For defense in depth scenarios I disagree in the case for the MN to verify with 
the HA. But I see your point.
/jim

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Basavaraj Patil
> Sent: Tuesday, February 26, 2008 12:58 PM
> To: Thomas Narten; Nobuo OKABE
> Cc: John Loughney; ipv6@ietf.org; [EMAIL PROTECTED]
> Subject: Re: Making IPsec *not* mandatory in Node Requirement
>
>
> I agree with Thomas about his views on IPsec being a
> mandatory and default component of the IPv6 stack.
> Because of this belief, Mobile IPv6 (RFC3775) design relied
> on IPsec for securing the signaling. This has led to
> complexity of the protocol and not really helped either in
> adoption or implementation.
> IPsec based security is an overkill for Mobile IPv6 and
> illustrates the point that you do not have to use it simply
> because it happens to be an integral part of IPv6.
>
> -Basavaraj
>
>
> On 2/26/08 10:18 AM, "ext Thomas Narten" <[EMAIL PROTECTED]> wrote:
>
> > IMO, we need to get over the idea that IPsec is mandatory in IPv6.
> > Really. Or that mandating IPsec is actually useful in practice.
> >
> > It is the case that mandating IPsec as part of IPv6 has contributed to
> > the hype about how great IPv6 is and how one will get better security
> > with IPv6. Unfortunately, that myth has also harmed the overall IPv6
> > deployment effort, as people look more closely and come to understand
> > that deploying IPv6 doesn't automatically/easily yield improved
> > security.
> >
> > We all know the reality of security is very different and much more
> > complicated/nuanced than just saying "use IPsec".
> >
> > Consider:
> >
> > IPsec by itself (with no key management) is close to useless. The
> > average person cannot configure static keys, so the result is (in
> > effect) a useless mandate (as a broad mandate for ALL nodes).
> >
> > What applications actually make use of IPsec for security? A lot fewer
> > than one might think. For many IPv6 devices/nodes, if one actually
> > looks at the applications that will be used on them, they do not use
> > IPsec today for security. And, there are strong/compelling arguments
> > for why IPsec is not the best security solution for many applications.
> > Thus, requiring IPsec is pointless.
> >
> > To be truly useful, we (of course) need key management. If we want to
> > mandate key management, the stakes go way up. IKEv1/v2 is not a small
> > implementation effort. And, we are now in the funny situation where
> > IKEv1 has been implemented, but due to shortcomings, IKEv2 has already
> > been developed. IKEv2 has been out for over 2 years, but
> > implementations are not widespread yet. So, would we mandate IKEv1
> > (which is obsoleted and has documented issues), or do we mandate
> > IKEv2, even though it is clear it is not widely available yet?
> >
> > IMO, we should drop the MUST language surrounding IPsec. The technical
> > justification for making it MUST is simply not compelling. It seems
> > to me that the MUST is there primarily for historical/marketing
> > reasons.
> >
> > Note that dropping the MUST will not mean people stop implementing
> > IPsec, where there is compelling benefit. Indeed, note that the USG
> > has already moved away from IKEv1 and has strongly signalled that it
> > will require IKEv2 going forward. So I am confident that IPsec (and
> > IKE) will get implemented going forward.
> >
> > But there is no reason why IPsec should be mandated in devices where
> > it is clear (based on the function/purpose of the device) that IPsec
> > will in fact not actually be used.
> >
> > As a general "node requirement", SHOULD is the right level, not MUST.
> >
> > Thomas
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > ipv6@ietf.org
> > Administrative Requests: http://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------
>