Thomas, >As a general "node requirement", SHOULD is the right level, not MUST.
I veer to being somewhat conservative in this area. I don't think that we should be re-interpreting Standards-track RFCs in the Node Req document. I think that we can only refer to what the base standards track RFCs state, and provide some text to guide the reader. I still tend to think that IPSec is a good enabler to have, on a hw or sw platform, for example. Whether it is activiated or used is another story. Also, understanding the overall security solutions that should be used in different deployments are quite complicated, and can only get worse if certain solutions are not available. At a high-level, creating any IPv6 implementation without any security solutions is a problematic, IMO. If IBM, Nokia or any other company would sell an IPv6 stack as part of a solution that provided no security, I don't think that would be very good or useful. I think some aspects of security needs to be a MUST as part of an overall IPv6 stack, however, there are many choices and parts of a potential solution. I think we should look at what the overall IETF concensus for a minimum requirement would be. My question is, does the IETF have any such consensus? John >-----Original Message----- >From: ext Thomas Narten [mailto:[EMAIL PROTECTED] >Sent: 26 February, 2008 08:19 >To: Nobuo OKABE >Cc: [EMAIL PROTECTED]; Loughney John >(Nokia-OCTO/PaloAlto); ipv6@ietf.org; [EMAIL PROTECTED] >Subject: Re: Making IPsec *not* mandatory in Node Requirement > >IMO, we need to get over the idea that IPsec is mandatory in >IPv6. Really. Or that mandating IPsec is actually useful in practice. > >It is the case that mandating IPsec as part of IPv6 has >contributed to the hype about how great IPv6 is and how one >will get better security with IPv6. Unfortunately, that myth >has also harmed the overall IPv6 deployment effort, as people >look more closely and come to understand that deploying IPv6 >doesn't automatically/easily yield improved security. > >We all know the reality of security is very different and much >more complicated/nuanced then just saying "use IPsec". > >Consider: > >IPsec by itself (with no key management) is close to useless. >The average person cannot configure static keys, so the result is (in >effect) a useless mandate (as a broad mandate for ALL nodes). > >What applications actually make use of IPsec for security? A >lot fewer than one might think. For many IPv6 devices/nodes, >if one actually looks at the applications that will be used on >them, they do not use IPsec today for security. And, there are >strong/compelling arguments for why IPsec is not the best >security solution for many applications. >Thus, requiring IPsec is pointless. > >To be truly useful, we (of course) need key management. If we >want to mandate key management, the stakes go way up. IKEv1/v2 >is not a small implementation effort. And, we are now in the >funny situation where >IKEv1 has been implemented, but due to shortcomings, IKEv2 has >already been developed. IKEv2 has been out for over 2 years, >but implementations are not widespread yet. So, would we >mandate IKEv1 (which is obsoleted and has documented issues), >or do we mandate IKEv2, even though it is clear it is not >widely available yet? > >IMO, we should drop the MUST language surrounding IPsec. The >technical justification for making it MUST are simply not >compelling. It seems to me that the MUST is there primarily >for historical/marketing reasons. > >Note that dropping the MUST will not mean people stop >implementing IPsec, where there is compelling benefit. Indeed, >note that the USG has already moved away from IKEv1 and has >strongly signalled that it will require IKEv2 going forward. >So I am confident that IPsec (and >IKE) will get implemented going forward. > >But there is no reason why IPsec should be mandated in devices >where it is clear (based on the function/purpose of the >device) that IPsec will in fact not actually be used. > >As a general "node requirement", SHOULD is the right level, not MUST. > >Thomas > -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: http://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
