Hi Thomas,

Thomas Narten wrote:
> 
> Hi Julien.
> 
> Just commenting on your last point..
> 
> > We should still make sure that every IPv6 node has means to protect
> > its network layer, and make both IPsec and IKEv2 MUST implement. I'd
> > be fine with documenting an exception for constrained nodes where it
> > is not possible to fulfill the requirements, e.g., "Support of both
> > IPsec and IKEv2 is a MUST for IPv6 nodes, except for constrained
> > devices that cannot support implementations of IPsec and IKE."
> 
> The difficulty with such wording is we now start arguing about what a
> "constrained device" is.  This is a judgement call, and is often not
> about whether it can be done, but whether it should be done at the
> expense of some other feature deemed more valuable to device's main
> function. Or by increasing the cost of the device (by adding more
> memory, etc.)

If we make it a SHOULD it is going to be a judgment call as well when one has 
to decide whether to implement IPsec or not on a given device. And people will 
find themselves arguing whether there "exist valid reasons in particular 
circumstances to ignore" the requirement to support IPsec.

Also, we might actually not need to argue for the majority of cases since there 
are plenty of arguably unconstrained devices, such as my cell phone that embeds 
a 200MHz modem processor and a 1GHz application processor. 

So if we could come up with processing power and memory values under which a 
device is considered constrained (e.g., less than 50MHz and 8MB memory) and 
IPsec downgrades from a MUST to a SHOULD it seems to me we'd have cleared the 
way.

> I do like the idea of clarifying that network layer security is a good
> general thing and that IPsec/IKE is the solution for that. But this
> still begs the question in that network layer security is simply not a
> requirement for all applications and usages of an IP device (IMO).

Agree. But having a MUST gives choice to customers/designers. They can choose 
to use network layer security or not, because it is implemented.

--julien
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------