On 2008-02-26 10:24, Manfredi, Albert E wrote:
>> -----Original Message-----
>> From: Duncan, Richard J CTR DISA JITC 
> 
>> John-
>>
>> I can give you the 2 documents:
>>
>> DoD IPv6 Standards Profile, Version 2:
>> http://jitc.fhu.disa.mil/apl/ipv6/pdf/disr_ipv6_product_profile_v2.pdf
>>
>> US Government IPv6 Profile Version 1, Draft 2:
>> http://www.antd.nist.gov/usgv6/usgv6-v1-draft2.pdf
>>  
>> I would suggest you look at it in the context of the RFC. The reason is
>> because these two are different as well.
> 
> I would agree that someone should reconcile, or at least identify, all
> the differences, although I don't know that it should be the IETF. I
> would expect that the rationale for the differences does not lie within
> the IETF?

The IETF's job is to make the Internet work better (RFC 3935) so we
obviously have to give that priority. It would certainly be useful
to understand why the DISA and NIST profiles differ from the IETF's
profile, but aligning with DISA and NIST shouldn't be a goal in itself
as far as I can see.

> 
> One difference between RFC 4294 and I-D 4294-bis is that AH was demoted
> from a MUST to a MAY. Is a specific reference identified, and I just
> missed it maybe? I noticed that the latest NIST IPv6 Profile
> accommodates this change.

As does IPsec (RFC 4301 section 3.2 first paragraph).
> 
> One MUST that the NIST IPv6 Profile introduced was mandating of OSPFv3
> as the routing protocol. Is this because RIPng is not being adopted in
> practice? Small networks should do well with RIPng, I would think,
> unless RIPng is never used in practice. And in principle, there could be
> a case made for static routing tables in special cases. I'm not sure why
> the routing protocol mandate for all Government nets.
> 
> Same applies to IKEv2. The IETF does not mandate its use, while NIST
> does.

See RFC 4301 section 3.2 *last* paragraph. The problem is that
the real world is slow to move to IKEv2. It's important to describe
what's real, I think. The NIST requirement is "interesting" given
the state of products.

> 
> One detail I'm not clear on is whether or why routers, which may well be
> in non-secure spaces, are required to support ESP. I-D 4294-bis doesn't
> elaborate - it just says "nodes" must. Older versions of the NIST IPv6
> Profile said that routers had to support AH to protect the routing
> protocols. My assumption is that this rationale, protection of routing
> protocols, is why now NIST is mandating that routers support ESP, now
> that AH has been demoted to a MAY. A brief clarification would be
> welcome.

Would you want to ship a router that couldn't protect the network layer?

> Another mandate in the NIST IPv6 Profile is that both tunneling and dual
> stack mechanisms be supported in Government networks. But what about
> small networks that already support dual stacks? They should have no
> reason to use tunneling as a mechanism for IPv6 transition?

That's an operational issue, not a node requirement. Would you want
to ship a stack that could support a dual stack but not use it
to tunnel?

   Brian
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: http://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
