> -----Original Message-----
> From: Sean Lawless [mailto:[EMAIL PROTECTED] 

> Kevin and many others against mandating (MUST) for IPSec have a valid
> point.  Many sensors and other potential IPv6 nodes do not have the
> hardware resources to support IPSec, or those resources are better spent
> at other tasks.  This may fall under #4 in Dow Street's driving
> objection to RFC 4294 wording of MUST, but not necessarily.  With the
> simplicity of securing IP at the edge router with an IPSec tunnel, the
> point of mandating IPSec for nodes appears unwarranted.  I agree with
> Kevin that IPSec be SHOULD for hosts (but remain a MUST for routers).

I strongly disagree.

If IPsec is not mandatory for hosts, then it MUST (if anything) be
mandatory for security gateways, NOT routers, with the exception perhaps
of securing the routing protocols. Reason being, you cannot achieve
security unless ciphertext only goes through non-secure networks.

What you call "edge routers" I call security gateways. These are likely
routers, but they must not be confused with just any ole ISP router, or
router in any other core network that is not "secure" as far as the
client is concerned.

I think it's important not to give anyone the illusion of security.

Bert
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
