Hi Brian, BTNS extensions to IPsec provide out-of-band security authentication (its not always in-band like you state). We can replicate the behavior of TLS/ SSL using IPsec. Have a look at:
http://www.ietf.org/internet-drafts/draft-ietf-btns-prob-and-applic-06.txt Thanks, Vishwas On Tue, Feb 26, 2008 at 12:19 PM, Brian Dickson <[EMAIL PROTECTED]> wrote: > [EMAIL PROTECTED] wrote: > > Julien and Alain, > > > > My high-level question to you both is, for sensors and set-top > > boxes - do you feel that you do not need security for any > > reason? Is this a long-term issue or a short-term issue. > > > > > Let me answer on everyone's behalf: > > IPsec is an end-to-end security protocol. > > For many environments, such as set-top boxes and the like, the box has > its own ability > to secure itself (or make itself unusable), and the L0/L1/L2 portion of > the network > is under the provider's physical control. > > So, for a substantial portion of deployed equipment (cable/dsl boxes, > embedded systems), > with no user-serviceable parts, *how* security is handled, is orthogonal > to the issue > of whether it needs security. > > Suggesting that in-band, network-wide, heavy-weight security (IPsec) is > the *only* > solution to the requirement, doesn't fly. > > Any of a bunch of other kinds of security can do the job, from TLS to > SSH to use of > out-of-band channels. > > And *this* is why I think that IPsec ought to be downgraded to SHOULD > for IPv6 node > requirements. > > Brian Dickson > > > > I can't really think of a reason why security would not be an > > issue, but I could be wrong. > > > > John > > > > > >> -----Original Message----- > >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > >> Behalf Of ext Julien Abeille (jabeille) > >> Sent: 26 February, 2008 11:12 > >> To: Bound, Jim; Patil Basavaraj (NSN - US/Irving); Thomas > >> Narten; Nobuo OKABE > >> Cc: Loughney John (Nokia-OCTO/PaloAlto); ipv6@ietf.org; Fred > >> Baker (fred) > >> Subject: RE: Making IPsec *not* mandatory in Node Requirement > >> > >> Hi all, > >> > >> To come back to constrained device, as I already mentionned on > >> the list within 6lowpan, we are working on a draft which > >> documents the cost of each feature mandated by RFC4294, from > >> an implementation perspective (target platform is 8bit > >> microcontroller, few 10K ROM, few K RAM). I guess as soon as > >> we have results, this might help the discussion. > >> > >> To give a bit of insight on sensor industry, the market is > >> highly fragmented in terms of technology. Most vendors have > >> proprietary L3, sometimes proprietary L2, and there are a > >> bunch of standards coming, like ZigBee, Z-Wave, ISA, HART... > >> One reason for people not to go for IPv6 is "Oh this is too > >> big for a sensor", also because they are not always familiar with IP. > >> > >> What I want to say is that this kind of question (do we > >> mandate IPSec) is critical for a domain which promises > >> billions of device. > >> > >> Cheers, > >> Julien > >> > >> > >> > >> > >> Julien Abeillé > >> Software Engineer > >> Technology Center > >> [EMAIL PROTECTED] > >> Fax:+41 21 822 1604 > >> Cisco Systems International Sàrl > >> Av. des Uttins 5 > >> 1180 Rolle > >> Switzerland (FR) > >> www.cisco.com > >> > >> > >> This e-mail may contain confidential and privileged material > >> for the sole use of the intended recipient. Any review, use, > >> distribution or disclosure by others is strictly prohibited. > >> If you are not the intended recipient (or authorized to > >> receive for the recipient), please contact the sender by reply > >> e-mail and delete all copies of this message. > >> > >> > >> -----Original Message----- > >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > >> Behalf Of Bound, Jim > >> Sent: mardi 26 février 2008 19:50 > >> To: Basavaraj Patil; Thomas Narten; Nobuo OKABE > >> Cc: John Loughney; ipv6@ietf.org; Fred Baker (fred) > >> Subject: RE: Making IPsec *not* mandatory in Node Requirement > >> > >> For defense in depth scenarios I disagree in the case for the > >> MN to verify with the HA. But I see your point. > >> /jim > >> > >> > >>> -----Original Message----- > >>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > >>> Of Basavaraj Patil > >>> Sent: Tuesday, February 26, 2008 12:58 PM > >>> To: Thomas Narten; Nobuo OKABE > >>> Cc: John Loughney; ipv6@ietf.org; [EMAIL PROTECTED] > >>> Subject: Re: Making IPsec *not* mandatory in Node Requirement > >>> > >>> > >>> I agree with Thomas about his views on IPsec being a mandatory and > >>> default component of the IPv6 stack. > >>> Because of this belief, Mobile IPv6 (RFC3775) design relied on IPsec > >>> for securing the signaling. This has lead to complexity of the > >>> protocol and not really helped either in adoption or implementation. > >>> IPsec based security is an overkill for Mobile IPv6 and illustrates > >>> the point that you do not have to use it simply because it > >>> > >> happens to > >> > >>> be an integral part of IPv6. > >>> > >>> -Basavaraj > >>> > >>> > >>> On 2/26/08 10:18 AM, "ext Thomas Narten" <[EMAIL PROTECTED]> wrote: > >>> > >>> > >>>> IMO, we need to get over the idea that IPsec is mandatory in IPv6. > >>>> Really. Or that mandating IPsec is actually useful in practice. > >>>> > >>>> It is the case that mandating IPsec as part of IPv6 has > >>>> > >>> contributed to > >>> > >>>> the hype about how great IPv6 is and how one will get > >>>> > >>> better security > >>> > >>>> with IPv6. Unfortunately, that myth has also harmed the > >>>> > >>> overall IPv6 > >>> > >>>> deployment effort, as people look more closely and come to > >>>> > >>> understand > >>> > >>>> that deploying IPv6 doesn't automatically/easily yield improved > >>>> security. > >>>> > >>>> We all know the reality of security is very different and > >>>> > >> much more > >> > >>>> complicated/nuanced then just saying "use IPsec". > >>>> > >>>> Consider: > >>>> > >>>> IPsec by itself (with no key management) is close to useless. The > >>>> average person cannot configure static keys, so the result is (in > >>>> effect) a useless mandate (as a broad mandate for ALL nodes). > >>>> > >>>> What applications actually make use of IPsec for security? > >>>> > >>> A lot fewer > >>> > >>>> than one might think. For many IPv6 devices/nodes, if one actually > >>>> looks at the applications that will be used on them, they > >>>> > >>> do not use > >>> > >>>> IPsec today for security. And, there are strong/compelling > >>>> > >>> arguments > >>> > >>>> for why IPsec is not the best security solution for many > >>>> > >>> applications. > >>> > >>>> Thus, requiring IPsec is pointless. > >>>> > >>>> To be truly useful, we (of course) need key management. If > >>>> > >>> we want to > >>> > >>>> mandate key management, the stakes go way up. IKEv1/v2 is > >>>> > >>> not a small > >>> > >>>> implementation effort. And, we are now in the funny situation where > >>>> IKEv1 has been implemented, but due to shortcomings, IKEv2 > >>>> > >>> has already > >>> > >>>> been developed. IKEv2 has been out for over 2 years, but > >>>> implementations are not widespread yet. So, would we mandate IKEv1 > >>>> (which is obsoleted and has documented issues), or do we mandate > >>>> IKEv2, even though it is clear it is not widely available yet? > >>>> > >>>> IMO, we should drop the MUST language surrounding IPsec. > >>>> > >>> The technical > >>> > >>>> justification for making it MUST are simply not compelling. > >>>> > >>> It seems > >>> > >>>> to me that the MUST is there primarily for historical/marketing > >>>> reasons. > >>>> > >>>> Note that dropping the MUST will not mean people stop implementing > >>>> IPsec, where there is compelling benefit. Indeed, note > >>>> > >> that the USG > >> > >>>> has already moved away from IKEv1 and has strongly > >>>> > >>> signalled that it > >>> > >>>> will require IKEv2 going forward. So I am confident that IPsec (and > >>>> IKE) will get implemented going forward. > >>>> > >>>> But there is no reason why IPsec should be mandated in > >>>> > >>> devices where > >>> > >>>> it is clear (based on the function/purpose of the device) > >>>> > >>> that IPsec > >>> > >>>> will in fact not actually be used. > >>>> > >>>> As a general "node requirement", SHOULD is the right level, > >>>> > >>> not MUST. > >>> > >>>> Thomas > >>>> > >>>> > >> -------------------------------------------------------------------- > >> > >>>> IETF IPv6 working group mailing list ipv6@ietf.org Administrative > >>>> Requests: http://www.ietf.org/mailman/listinfo/ipv6 > >>>> > >>>> > >> -------------------------------------------------------------------- > >> > >>> -------------------------------------------------------------------- > >>> IETF IPv6 working group mailing list > >>> ipv6@ietf.org > >>> Administrative Requests: http://www.ietf.org/mailman/listinfo/ipv6 > >>> -------------------------------------------------------------------- > >>> > >>> > >> -------------------------------------------------------------------- > >> IETF IPv6 working group mailing list > >> ipv6@ietf.org > >> Administrative Requests: http://www.ietf.org/mailman/listinfo/ipv6 > >> -------------------------------------------------------------------- > >> -------------------------------------------------------------------- > >> IETF IPv6 working group mailing list > >> ipv6@ietf.org > >> Administrative Requests: http://www.ietf.org/mailman/listinfo/ipv6 > >> -------------------------------------------------------------------- > >> > >> > > -------------------------------------------------------------------- > > IETF IPv6 working group mailing list > > ipv6@ietf.org > > Administrative Requests: http://www.ietf.org/mailman/listinfo/ipv6 > > -------------------------------------------------------------------- > > > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: http://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- > -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: http://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------