If we write a SHOULD we really do need some guidance as to when it doesn't apply. Otherwise we make it too easy for product managers to simply cross it off the list. How about
The normal expectation is that a complete IPv6 stack includes an implementation of ESP. However, it is recognized that some stacks, implemented for low-end devices that will be deployed for special purposes where strong security is provided by other protocol layers, may omit ESP.

Regards
Brian Carpenter
University of Auckland

On 2008-03-06 09:14, [EMAIL PROTECTED] wrote:
> Sorry, that was a cut & paste mistake. AH is a MAY.
>
> John
>
>> -----Original Message-----
>> From: ext Vishwas Manral [mailto:[EMAIL PROTECTED]
>> Sent: 05 March, 2008 12:12
>> To: Loughney John (Nokia-OCTO/PaloAlto)
>> Cc: ipv6@ietf.org
>> Subject: Re: Security Requirements for IPv6 Node Req summary
>>
>> Hi John,
>>
>> RFC4301 states AH is optional. Is there a reason why we are
>> making it a MUST be supported feature? Below quoting RFC4301:
>>
>> "IPsec implementations MUST support ESP and MAY
>> support AH."
>>
>> Thanks,
>> Vishwas
>>
>> On Wed, Mar 5, 2008 at 11:46 AM, <[EMAIL PROTECTED]> wrote:
>>> Hi all,
>>>
>>> The RFC 4294-bis draft has the following requirement, which comes
>>> from the initial RFC.
>>>
>>> 8.1. Basic Architecture
>>>
>>> Security Architecture for the Internet Protocol [RFC-4301] MUST be
>>> supported.
>>>
>>> 8.2. Security Protocols
>>>
>>> ESP [RFC-4303] MUST be supported. AH [RFC-4302] MUST be supported.
>>>
>>> We have had a lot of discussion that people basically feel that these
>>> requirements are not applicable and should be moved to SHOULD. I
>>> would say that there is rough WG Consensus on this. Do people feel
>>> if there should be additional text to explain this?
>>>
>>> I suggest that the WG Chairs and our ADs discuss this with the
>>> Security ADs to ensure that this is a reasonable consensus to adopt
>>> - so that we do not run into issues during the eventual IETF/IESG
>>> review. I am not sure that we can go much further in discussions in
>>> the WG.
>>>
>>> Does anyone have comments on this approach?
>>>
>>> John
>>>
>>> --------------------------------------------------------------------
>>> IETF IPv6 working group mailing list
>>> ipv6@ietf.org
>>> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
>>> --------------------------------------------------------------------