Greetings all,

I've been reading this group for some time and appreciate everyone's 
work.  For the most part I have followed the discussions of the past but 
would now like to throw in my 2 cents.

Kevin and many others against mandating (MUST) for IPSec have a valid 
point.  Many sensors and other potential IPv6 nodes do not have the 
hardware resources to support IPSec, or those resources are better spent 
at other tasks.  This may fall under #4 in Dow Street's driving 
objection to RFC 4294 wording of MUST, but not necessarily.  With the 
simplicity of securing IP at the edge router with an IPSec tunnel, the 
point of mandating IPSec for nodes appears unwarranted.  I agree with 
Kevin that IPSec be SHOULD for hosts (but remain a MUST for routers).  
My argument is similar to #5 made by James Carlson.

There are many situations where IPv6 will be deployed without IPSec.  
There is no need to label these devices as non-IPv6 compliant within 
this hosts requirements document.  My gut feeling is that if IPSec MUST 
be supported then why is using it optional?  A MUST that is optional 
wouldn't be the first in IETF history but let it be known that some 
objected.

Some years ago I thought static keyed IPSec to be better than no 
security.  In reality IPSec can be compromised with enough traffic 
analysis, especially if portions of the clear text can be discerned 
(ICMPv6, etc).  Operational security depends on key changing and thus 
key management.  Over time, static keyed IPSec is either masochistic to 
manage or provides only the illusion of security.  Thus I also agree 
with Thomas, Ed and others that mandating static IPSec without key 
management will result in its non-use and now we're back to a MUST that 
is optional to deploy.

In conclusion I believe RFC 4294 should be changed to SHOULD for IPSec because 
of #3, #4 and #5 of the poll.

BR,

Sean Lawless | Senior Software Engineer | Blunk Microsystems LLC <http://www.blunkmicro.com> | 408.XXX.XXXX
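
A concrete illustration of the static-key point made above, added here as an example; it is not from the original message and is not the code of any IPsec implementation. Counter-mode ciphers used in ESP (AES-CTR, AES-GCM) require that a (key, IV) pair never repeat, and the per-packet IV is driven from a counter. With IKE the SA is rekeyed before that counter wraps; on a manually keyed SA there is no key-management protocol to do that, so the counter eventually rolls over and a passive observer who can guess one of the two colliding packets (a predictable ICMPv6 echo, say) reads the other. Assumptions in the script: HMAC-SHA256 stands in for the AES keystream so it runs with the standard library only, the 16-bit sequence space, pre-shared key and traffic are constructed for the demo, and RekeyingSA's key derivation is a toy stand-in for what an IKE CREATE_CHILD_SA exchange does.

```python
import hashlib
import hmac
import struct

# Toy sequence-number space so the wrap happens quickly (constructed for the
# demo). ESP uses 32 bits, or 64 with ESN; the failure mode is the same, it
# just takes longer to reach.
SEQ_BITS = 16
SEQ_MOD = 1 << SEQ_BITS


def keystream(key: bytes, iv: int, length: int) -> bytes:
    """Counter-mode keystream. HMAC-SHA256 stands in for AES-CTR/AES-GCM here;
    what matters is that it depends on (key, iv, block index) only."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QQ", iv, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class StaticSA:
    """Manually keyed SA: one key for the lifetime of the tunnel. The per-packet
    IV is the sequence number, which rolls over silently."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def encrypt(self, plaintext: bytes):
        iv = self.seq % SEQ_MOD
        self.seq += 1
        return iv, xor(plaintext, keystream(self.key, iv, len(plaintext)))


class RekeyingSA(StaticSA):
    """Same cipher, but a fresh key is installed before the IV space wraps,
    which is what IKE rekeying provides for a real SA. The KDF is a toy
    (assumption): real rekeying mixes in fresh Diffie-Hellman output."""

    def encrypt(self, plaintext: bytes):
        if self.seq and self.seq % SEQ_MOD == 0:
            self.key = hashlib.sha256(b"rekey|" + self.key).digest()
        return super().encrypt(plaintext)


def recover_from_iv_reuse(captures, known_plaintext: bytes):
    """Passive attacker: find two captured packets with the same IV. If the
    keystream was identical, ct1 ^ ct2 = pt1 ^ pt2, so knowing pt1 reveals pt2.
    Returns None when no IV repeats in the capture."""
    seen = {}
    for iv, ct in captures:
        if iv in seen:
            first = seen[iv]
            n = min(len(first), len(ct), len(known_plaintext))
            return xor(xor(first[:n], ct[:n]), known_plaintext[:n])
        seen[iv] = ct
    return None


def attack_succeeds(sa_class) -> bool:
    """Drive one SA past its sequence-number wrap and run the attack.
    Constructed traffic: packet 0 is a predictable ICMPv6 echo the attacker
    knows; the packet that reuses its IV carries something worth protecting."""
    sa = sa_class(b"pre-shared key pasted into the sensor at the factory")
    known = b"ICMPv6 echo request, attacker can predict this"
    secret = b"sensor alarm: vault door open, guard absent"
    captures = [sa.encrypt(known)]                  # seq 0 -> IV 0
    for _ in range(SEQ_MOD - 1):                    # seq 1 .. SEQ_MOD-1
        sa.encrypt(b"routine telemetry padding")    # not captured
    captures.append(sa.encrypt(secret))             # seq SEQ_MOD -> IV 0 again
    recovered = recover_from_iv_reuse(captures, known)
    return recovered == secret


if __name__ == "__main__":
    for cls in (StaticSA, RekeyingSA):
        print(f"{cls.__name__:10s} secret recovered by passive observer: "
              f"{attack_succeeds(cls)}")
```

The static SA leaks the second packet outright; the rekeyed SA reuses the same IV value but under a different key, so the XOR trick yields nothing. Which key is in use is the thing a manually keyed deployment never changes, and that is the operational reason rekeying, and hence key management, is the part that actually carries the security.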


Kevin Kargel wrote:
>
>> quick poll - for those opposed to a MUST requirement for 
>> IPsec, what is your driving objection?
>
> My feeling is that we should not introduce mandatory cost factors for
> end devices.  There are many sensor-ish devices that do not require
> strict security. 
>
> If it is possible, could we say that IPSEC is MUST for routing hardware
> and SHOULD for end user devices?  That way the end-to-end availability is
> still serviced, but low risk devices can stay simple and cheap.
>
> Kevin
>
> :$s/worry/happy/g 
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------