Good point and Gordon Bell has almost always been right for me so I know I listen to him. The key is do these low power and restricted sensor components require security at the IP layer? If IEEE xxx is secure can we conclude the IP layer is not relevant for sensors, but I would suggest they are for any sensor gateway nodes. Or can we develop in industry a micro-kernel IPsec implementation in hardware that can be cost effectively added to a sensor or set of sensor unions for a network? Clearly we are seeing this type of hardware development on microprocessors with the exponential appearance of deep packet inspection providers into the market that are not router/switch vendors. But is IPsec the right answer is the right question for lowpan for engineering cost reasons as opposed to is it possible?
/jim > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On > Behalf Of Jonathan Hui > Sent: Tuesday, February 26, 2008 6:57 PM > To: ipv6@ietf.org > Subject: IPsec and 6LoWPAN (was: Re: Making IPsec *not* > mandatory in Node Requirement) > > > I won't argue against the fact that security is an important > part of a complete solution. The question for me is whether > IPsec is the most appropriate solution for highly constrained > embedded devices (constrained in energy, memory, compute, and > link capabilities). From the few implementation numbers > thrown around this thread, it sounds like IPsec is not an > option for low-power wireless nodes with 8K RAM, 48K ROM, > 128B link MTU, and not to mention that any implementation > should leave enough space for an interesting application and > should operate for multiple years on modest batteries. > > One nice thing is that, given some application scenarios, > there are other ways to incorporate sufficient security > without the need for IPsec. For example, link-layer security > may be sufficient for private networks. Link-layer security > may also be sufficient if border routers/gateways attach to > other traditional IP networks via encrypted tunnels. > > I'm not a security expert, nor do I know the complete > workings of IPsec. > But I'd be curious if people strongly believe or have ideas > on ways to squeeze IPsec into devices that I'm interested in. > If not, is it at all possible to consider developing an > alternative end-to-end security mechanism that is > lightweight. I'm not arguing that this should be used between > two traditional IP hosts, but that it can be used between a > traditional IP host communicating with a low-power, wireless > device or two low-power wireless devices communicating directly. > > Gordon Bell observed that we've seen a new class of computing > form about every decade. IP has so far been able to follow > these trends, including hand held devices. Now we are at the > beginning of yet another class with low-power wireless > devices based on IEEE 802.15.4, and the 6lowpan effort within > the IETF has set out to bring IPv6 to this new class. I'd be > disappointed if we couldn't come to an agreement on how we > can appropriately bring this new class into the IP framework. > > -- > Jonathan Hui > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: http://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- > -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: http://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
