Margaret,

Another important reference is in RFC2401, "Security Architecture for the Internet Protocol":

   10. Conformance Requirements

   All IPv4 systems that claim to implement IPsec MUST comply with all
   requirements of the Security Architecture document. All IPv6 systems
   MUST comply with all requirements of the Security Architecture
   document.

There was a thread along these lines a few months back, the conclusion of
which was that full implementations of IPv6 must implement IPsec, but that
use of IPsec was not mandatory.

So the cellular hosts document may choose to distinguish between
implementation and use also.

Tim

On Mon, 4 Mar 2002, Margaret Wasserman wrote:

>
> And the next issue, IP Security...
>
> > > - Situation where IP Security should be optional/disabled
> > >   (and the whole distinction between "Core IP" and
> > >   "IP Security")
> >
> >=> The distinction between IP security and core IP
> >is merely an editorial distinction. For example
> >you can see that in 'core IP' we list all the
> >IPv6 WG RFCs.
>
> Publishing a document that makes this distinction, however, will give
> the impression that IP Security (AKA IPSec) is not a _core_ part of
> IPv6. Some people may take that to mean that they can produce a
> complete IPv6 implementation that does not include IP Security.
>
> >As to whether IP security (I assume you mean IPsec)
> >should be mandated or not, we can discuss that.
> >But some questions that we would need to answer:
> >
> >- By 'mandated' do we mean implementation or use?
> >- What should be mandated?
> >- Why should it be mandated?
>
> RFC 2460 says:
>
>    "A full implementation of IPv6 includes implementation of the
>    following extension headers:
>
>       Hop-by-Hop Options
>       Routing (Type 0)
>       Fragment
>       Destination Options
>       Authentication
>       Encapsulating Security Payload
>
>    The first four are specified in this document; the last two are
>    specified in [RFC-2402] and [RFC-2406], respectively."
>
> So, a "full" implementation of IPv6 must include an implementation
> of the Authentication and ESP headers from RFCs 2402 and 2406.
>
> Obviously, it is possible for a host to implement RFCs 2402 and 2406,
> but to be configured such that no traffic is ever authenticated and/or
> encrypted.
>
> The draft-ietf-ipv6-cellular-host-00.txt document, however, seems to
> assume that there may be hosts that do not implement these headers.
> It says:
>
>    " - AH and ESP headers: In the case of the Core IP functionality
>    only, AH and ESP headers are treated as if the Security
>    Association had not existed, i.e. - packets with these headers
>    are dropped. When the IP Security functionality is in use, they
>    are processed as specified in RFCs 2401, 2402, and 2406."
>
> I am not sure about the wording here, but this paragraph implies to
> me that cellular hosts that only implement the "Core IP" functionality
> may not actually implement AH or ESP processing. This conflicts
> directly with RFC 2460.
>
> Now, I don't actually live under a rock, so I do understand that most
> of today's IPv6 nodes don't actually implement IP Security. In the
> past, however, the IESG had mandated that IP Security would be a
> mandatory part of IPv6, and I don't believe that they've changed that
> statement.
>
> So, where do we go from here?
>
> No document can be published as an RFC without IESG approval, and I don't
> think that we'll get IESG approval for a document that says (or even
> strongly implies) that IP Security is optional in IPv6. Maybe our
> ADs could comment on this?
>
> Margaret
>
> --------------------------------------------------------------------
> IETF IPng Working Group Mailing List
> IPng Home Page: http://playground.sun.com/ipng
> FTP archive: ftp://playground.sun.com/pub/ipng
> Direct all administrative requests to [EMAIL PROTECTED]
> --------------------------------------------------------------------
