IPsec and IKEv2 are network layer protocols that are available in the security
toolkit. And so are TLS, SSH, Kerberos, etc.

The IETF cannot force the choice of a security protocol on applications or
other protocols that need security. The choice of using IPsec and IKEv2 is
available at all times. But it may not be the best fit in all cases. SDOs,
application and protocol developers should be free to choose from the available
options. An application may be deployed with different security mechanisms in
different environments. A good example is IPsec VPNs as well as SSL VPNs.

Use of IPsec on host devices today is primarily for a single use case, i.e. VPN
connectivity. IPsec is used within the core of a network for many purposes.
Some end-hosts may be constrained, and mandating IPsec/IKEv2 in order to be
IPv6 compliant is unwarranted. And other end-hosts which do support IPsec/IKEv2
may use it for some use cases and applications. But it should not be the IETF's
role to mandate that it be the security protocol used in all cases.

Hence a SHOULD requirement is sufficient in the context of IPv6 node-requirements.

-Raj

-----Original Message-----
From: ipv6-boun...@ietf.org [mailto:ipv6-boun...@ietf.org] On Behalf Of ext 
Thomas Narten
Sent: Wednesday, July 21, 2010 3:12 PM
To: Laganier, Julien
Cc: ipv6@ietf.org
Subject: Re: Node Requirements: Issue 17 - IPsec/IKE

Hi Julien.

Just commenting on your last point...

> We should still make sure that every IPv6 node has means to protect
> its network layer, and make both IPsec and IKEv2 MUST implement. I'd
> be fine with documenting an exception for constrained nodes where it
> is not possible to fulfill the requirements, e.g., "Support of both
> IPsec and IKEv2 is a MUST for IPv6 nodes, except for constrained
> devices that cannot support implementations of IPsec and IKE."

The difficulty with such wording is we now start arguing about what a
"constrained device" is.  This is a judgement call, and is often not
about whether it can be done, but whether it should be done at the
expense of some other feature deemed more valuable to the device's main
function. Or by increasing the cost of the device (by adding more
memory, etc.)

I do like the idea of clarifying that network layer security is a good
general thing and that IPsec/IKE is the solution for that. But this
still begs the question in that network layer security is simply not a
requirement for all applications and usages of an IP device (IMO).

Thomas
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------