>>>>> "david" == david black <david.bl...@emc.com> writes:

    david> Assuming 2400-series IPsec is not extinct, the appropriate requirements may be of
    david> roughly the following form (this is a template, see RFC 3720
    david> or 3723 for the specific
Well, I'm not really sure how to answer your question. There is certainly still lots and lots and lots of 2400-series IPsec in use. I'd say it was the majority in devices which can easily be upgraded, and which aren't because IKEv1 still works well for the solution space out there. Certainly IKEv2 is pretty rare on smartphones, I'd say, for *VPN* connectivity, while at the same time it's required for 3GPP interop (my understanding; I never wrote that code myself).

However, we aren't talking about general-purpose devices, but rather operating systems, HBA cards, virtualization systems (iSCSI clients) and NAS (iSCSI targets). Presuming that none of these devices is going to want to stop claiming conformance to RFC 3723/RFC 3720, they will have to continue to implement the IPsec 2400 series. The only advantage to implementing the IPsec 4300 series would be on newer devices where code space and configuration is an issue, i.e. HBAs. It isn't like an IKEv2-speaking endpoint can't recognize and speak IKEv1, particularly when it is a responder; it doesn't even cost a round trip.

I don't know what other things you are updating in this round, so I don't know what other things might drive an implementation to do RFC3720bis but would prevent it from deploying IKEv2. I therefore think that you should MUST implement 4300 (IKEv2), and MAY implement the 2400 series (IKEv1). Note that the *ESP*-level things, like extended sequence numbers, that appear in 4300 can be negotiated, so it's really not that big a deal to MUST the rest of the 4300 stuff in my opinion.

All the iSCSI devices that want to support 3723/3720 clients are going to support IKEv1. But if there is a greenfield implementation of 3720bis, then it could implement only the much simpler IKEv2.

-- 
] He who is tired of Weird Al is tired of life!                  | firewalls  [
] Michael Richardson, Sandelman Software Works, Ottawa, ON       |net architect[
] m...@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
  Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
  then sign the petition.
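The point above that a responder can tell IKEv1 from IKEv2 without an extra round trip rests on the two protocols sharing the same 28-byte header layout, so the major-version nibble alone decides which state machine to hand the datagram to. The following added example (not from the original message or from any IETF code) parses that common header and dispatches on it; the exchange-type codes and flag bits are taken from RFC 2408 and RFC 7296, and the sample datagrams are constructed placeholders with opaque bodies.

```python
import struct
from dataclasses import dataclass

# Fixed 28-byte header shared by ISAKMP/IKEv1 (RFC 2408) and IKEv2 (RFC 7296):
# SPI_i(8) SPI_r(8) NextPayload(1) Version(1) ExchangeType(1) Flags(1) MessageID(4) Length(4)
HEADER_FMT = "!8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28
IKEV1_EXCHANGES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
IKEV2_FLAG_INITIATOR, IKEV2_FLAG_RESPONSE = 0x08, 0x20

@dataclass
class IkeHeader:
    version: str        # "IKEv1", "IKEv2" or "unsupported(<major>)"
    exchange: str
    initiator_spi: bytes
    responder_spi: bytes
    is_response: bool   # IKEv2 R flag; IKEv1 has no such bit, so always False there
    length: int

def classify_ike_header(datagram: bytes) -> IkeHeader:
    """Parse the common header and dispatch on the major-version nibble (no round trip needed)."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the 28-byte IKE header")
    spi_i, spi_r, _np, ver, exch, flags, _mid, length = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if length != len(datagram):
        raise ValueError(f"length field {length} != datagram size {len(datagram)}")
    major = ver >> 4  # both protocols ignore the minor nibble on receipt
    if major == 1:
        return IkeHeader("IKEv1", IKEV1_EXCHANGES.get(exch, f"unknown({exch})"), spi_i, spi_r, False, length)
    if major == 2:
        return IkeHeader("IKEv2", IKEV2_EXCHANGES.get(exch, f"unknown({exch})"),
                         spi_i, spi_r, bool(flags & IKEV2_FLAG_RESPONSE), length)
    # RFC 7296 section 2.5: a responder rejects a higher major version with INVALID_MAJOR_VERSION
    return IkeHeader(f"unsupported({major})", f"unknown({exch})", spi_i, spi_r, False, length)

def make_sample(major: int, exch: int, flags: int, body_len: int) -> bytes:
    """Constructed test datagram: a header followed by an opaque placeholder body."""
    hdr = struct.pack(HEADER_FMT, b"\x11" * 8, bytes(8), 1, major << 4, exch, flags, 0, HEADER_LEN + body_len)
    return hdr + b"\x00" * body_len

# Constructed samples: an IKEv1 Main Mode first message and an IKEv2 IKE_SA_INIT request.
IKEV1_SAMPLE = make_sample(1, 2, 0x00, 40)
IKEV2_SAMPLE = make_sample(2, 34, IKEV2_FLAG_INITIATOR, 40)
```

A real responder would hand the datagram to the matching IKE implementation after this check; the length and version validation also rejects truncated or mismatched packets before any state is allocated.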
IPsec mailing list, IPsec@ietf.org, https://www.ietf.org/mailman/listinfo/ipsec