Hi Thomas,

2008/2/27, Thomas Narten <[EMAIL PROTECTED]>:
> John,
>

[snip]

>
>  And even today, IPv6 only mandates IPsec (with manual keys). No key
>  management.  And if there is one thing we have learned from practical
>  deployments, it's all about key management/distribution. That is the
>  hard stuff that makes or breaks usability.
>
>  Mandating IPsec with just static keying just isn't useful in practice.
>
>  Thus, continuing to mandate IPsec (while continuing to punt on key
>  management) just looks silly.

IMHO, mandating IPsec allows a "Better-Than-Nothing" security (c) :-)

Just a quick example:
Assume that one day, someone finds a security hole in a protocol used
for a specific service and having its own security mechanism. With
IPsec, even with manual configuration, you will be able to continue to
provide this service until a review of the protocol because you know
that the peers have an IPsec implementation. That should limit a
service disruption due to a security issue.

Best regards.

JMC.

>
>
>  Thomas
>
> --------------------------------------------------------------------
>  IETF IPv6 working group mailing list
>  ipv6@ietf.org
>  Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>  --------------------------------------------------------------------
>