Francis Dupont wrote:
> I agree with you and Hesham: IPsec is required for any compliant
> IPv6 implementations and we should not accept an exemption for
> a device which can get a global address in the Internet.
> BTW the complexity argument is not very sound because IPsec
> with IKE is already available on PalmPilot and PSions (cf ipsec
> wg mailing list).

True, and I've personally done even smaller implementations of IPsec... however this isn't really the point. The point is the use of appropriate mechanisms for the task at hand. Even the other mechanisms may be complex and troublesome to implement. But we should avoid adding other mechanisms that we do not need.

> Security should not be a compromise!

I agree. However, I disagree with the thinking that e.g. my web-browsing-phone has somehow compromised on security when it implemented TLS instead of IPsec.

Please note that I do NOT want to say that we shouldn't use IPsec. Rather, you could say that I'd like to get a more appropriate applicability statement for it than we currently have. For instance, the recommendations we have in some base IPv6 RFCs on the use of IPsec for ICMP protection are at least misleading -- and this is from personal experience on actually trying to do that. Have you tried it?

Jari

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
