And the next issue, IP Security...

> > - Situation where IP Security should be optional/disabled
> > (and the whole distinction between "Core IP" and
> > "IP Security")
>
>=> The distinction between IP security and core IP
>is merely an editorial distinction. For example
>you can see that in 'core IP' we list all the
>IPv6 WG RFCs.

Publishing a document that makes this distinction, however, will give
the impression that IP Security (AKA IPSec) is not a _core_ part of
IPv6. Some people may take that to mean that they can produce a
complete IPv6 implementation that does not include IP Security.

>As to whether IP security (I assume you mean IPsec)
>should be mandated or not, we can discuss that.
>But some questions that we would need to answer:
>
>- By 'mandated' do we mean implementation or use?
>- What should be mandated?
>- Why should it be mandated?

RFC 2460 says:

    "A full implementation of IPv6 includes implementation of the
    following extension headers:

        Hop-by-Hop Options
        Routing (Type 0)
        Fragment
        Destination Options
        Authentication
        Encapsulating Security Payload

    The first four are specified in this document; the last two are
    specified in [RFC-2402] and [RFC-2406], respectively."

So, a "full" implementation of IPv6 must include an implementation
of the Authentication and ESP headers from RFCs 2402 and 2406.

Obviously, it is possible for a host to implement RFCs 2402 and 2406,
but to be configured such that no traffic is ever authenticated and/or
encrypted.

The draft-ietf-ipv6-cellular-host-00.txt document, however, seems to
assume that there may be hosts that do not implement these headers.
It says:

    " - AH and ESP headers: In the case of the Core IP functionality
    only, AH and ESP headers are treated as if the Security
    Association had not existed, i.e. - packets with these headers
    are dropped. When the IP Security functionality is in use, they
    are processed as specified in RFCs 2401, 2402, and 2406."

I am not sure about the wording here, but this paragraph implies to
me that cellular hosts that only implement the "Core IP" functionality
may not actually implement AH or ESP processing. This conflicts
directly with RFC 2460.

Now, I don't actually live under a rock, so I do understand that most
of today's IPv6 nodes don't actually implement IP Security. In the
past, however, the IESG had mandated that IP Security would be a
mandatory part of IPv6, and I don't believe that they've changed that
statement.

So, where do we go from here?

No document can be published as an RFC without IESG approval, and I don't
think that we'll get IESG approval for a document that says (or even
strongly implies) that IP Security is optional in IPv6. Maybe our
ADs could comment on this?

Margaret

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
--------------------------------------------------------------------
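
The receive-side behaviour the quoted draft text describes, as an added example that is not part of the original message or of either document: a walker over the six extension headers RFC 2460 lists, which drops packets carrying AH or ESP on a "Core IP only" host. The verdict labels, function names and sample packets are constructed for illustration, and Security Association lookup is not modelled.

```python
import struct

# The six extension headers RFC 2460 lists for a "full implementation".
EXT = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment",
       60: "Destination Options", 51: "AH", 50: "ESP"}

def walk_chain(packet):
    """Return the names of the extension headers visible in an IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = packet[6], 40, []
    while nxt in EXT:
        chain.append(EXT[nxt])
        if nxt == 50:                        # ESP hides Next Header in its trailer
            break
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        if nxt == 44:                        # Fragment header is a fixed 8 octets
            size = 8
            nonfirst = struct.unpack_from("!H", packet, off + 2)[0] >> 3
        elif nxt == 51:                      # AH Payload Len: 4-octet units, minus 2
            size, nonfirst = (packet[off + 1] + 2) * 4, 0
        else:                                # Hdr Ext Len: 8-octet units, minus 1
            size, nonfirst = (packet[off + 1] + 1) * 8, 0
        if off + size > len(packet):
            raise ValueError("truncated extension header")
        if nonfirst:                         # later fragments carry no more headers
            break
        nxt, off = packet[off], off + size
    return chain

def verdict(packet, ipsec_implemented):
    """Labels are hypothetical: 'deliver', 'drop', 'ipsec-process', 'drop-malformed'."""
    try:
        chain = walk_chain(packet)
    except ValueError:
        return "drop-malformed", []
    if "AH" in chain or "ESP" in chain:
        return ("ipsec-process" if ipsec_implemented else "drop"), chain
    return "deliver", chain

def ipv6(next_header, payload):
    """Constructed sample packet: base header with zeroed addresses, hop limit 64."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + bytes(32) + payload

HBH = bytes([51, 0]) + bytes(6)              # Next Header = AH, six Pad1 options
AH = bytes([17, 4]) + bytes(22)              # Next Header = UDP, 24 octets in total
PLAIN = ipv6(17, bytes(8))
AH_PKT = ipv6(0, HBH + AH + bytes(8))
ESP_PKT = ipv6(50, bytes(16))
SHORT_AH = ipv6(51, AH[:8])                  # AH claims 24 octets, only 8 present
```

Even the "Core IP only" branch has to recognise next-header values 50 and 51 and parse the AH length field in order to drop such packets deliberately rather than mis-parse them.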