In your previous mail you wrote:

   But we should avoid adding other mechanisms that we do not need.

=> we need IPsec and we need even other mechanisms because IPsec is not all the security. For instance for mails between humans we need PGP or S/MIME too.

   > Security should not be a compromise!

   Please note that I do NOT want to say that we shouldn't use IPsec. Rather, you could say that I'd like to get a more appropriate applicability statement for it than we currently have.

=> there is an IAB statement about security. IPsec support was made mandatory according to this statement and IMHO this was a big step forward. There are other security mechanisms, including some at the transport layer (SSL/TLS, IMHO IPsec is better but real world considerations have to be considered :-) and some at the application layer, with in some cases a very different usage (PGP). I am in favor of making all core security mechanisms mandatory (MUST or strong SHOULD), cf. RFC 2316 section 10. IPsec is only the first in the list.

   For instance, the recommendations we have in some base IPv6 RFCs on the use of IPsec for ICMP protection are at least misleading -- and this is from personal experience on actually trying to do that. Have you tried it?

=> yes, ICMP is hard to protect and to use it for small services does not make things simpler...

Regards

[EMAIL PROTECTED]
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
