Good recap, Tony, on why it is very important for us to hear this input, and quite
valid.
thanks
/jim

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Tony Hain
> Sent: Wednesday, February 27, 2008 5:20 AM
> To: ipv6@ietf.org
> Subject: RE: Making IPsec *not* mandatory in Node Requirement
>
> Brian Dickson wrote:
> > ...
> > Any of a bunch of other kinds of security can do the job, from TLS to
> > SSH to use of out-of-band channels.
>
> For those that have forgotten, the entire reason for
> mandating IPsec is to get away from the 47 flavors of
> security that are never really configured correctly or
> completely understood. Yes for any given situation someone
> can design an optimized protocol, but as soon as the
> situation changes the optimization no longer applies, and may
> expose unexpected holes. This was in fact happening at the
> time the mandate was put in.
>
> >
> > And *this* is why I think that IPsec ought to be downgraded to SHOULD
> > for IPv6 node requirements.
>
> As I recall we had a lengthy argument about this, and really
> don't need to reopen it now. If there is not a single
> mandatory-to-implement protocol, there is no way to assure
> that two random products will have a common means of secure
> communication. Again, for a specific deployment or
> application, they can do whatever they want, but that does
> not remove the need for a common security protocol when it is
> not known which other device might need to talk to it 6
> months down the road.
>
>
> Alain's original post is completely bogus. If his devices
> don't need IPsec, he is free to tell his vendors not to load
> it in the image. That is not a reason to change
> node-requirements. He is in a closed environment and knows
> that a random device will not appear that doesn't speak the
> security protocol for that closed environment. The IETF is
> defining requirements for IPv6 nodes that will appear in arbitrary environments, where
> there is no means to know the availability of a common
> security protocol, unless it was specified up front. Making
> it a SHOULD only ensures that vendors will never implement
> it, and force the 47 flavors of not-quite-security.
>
>
> Tony
>
>
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
