in the Security Architecture for the Internet Protocol [RFC-2401]."

That seems to be less than the full story.

RFC 2401 is obsoleted by RFC 4301. RFC 2401 and RFC 4301 both contain this identical sentence:

  "This section defines Security Association management requirements for all IPv6 implementations and for those IPv4 implementations that implement AH, ESP, or both AH and ESP."

This seems to imply IPsec is required in all implementations of IPv6.

But I observe there is almost no use of IPsec today, on IPv4 or IPv6, other than for VPN tunnels. I've seen plenty of use of IPv6, but don't believe I've ever seen IPsec over IPv6.

I fear "IPsec required for IPv6" would slow deployment of IPv6. More widespread implementation of IPv6 even if IPsec is not included would be a good thing.

-Tim Shepard
[email protected]

_______________________________________________
Int-area mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/int-area
