Folks, Tony is right that cable is a closed environment. I am a cable CMTS router developer talking here. Also, cable has its own security with BPI+ between the cable modem and the CMTS (Cable Modem Termination System). See http://www.cablemodem.com/downloads/specs/CM-SP-BPI+_I12-050812.pdf. BPI+ is not IPsec, but the security is fairly similar. Public keys are negotiated between modem and CMTS, and data traffic is encrypted between modem and CMTS once keys are negotiated. When modem traffic reaches the CMTS, if the traffic has to be forwarded out from the CMTS, the packet is decrypted and sent in the clear. It is a matter of CMTS configuration whether the traffic from the CMTS to the Internet core gets further encrypted, i.e. whether any IPsec is used between the CMTS and the WAN/core router.
Hemant

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Hain
Sent: Wednesday, February 27, 2008 5:20 AM
To: ipv6@ietf.org
Subject: RE: Making IPsec *not* mandatory in Node Requirement

Brian Dickson wrote:
> ...
> Any of a bunch of other kinds of security can do the job, from TLS to
> SSH to use of out-of-band channels.

For those that have forgotten, the entire reason for mandating IPsec is to get away from the 47 flavors of security that are never really configured correctly or completely understood. Yes, for any given situation someone can design an optimized protocol, but as soon as the situation changes the optimization no longer applies, and may expose unexpected holes. This was in fact happening at the time the mandate was put in.

> And *this* is why I think that IPsec ought to be downgraded to SHOULD
> for IPv6 node requirements.

As I recall we had a lengthy argument about this, and really don't need to reopen it now. If there is not a single mandatory-to-implement protocol, there is no way to assure that two random products will have a common means of secure communication. Again, for a specific deployment or application, they can do whatever they want, but that does not remove the need for a common security protocol when it is not known which other device might need to talk to it 6 months down the road.

Alain's original post is completely bogus. If his devices don't need IPsec, he is free to tell his vendors not to load it in the image. That is not a reason to change node-requirements. He is in a closed environment and knows that a random device will not appear that doesn't speak the security protocol for that closed environment. The IETF is defining requirements for IPv6 nodes that will appear in arbitrary environments, where there is no means to know the availability of a common security protocol, unless it was specified up front.
Making it a SHOULD only ensures that vendors will never implement it, and force the 47 flavors of not-quite-security.

Tony

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
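An added illustration of the point Hemant makes about BPI+ (this is editorial example code, not code from the thread or from any DOCSIS/BPI+ or CMTS implementation): link-layer security covers one segment, the CMTS decrypts and forwards in the clear, and adding an IPsec tunnel CMTS-to-core only moves the cleartext boundary one hop further out. The model below takes a forwarding path and a list of encrypted segments and reports which links carry plaintext and which boxes handle it in plaintext. The node names, the path and the three "protection" segments are assumptions chosen to mirror the e-mail, not a real topology; the generalisation to any number of nested or chained tunnels goes beyond the specific case in the text.

```python
"""Which links and nodes see plaintext for a given set of encrypted segments?

Editorial example, not code from the ipv6@ietf.org thread or any BPI+/CMTS
implementation. PATH and the Protection constants are constructed assumptions
that mirror Hemant's description: BPI+ between CM and CMTS, optional IPsec
between CMTS and the core router, or end-to-end IPsec from the CM.
"""
from typing import List, Tuple

# Constructed forwarding path for a packet from a cable modem to an Internet host.
PATH: List[str] = ["CM", "CMTS", "core-router", "ISP-peering", "Internet-host"]

# A protection is (encrypt_at, decrypt_at): the links of PATH between the two
# named nodes carry ciphertext; links outside the segment carry plaintext.
Protection = Tuple[str, str]

BPI_PLUS: Protection = ("CM", "CMTS")                  # DOCSIS link security
CMTS_CORE_IPSEC: Protection = ("CMTS", "core-router")   # optional CMTS config
END_TO_END_IPSEC: Protection = ("CM", "Internet-host")  # host-to-host IPsec


def _segments(path: List[str], protections: List[Protection]) -> List[Tuple[int, int]]:
    """Resolve protections to (lo, hi) index pairs, checking forwarding order."""
    idx = {name: i for i, name in enumerate(path)}
    out = []
    for enc_at, dec_at in protections:
        lo, hi = idx[enc_at], idx[dec_at]
        if lo >= hi:
            raise ValueError(f"protection {enc_at}->{dec_at} is not in forwarding order")
        out.append((lo, hi))
    return out


def cleartext_links(path: List[str], protections: List[Protection]) -> List[Tuple[str, str]]:
    """Links (a, b) of `path` on which the packet travels as plaintext.

    A link is covered if at least one protection segment spans it; nested or
    overlapping tunnels are fine, the gaps are what this surfaces.
    """
    covered = [False] * (len(path) - 1)
    for lo, hi in _segments(path, protections):
        for i in range(lo, hi):
            covered[i] = True
    return [(path[i], path[i + 1]) for i in range(len(path) - 1) if not covered[i]]


def plaintext_nodes(path: List[str], protections: List[Protection]) -> List[str]:
    """Nodes that handle the packet in plaintext.

    A node is shielded only if some tunnel passes *through* it (lo < i < hi).
    A node where a tunnel terminates decrypts and therefore sees plaintext,
    even if it immediately re-encrypts onto the next hop; this is exactly the
    CMTS in the BPI+ case. The two endpoints of the path always see plaintext.
    """
    segs = _segments(path, protections)
    return [
        node for i, node in enumerate(path)
        if not any(lo < i < hi for lo, hi in segs)
    ]


def report(path: List[str], protections: List[Protection]) -> str:
    """Human-readable summary for one scenario."""
    links = cleartext_links(path, protections) or ["none"]
    return (f"protections={protections}\n"
            f"  plaintext on links: {links}\n"
            f"  plaintext at nodes: {plaintext_nodes(path, protections)}")


if __name__ == "__main__":
    for scenario in ([BPI_PLUS],
                     [BPI_PLUS, CMTS_CORE_IPSEC],
                     [BPI_PLUS, END_TO_END_IPSEC]):
        print(report(PATH, scenario))
```

Running it shows the three cases side by side: with BPI+ alone every link past the CMTS is cleartext; adding CMTS-to-core IPsec still leaves the CMTS and the core router (and everything beyond) handling plaintext; only the end-to-end tunnel empties the cleartext-link list, which is the property Tony's argument for a mandatory-to-implement common protocol is about.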