On Wed, Jul 21, 2010 at 1:36 PM, Bob Hinden <bob.hin...@gmail.com> wrote: > Julien, > >> That being said I agree that for constrained devices it might be desirable >> not to implement IPsec and IKE. The question is, should we lower the node >> requirements bar for all devices because of constrained devices. I don't >> think so. > > From RFC2119 the definition of MUST and SHOULD are: > > 1. MUST This word, or the terms "REQUIRED" or "SHALL", mean that the > definition is an absolute requirement of the specification. > > 3. SHOULD This word, or the adjective "RECOMMENDED", mean that there > may exist valid reasons in particular circumstances to ignore a > particular item, but the full implications must be understood and > carefully weighed before choosing a different course. > > The discussion is about changing the required level from MUST to SHOULD. > SHOULD is a strong recommendation. It says that you should implement IPSEC > and IKE except if you have a good reason (e.g., constrained implementation). > This seems appropriate to me. >
I agree on these grounds as well. SHOULD is the best term. I am currently going through a project where IPsec on mobile devices has been ruled-out by the handset manufacturers and application level encryption will be used to move foreword. Cameron >> >>> Thus, it is my recommendation that the next version of the node >>> requirements document make support for IPsec and IKE both SHOULDs >>> only, with a lot more explanatory text that makes it clear that there >>> are some types of devices where IPsec is not necessarily the best >>> choice. >> >> From my perspective IPsec is only choice for network layer security. There >> are some scenarios where network layer security is not the best choice to >> secure a system, and there one can choose to use application or transport >> layer security. >> >> We should still make sure that every IPv6 node has means to protect its >> network layer, and make both IPsec and IKEv2 MUST implement. I'd be fine >> with documenting an exception for constrained nodes where it is not possible >> to fulfill the requirements, e.g., "Support of both IPsec and IKEv2 is a >> MUST for IPv6 nodes, except for constrained devices that cannot support >> implementations of IPsec and IKE." >> > > That is the definition of SHOULD. > > By the way, I talked to a Smart Grid vendor a few weeks ago. They are using > IPv6 exclusively in their AMI network (great news) and using IPSEC to secure > the communication. However, they are not using IKE and instead use manual > keys. That makes a lot of sense for them. I think this is a good example of > what is being discussed. > > Bob > > > > -------------------------------------------------------------------- > IETF IPv6 working group mailing list > ipv6@ietf.org > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 > -------------------------------------------------------------------- > -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------