It doesn't seem to me that this WG is chartered to change the normative requirements of IPsec.
Brian

On 2008-03-07 16:43, Vishwas Manral wrote:
> Hi Tony,
>
> You bring forward a very good point; I had raised the same issue about
> 3 years back in the IPsec list. There are now some drafts to add
> support for the same in IPv6. The basic idea is that a middle-box (like
> a firewall) should be able to identify a NULL encrypted packet.
>
> I was however told that with some basic checks like checking some
> bytes in the packet can help in determining if the upper layer packet
> (and if the payload is encrypted or not). Not all firewalls currently
> support this.
>
> Thanks,
> Vishwas
>
> On Thu, Mar 6, 2008 at 5:49 PM, Tony Hain <[EMAIL PROTECTED]> wrote:
>> ESP == MUST && AH == MUST
>>
>> There is a major problem with ESP/NULL & firewalls, so AH has to be there.
>> The crap about lack of an API as a reason to downgrade the requirement for
>> both of these is nothing more than a concession to IETF politics, where 'we
>> don't define APIs' was the mantra at the point in time this was played out
>> before.
>>
>> You will never make progress if you constantly retreat in the face of
>> resistance...
>>
>> Tony
>>
>> > -----Original Message-----
>> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
>> > [EMAIL PROTECTED]
>> > Sent: Wednesday, March 05, 2008 12:15 PM
>> > To: [EMAIL PROTECTED]
>> > Cc: ipv6@ietf.org
>> > Subject: RE: Security Requirements for IPv6 Node Req summary
>> >
>> > Sorry, that was a cut & paste mistake. AH is a MAY.
>> >
>> > John
>> >
>> > >-----Original Message-----
>> > >From: ext Vishwas Manral [mailto:[EMAIL PROTECTED]
>> > >Sent: 05 March, 2008 12:12
>> > >To: Loughney John (Nokia-OCTO/PaloAlto)
>> > >Cc: ipv6@ietf.org
>> > >Subject: Re: Security Requirements for IPv6 Node Req summary
>> > >
>> > >Hi John,
>> > >
>> > >RFC4301 states AH is optional. Is there a reason why we are
>> > >making it a MUST be supported feature? Below quoting RFC4301:
>> > >
>> > >"IPsec implementations MUST support ESP and MAY
>> > > support AH."
>> > >
>> > >Thanks,
>> > >Vishwas
>> > >
>> > >On Wed, Mar 5, 2008 at 11:46 AM, <[EMAIL PROTECTED]> wrote:
>> > >> Hi all,
>> > >>
>> > >> The RFC 4294-bis draft has the following requirement, which comes
>> > >> from the initial RFC.
>> > >>
>> > >> 8.1. Basic Architecture
>> > >>
>> > >>   Security Architecture for the Internet Protocol [RFC-4301] MUST be
>> > >>   supported.
>> > >>
>> > >> 8.2. Security Protocols
>> > >>
>> > >>   ESP [RFC-4303] MUST be supported. AH [RFC-4302] MUST be supported.
>> > >>
>> > >> We have had a lot of discussion that people basically feel that these
>> > >> requirements are not applicable and should be moved to SHOULD. I
>> > >> would say that there is rough WG Consensus on this. Do people feel
>> > >> if there should be additional text to explain this?
>> > >>
>> > >> I suggest that the WG Chairs and our ADs discuss this with the
>> > >> Security ADs to ensure that this is a reasonable consensus to adopt
>> > >> - so that we do not run into issues during the eventual IETF/IESG
>> > >> review. I am not sure that we can go much further in discussions in
>> > >> the WG.
>> > >>
>> > >> Does anyone have comments on this approach?
>> > >>
>> > >> John
>> > >
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
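The firewall check Vishwas describes, identifying an ESP-NULL packet by looking at a few bytes of it, as an added worked example; this is not code from the thread, from any IETF draft, or from any product. It assumes the RFC 4303 ESP layout (SPI, sequence number, payload, padding, pad length, next header, ICV), the default monotonically increasing padding that RFC 4303 specifies, a small assumed set of candidate ICV lengths, and an assumed list of plausible next-header values; the sample packets are constructed inline.

```python
import struct

# Added example (not from the thread): a firewall-style heuristic that decides
# whether an ESP packet is ESP-NULL by checking trailer and inner-header bytes.
# Assumptions: the sender used RFC 4303 default padding (1, 2, 3, ...) and one
# of the ICV lengths below; the next-header set is an illustrative choice.

PLAUSIBLE_NEXT_HEADERS = {4: "IPv4", 6: "TCP", 17: "UDP", 41: "IPv6", 58: "ICMPv6"}
ICV_LENGTHS_TO_TRY = (12, 16, 24, 32)   # 96-, 128-, 192- and 256-bit ICVs (assumed set)


def build_esp_null(spi, seq, payload, next_header, icv_len, align=4):
    """Build an ESP-NULL packet with RFC 4303 layout and default padding."""
    pad_len = (-(len(payload) + 2)) % align          # align payload + padding + 2 trailer bytes
    padding = bytes(range(1, pad_len + 1))           # default monotonic padding
    icv = b"\x00" * icv_len                          # placeholder ICV; not verified here (no key)
    return struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header]) + icv


def upper_layer_is_consistent(next_header, payload):
    """Cheap inner-header checks: does the cleartext look like what it claims to be?"""
    if next_header == 17:                            # UDP: length field must equal payload length
        return len(payload) >= 8 and struct.unpack("!H", payload[4:6])[0] == len(payload)
    if next_header == 6:                             # TCP: data offset must be sane
        if len(payload) < 20:
            return False
        data_offset = (payload[12] >> 4) * 4
        return 20 <= data_offset <= len(payload)
    return True                                      # no further check for other protocols


def looks_like_esp_null(esp, icv_len):
    """Return (is_null, next_header, payload) assuming an ICV of icv_len bytes."""
    if len(esp) < 8 + 2 + icv_len:
        return (False, None, None)
    body = esp[8:len(esp) - icv_len]                 # strip SPI + sequence number and the ICV
    pad_len, next_header = body[-2], body[-1]
    if next_header not in PLAUSIBLE_NEXT_HEADERS or pad_len > len(body) - 2:
        return (False, None, None)
    padding = body[len(body) - 2 - pad_len:len(body) - 2]
    if padding != bytes(range(1, pad_len + 1)):      # ciphertext rarely forms 1, 2, 3, ...
        return (False, None, None)
    payload = body[:len(body) - 2 - pad_len]
    if not upper_layer_is_consistent(next_header, payload):
        return (False, None, None)
    return (True, next_header, payload)


def classify_esp(esp):
    """Try each candidate ICV length; report the first consistent ESP-NULL parse."""
    for icv_len in ICV_LENGTHS_TO_TRY:
        is_null, nh, payload = looks_like_esp_null(esp, icv_len)
        if is_null:
            return {"esp_null": True, "icv_len": icv_len,
                    "next_header": PLAUSIBLE_NEXT_HEADERS[nh], "payload": payload}
    return {"esp_null": False}


# Constructed sample traffic.
UDP_DATAGRAM = struct.pack("!HHHH", 53, 1234, 13, 0) + b"hello"    # UDP length field = 13
TCP_SEGMENT = struct.pack("!HHIIBBHHH", 443, 40000, 1, 0, 0x50, 0x18, 8192, 0, 0) + b"GET"
NULL_UDP_PACKET = build_esp_null(0x1000, 1, UDP_DATAGRAM, 17, icv_len=12)
NULL_TCP_PACKET = build_esp_null(0x1001, 2, TCP_SEGMENT, 6, icv_len=16)
# Stand-in for an encrypted payload: every byte >= 0x80, so no trailer parse is plausible.
ENCRYPTED_LIKE_PACKET = struct.pack("!II", 0x1002, 3) + bytes(range(0x80, 0xC0))

if __name__ == "__main__":
    for name, pkt in (("udp", NULL_UDP_PACKET), ("tcp", NULL_TCP_PACKET), ("enc", ENCRYPTED_LIKE_PACKET)):
        print(name, classify_esp(pkt))
```

The heuristic only succeeds when the trailer bytes, the padding sequence and the inner transport header all agree for some candidate ICV length, which is why the encrypted stand-in fails every parse while both ESP-NULL samples are recognised along with their ICV length and inner protocol. A real middlebox would combine this with per-SA state rather than re-deriving it per packet, since a sender using non-default padding or an ICV length outside the tried set would not be recognised.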