Hi,

<basavaraj.pa...@nokia.com> writes:

> IPsec and IKEv2 are network layer protocols that are available in the
> security toolkit. And so are TLS, ssh, Kerberos etc.

TLS, ssh and Kerberos are available in "the security toolkit" but they
are not network layer protocols. IP and IPsec are.

> The IETF cannot force the choice of a security protocol on
> applications or other protocols that need security.

That's correct and that's not what the node requirements doc is about:
it's about mandating *support*, and not use.

> The choice of using IPsec and IKEv2 is available at all times.

In order for that to be true, you need systems that *support* the
protocols, i.e. implement them. This is what you are trying to prevent
even for systems that have enough resources.

> But it may not be the best fit in all cases. SDOs, application and
> protocol developers should be free to choose from the available
> options.

Completely true. And having IPsec and IKEv2 available on a system will
never prevent someone from using TLS. It's even likely they will use the
same libraries/foundations.

> An application may be deployed with different security mechanisms in
> different environments. A good example is IPsec VPNs as well as SSL
> VPNs.
>
> Use of IPsec on host devices today is primarily for a single use case,
> i.e. VPN connectivity. IPsec is used within the core of a network for
> many purposes.

That's the point. Having IPsec/IKE *available* on all nodes leaves room
for the deployment of the protocol for E2E security. Additionally, it
does not prevent at all the use of additional mechanisms. It will never
replace TLS or ssh, because they serve different purposes.

> Some end-hosts may be constrained and mandating IPsec/IKEv2 in order
> to be IPv6 compliant is unwarranted.

I think we all agree on that. The problem is not IPsec/IKEv2 here. It's
not constrained devices either. It's the fact that we do not have an
easy way (in RFC keywords) to mandate support for all devices that
can reasonably do it w/o making constrained devices look like they are
not IPv6 nodes because they cannot have it.

> And other end-hosts which do support IPsec/IKEv2 may use it for some
> use cases and applications. But it should not be the IETF's role to
> mandate that it be the security protocol used in all cases.

Again, I don't understand your position: having IPsec/IKEv2 available on
systems that have sufficient resources to run those does not impose its
*use*. It just guarantees that it is available if you need it.

Cheers,

a+
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------