On Feb 27, 2008, at 9:20 AM, James Carlson wrote:

> It's not a good argument for "everyone must implement security in all
> cases in order to be considered a good IPv6 citizen, even if they have
> no plans to use those security protocols, so there."

As I understand it, the current architecture of the Internet  
explicitly allows for local optimization everywhere but IP itself -  
IP is the one place where global functionality and interoperability  
trumps local optimization.  In defining the requirements for IP  
nodes, we are (I think) essentially defining the properties of the  
Internet itself.  In this case, I tend to think that there should be  
a mandatory security mechanism at the IP layer, at least for any IPv6  
node that is connected to the global Internet (or might be connected  
in the future).  It is less clear to me that IPsec is the best  
mechanism to provide this functionality, but changing to a new  
mechanism now may be worse than just sticking with IPsec.

Quick poll - for those opposed to a MUST requirement for IPsec, what  
is your driving objection?

1.  the Internet *does not* need a mandatory security mechanism at  
the IP layer
2.  the Internet *does* need a mandatory security mechanism at the IP  
layer, but IPsec is not the right one because it is too heavyweight
3.  the Internet *does* need a mandatory security mechanism at the IP  
layer, but IPsec *alone* is insufficient (without IKE, key mgmt, etc)
4.  I don't care about the architecture of the Internet, because I  
intend to develop devices that are never connected to the global  
Internet (and therefore play no role in defining the Internet  
architecture or adhering to Internet best practices).

R,
Dow
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------