Hi,

2008/2/26, Basavaraj Patil <[EMAIL PROTECTED]>:
>
>  It is not the load or processing that is the issue really which I think you
>  are alluding to. It is just the complexity of integrating a protocol like
>  Mobile IPv6 with IPsec and IKE/IKEv2.
>  Mobile IPv6 signaling can be secured via simpler mechanisms.

The more different mechanisms you have to secure a service, the more
complexity you will have and the more you will have a security hole somewhere ...

> But because of
>  the prevailing thinking that IPsec MUST be used as the security mechanism,
>  we stuck with it and are, let's say, not too happy about it.

Sorry, but who are "we"?

Best regards.

JMC.

>
>
>  -Basavaraj
>
>
>
>  On 2/26/08 12:13 PM, "ext Vishwas Manral" <[EMAIL PROTECTED]> wrote:
>
>  > Hi Basavaraj,
>  >
>  > But isn't that something IPsec needs to improve on? We already have
>  > efforts like BTNS with "connection latching" in IPsec which may help
>  > to ease the load on the end devices, which seems to have been the main
>  > issue raised.
>  >
>  > Thanks,
>  > Vishwas
>  >
>  > On Tue, Feb 26, 2008 at 9:58 AM, Basavaraj Patil
>  > <[EMAIL PROTECTED]> wrote:
>  >>
>  >>  I agree with Thomas about his views on IPsec being a mandatory and
>  >>  default component of the IPv6 stack.
>  >>  Because of this belief, Mobile IPv6 (RFC3775) design relied on IPsec for
>  >>  securing the signaling. This has led to complexity of the protocol and
>  >>  not really helped either in adoption or implementation.
>  >>  IPsec based security is an overkill for Mobile IPv6 and illustrates the
>  >>  point that you do not have to use it simply because it happens to be an
>  >>  integral part of IPv6.
>  >>
>  >>  -Basavaraj
>  >>
>  >>
>  >>
>  >>
>  >>  On 2/26/08 10:18 AM, "ext Thomas Narten" <[EMAIL PROTECTED]> wrote:
>  >>
>  >>> IMO, we need to get over the idea that IPsec is mandatory in
>  >>> IPv6. Really. Or that mandating IPsec is actually useful in practice.
>  >>>
>  >>> It is the case that mandating IPsec as part of IPv6 has contributed to
>  >>> the hype about how great IPv6 is and how one will get better security
>  >>> with IPv6. Unfortunately, that myth has also harmed the overall IPv6
>  >>> deployment effort, as people look more closely and come to understand
>  >>> that deploying IPv6 doesn't automatically/easily yield improved
>  >>> security.
>  >>>
>  >>> We all know the reality of security is very different and much more
>  >>> complicated/nuanced than just saying "use IPsec".
>  >>>
>  >>> Consider:
>  >>>
>  >>> IPsec by itself (with no key management) is close to useless. The
>  >>> average person cannot configure static keys, so the result is (in
>  >>> effect) a useless mandate (as a broad mandate for ALL nodes).
>  >>>
>  >>> What applications actually make use of IPsec for security? A lot fewer
>  >>> than one might think. For many IPv6 devices/nodes, if one actually
>  >>> looks at the applications that will be used on them, they do not use
>  >>> IPsec today for security. And, there are strong/compelling arguments
>  >>> for why IPsec is not the best security solution for many applications.
>  >>> Thus, requiring IPsec is pointless.
>  >>>
>  >>> To be truly useful, we (of course) need key management. If we want to
>  >>> mandate key management, the stakes go way up. IKEv1/v2 is not a small
>  >>> implementation effort. And, we are now in the funny situation where
>  >>> IKEv1 has been implemented, but due to shortcomings, IKEv2 has already
>  >>> been developed. IKEv2 has been out for over 2 years, but
>  >>> implementations are not widespread yet. So, would we mandate IKEv1
>  >>> (which is obsoleted and has documented issues), or do we mandate
>  >>> IKEv2, even though it is clear it is not widely available yet?
>  >>>
>  >>> IMO, we should drop the MUST language surrounding IPsec. The technical
>  >>> justification for making it MUST is simply not compelling. It seems
>  >>> to me that the MUST is there primarily for historical/marketing
>  >>> reasons.
>  >>>
>  >>> Note that dropping the MUST will not mean people stop implementing
>  >>> IPsec, where there is compelling benefit. Indeed, note that the USG
>  >>> has already moved away from IKEv1 and has strongly signalled that it
>  >>> will require IKEv2 going forward. So I am confident that IPsec (and
>  >>> IKE) will get implemented going forward.
>  >>>
>  >>> But there is no reason why IPsec should be mandated in devices where
>  >>> it is clear (based on the function/purpose of the device) that IPsec
>  >>> will in fact not actually be used.
>  >>>
>  >>> As a general "node requirement", SHOULD is the right level, not MUST.
>  >>>
>  >>> Thomas
>  >>> --------------------------------------------------------------------
>  >>> IETF IPv6 working group mailing list
>  >>> ipv6@ietf.org
>  >>> Administrative Requests: http://www.ietf.org/mailman/listinfo/ipv6
>  >>> --------------------------------------------------------------------
