Brian Dickson wrote:
> ...
> Any of a bunch of other kinds of security can do the job, from TLS to
> SSH to use of out-of-band channels.

For those that have forgotten, the entire reason for mandating IPsec is to
get away from the 47 flavors of security that are never really configured
correctly or completely understood. Yes for any given situation someone can
design an optimized protocol, but as soon as the situation changes the
optimization no longer applies, and may expose unexpected holes. This was in
fact happening at the time the mandate was put in.

> 
> And *this* is why I think that IPsec ought to be downgraded to SHOULD
> for IPv6 node requirements.

As I recall we had a lengthy argument about this, and really don't need to
reopen it now. If there is not a single mandatory-to-implement protocol,
there is no way to assure that two random products will have a common means
of secure communication. Again, for a specific deployment or application,
they can do whatever they want, but that does not remove the need for a
common security protocol when it is not known which other device might need
to talk to it 6 months down the road.


Alain's original post is completely bogus. If his devices don't need IPsec,
he is free to tell his vendors not to load it in the image. That is not a
reason to change node-requirements. He is in a closed environment and knows
that a random device will not appear that doesn't speak the security
protocol for that closed environment. The IETF is defining requirements for
IPv6 nodes that will appear in arbitrary environments, where there is no
means to know the availability of a common security protocol, unless it was
specified up front. Making it a SHOULD only ensures that vendors will never
implement it, and will force the 47 flavors of not-quite-security.


Tony


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------