Hi,
Having been through the whole thread, I have to react to this last proposal in regard to operational deployments. I already raised several times the fact that IPsec on routers is NOT a generic requirement.
If the "requirements" are generic enough to consider the following realities, then I have no more issue:
- "Router" definition - it ranges from Core to Edge routers to L3 switches to low cost CPE devices to "a Node that interconnects sub-networks by packet forwarding." - all those HW having different capabilities, cost and performance.
So, let's review the use of IPsec on "Routers".
- IPsec can be used by control plane features, such as OSPFv3 Authentication (RFC 4552) or MIPv6 in case the router acts as MIPv6 Home Agent. It is purely a software feature with no real impact on hardware. But why should I support IPsec if none of those features are implemented, let's say on a low cost CPE router?
- IPsec as management feature. As indicated by Fred, it looks to me that the preferred solution is currently SSH/SSL. Does everybody agree about a potential market shift to IPsec?
- IPsec used by Data plane features, such as router-to-router IPsec tunnel where encryption could be hardware assisted. However, if the IPsec tunnel is not terminated on a router, packets will get forwarded as raw traffic. But why should I support this on a core router or Layer 3 switches which will never be configured as tunnel end-point?
- IPsec as end-to-end feature. No question it is used in well controlled domains, but if it is a generic requirement to not interact with traffic protected by IPsec, could we indicate that all features such as packet filtering, QoS marking or re-marking, and instrumentation are lost? This may not be an issue for some people but will certainly be one for others.
And yes, if AH is a "MAY" we need to find a better way to do authentication using ESP... a real IETF task.
Best Regards
Patrick
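The point above about filtering and QoS classification being lost behind ESP, while AH leaves the transport header visible, is illustrated by the following classifier. This is an added example, not code from the thread or from any IETF document; it walks an IPv6 header chain over constructed sample packets (hypothetical SPIs and 2001:db8:: documentation addresses) and reports what a router's filter can still see.

```python
import struct

# IPv6 next-header numbers used below
TCP, UDP, ESP, AH = 6, 17, 50, 51
# Extension headers the classifier skips over: hop-by-hop, routing, fragment, dest options
SKIPPABLE = {0, 43, 44, 60}


def classify(pkt: bytes):
    """Walk the IPv6 header chain the way a filter or QoS classifier would and
    report what it can see: ('tcp'|'udp', sport, dport), ('esp', spi, None)
    when the transport header is hidden by ESP, or ('other', nh, None)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    while nh in SKIPPABLE or nh == AH:
        if off + 2 > len(pkt):
            raise ValueError("truncated header chain")
        if nh == AH:          # AH length field is in 4-octet units, minus 2
            hdr_len = (pkt[off + 1] + 2) * 4
        elif nh == 44:        # fragment header has a fixed length
            hdr_len = 8
        else:                 # other extension headers: 8-octet units, minus 1
            hdr_len = (pkt[off + 1] + 1) * 8
        nh, off = pkt[off], off + hdr_len
    if nh in (TCP, UDP) and off + 4 <= len(pkt):
        sport, dport = struct.unpack("!HH", pkt[off:off + 4])
        return ("tcp" if nh == TCP else "udp", sport, dport)
    if nh == ESP and off + 4 <= len(pkt):
        return ("esp", struct.unpack("!I", pkt[off:off + 4])[0], None)
    return ("other", nh, None)


def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a minimal IPv6 header (constructed documentation addresses)."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64, src, dst) + payload


# Constructed sample packets: a bare TCP header, the same header behind AH
# (authenticated only, hypothetical SPI), and an ESP packet with opaque payload.
TCP_HDR = struct.pack("!HH", 51000, 443) + b"\x00" * 16
PLAIN_TCP = ipv6(TCP, TCP_HDR)
AH_TCP = ipv6(AH, bytes([TCP, 4, 0, 0]) + struct.pack("!II", 0x100, 1) + b"\x00" * 12 + TCP_HDR)
ESP_PKT = ipv6(ESP, struct.pack("!II", 0x200, 1) + b"\xaa" * 24)

if __name__ == "__main__":
    for name, p in (("plain", PLAIN_TCP), ("ah", AH_TCP), ("esp", ESP_PKT)):
        print(name, classify(p))
```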
At 09:18 PM 2/27/2008, Kevin Kargel wrote:
> quick poll - for those opposed to a MUST requirement for
> IPsec, what is your driving objection?
>
My feeling is that we should not introduce mandatory cost factors for end devices. There are many sensor-ish devices that do not require strict security.
If it is possible, could we say that IPsec is MUST for routing hardware and SHOULD for end user devices? That way the end-to-end availability is still serviced, but low risk devices can stay simple and cheap.
Kevin
:$s/worry/happy/g
--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------