Julien,

> That being said I agree that for constrained devices it might be desirable 
> not to implement IPsec and IKE. The question is, should we lower the node 
> requirements bar for all devices because of constrained devices. I don't 
> think so.

From RFC2119 the definitions of MUST and SHOULD are:

1. MUST   This word, or the terms "REQUIRED" or "SHALL", mean that the
   definition is an absolute requirement of the specification.

3. SHOULD   This word, or the adjective "RECOMMENDED", mean that there
   may exist valid reasons in particular circumstances to ignore a
   particular item, but the full implications must be understood and
   carefully weighed before choosing a different course.

The discussion is about changing the required level from MUST to SHOULD.  
SHOULD is a strong recommendation.  It says that you should implement IPSEC and 
IKE except if you have a good reason (e.g., constrained implementation).   This 
seems appropriate to me.


> 
>> Thus, it is my recommendation that the next version of the node
>> requirements document make support for IPsec and IKE both SHOULDs
>> only, with a lot more explanatory text that makes it clear that there
>> are some types of devices where IPsec is not necessarily the best
>> choice.
> 
> From my perspective IPsec is the only choice for network layer security. There 
> are some scenarios where network layer security is not the best choice to 
> secure a system, and there one can choose to use application or transport 
> layer security. 
> 
> We should still make sure that every IPv6 node has means to protect its 
> network layer, and make both IPsec and IKEv2 MUST implement. I'd be fine with 
> documenting an exception for constrained nodes where it is not possible to 
> fulfill the requirements, e.g., "Support of both IPsec and IKEv2 is a MUST 
> for IPv6 nodes, except for constrained devices that cannot support 
> implementations of IPsec and IKE."
> 

That is the definition of SHOULD.

By the way, I talked to a Smart Grid vendor a few weeks ago.  They are using 
IPv6 exclusively in their AMI network (great news) and using IPSEC to secure 
the communication.  However, they are not using IKE and instead use manual 
keys.  That makes a lot of sense for them.  I think this is a good example of 
what is being discussed.  

Bob



--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
