Hi Alain,
On Tue, 26 Feb 2008 13:41:37 +0800
Alain Durand [EMAIL PROTECTED] wrote:
The latest draft: draft-ietf-6man-node-req-bis-00.txt
still lists IPsec as mandatory to implement.
As I mentioned last IETF meeting, this is creating a problem for certain
kind of devices, like cable modems,
Thomas, all,
On Wednesday 27 February 2008, Thomas Narten wrote:
Tony,
For those that have forgotten, the entire reason for mandating
IPsec is to get away from the 47 flavors of security that are never
really configured correctly or completely understood. Yes for any
given situation
Julien Laganier writes:
On Wednesday 27 February 2008, Thomas Narten wrote:
We'll never get them to rely on IPsec, at least not until it's much
more widely available/useable.
Agree. But I think the availability part can be helped by keeping IPsec
mandatory (so that it gets in more and
Hi Alain,
you raise the existential question about the security (except for
dedicated security services like VPN): why to pay for something that
might be never used? :)
This is exactly the same problem I have today with airbags in the
cars: I pay them when I buy a car (i.e. cost), I cannot
Hi,
2008/2/26, Basavaraj Patil [EMAIL PROTECTED]:
It is not the load or processing that is the issue really which I think you
are alluding to. It is just the complexity of integrating a protocol like
Mobile IPv6 with IPsec and IKE/IKEv2.
Mobile IPv6 signaling can be secured via simpler
Brian Dickson wrote:
...
Any of a bunch of other kinds of security can do the job, from TLS to
SSH to use of
out-of-band channels.
For those that have forgotten, the entire reason for mandating IPsec is to
get away from the 47 flavors of security that are never really configured
correctly or
As a general node requirement, SHOULD is the right level, not MUST.
= +1
Apart from the technical discussion of whether IPsec is actually useful for
applications etc. The way KEYWORDS are defined, a MUST makes little
sense because IPv6 will not break without IPsec.
The argument for
PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Hesham Soliman
Sent: Wednesday, February 27, 2008 7:45 AM
To: 'Thomas Narten'; 'Nobuo OKABE'
Cc: [EMAIL PROTECTED]; ipv6@ietf.org; [EMAIL PROTECTED]
Subject: RE: Making IPsec *not* mandatory in Node Requirement
As a general node
*not* mandatory in Node Requirement
Brian Dickson wrote:
...
Any of a bunch of other kinds of security can do the job,
from TLS to
SSH to use of out-of-band channels.
For those that have forgotten, the entire reason for
mandating IPsec is to get away from the 47 flavors of
security
: Wednesday, February 27, 2008 5:20 AM
To: ipv6@ietf.org
Subject: RE: Making IPsec *not* mandatory in Node Requirement
Brian Dickson wrote:
...
Any of a bunch of other kinds of security can do the job, from TLS to
SSH to use of out-of-band channels.
For those that have forgotten, the entire reason
-Original Message-
From: Bound, Jim [mailto:[EMAIL PROTECTED]
On the
issue of e2e encrypt/decrypt except the header there are
those for many reasons will not want to permit this for the
reasons you state is my experience.
I may be way off base, but when I read this, all I can
Basavaraj Patil [EMAIL PROTECTED] writes:
I agree with Thomas about his views on IPsec being a mandatory and
default component of the IPv6 stack. Because of this belief, Mobile
IPv6 (RFC3775) design relied on IPsec for securing the
signaling. This has led to complexity of the protocol and
Tony,
For those that have forgotten, the entire reason for mandating IPsec is to
get away from the 47 flavors of security that are never really configured
correctly or completely understood. Yes for any given situation someone can
design an optimized protocol, but as soon as the situation
Thomas,
Why do you believe MIP6 did not simply adopt the same security model as MIP4
and instead choose IPsec? It was because of the view that IPsec support in
IPv6 by default exists and hence should be used.
And the IESG statement in RFC4285 needs to be revisited and deprecated
because the
suggestion seems too rough to change the consensus.
I would be happy if I see your evidence.
I hope that the records and the experiences described above
helps the discussion.
Thanks,
From: Alain Durand [EMAIL PROTECTED]
Subject: Making IPsec *not* mandatory in Node Requirement ( was Re
exception.
But what is the majority?.Hmm
Thanks,
From: Alain Durand [EMAIL PROTECTED]
Subject: Re: Making IPsec *not* mandatory in Node Requirement
Date: Tue, 26 Feb 2008 16:48:36 +0800
The problem is that some of those devices have really limited memory and
they already do (too?) many
IMO, we need to get over the idea that IPsec is mandatory in
IPv6. Really. Or that mandating IPsec is actually useful in practice.
It is the case that mandating IPsec as part of IPv6 has contributed to
the hype about how great IPv6 is and how one will get better security
with IPv6. Unfortunately,
Hi Thomas,
I would again suggest that instead of making it non-mandatory, we
could provide a separate set of requirements - for different device
types.
OSPFv3 currently uses IPsec because the assumption is that IPv6
mandates IPsec, and that means we do not need any other mechanism for
the same.
I agree with Thomas about his views on IPsec being a mandatory and default
component of the IPv6 stack.
Because of this belief, Mobile IPv6 (RFC3775) design relied on IPsec for
securing the signaling. This has led to complexity of the protocol and not
really helped either in adoption or
: Making IPsec *not* mandatory in Node Requirement
IMO, we need to get over the idea that IPsec is mandatory in
IPv6. Really. Or that mandating IPsec is actually useful in practice.
It is the case that mandating IPsec as part of IPv6 has
contributed to the hype about how great IPv6 is and how one
Hi Basavraj,
But isn't that something IPsec needs to improve on. We already have
efforts like BTNS with connection latching in IPsec which may help
to ease the load on the end devices, which seems to have been the main
issue raised.
Thanks,
Vishwas
On Tue, Feb 26, 2008 at 9:58 AM, Basavaraj
It is not the load or processing that is the issue really which I think you
are alluding to. It is just the complexity of integrating a protocol like
Mobile IPv6 with IPsec and IKE/IKEv2.
Mobile IPv6 signaling can be secured via simpler mechanisms. But because of
the prevailing thinking that
OKABE
Cc: John Loughney; ipv6@ietf.org; [EMAIL PROTECTED]
Subject: Re: Making IPsec *not* mandatory in Node Requirement
I agree with Thomas about his views on IPsec being a
mandatory and default component of the IPv6 stack.
Because of this belief, Mobile IPv6 (RFC3775) design relied
on IPsec
] On Behalf Of Bound, Jim
Sent: mardi 26 février 2008 19:50
To: Basavaraj Patil; Thomas Narten; Nobuo OKABE
Cc: John Loughney; ipv6@ietf.org; Fred Baker (fred)
Subject: RE: Making IPsec *not* mandatory in Node Requirement
For defense in depth scenarios I disagree in the case for the MN to verify
(fred)
Subject: RE: Making IPsec *not* mandatory in Node Requirement
Hi all,
To come back to constrained device, as I already mentioned on
the list within 6lowpan, we are working on a draft which
documents the cost of each feature mandated by RFC4294, from
an implementation perspective (target
Loughney; ipv6@ietf.org; [EMAIL PROTECTED]
Subject: Re: Making IPsec *not* mandatory in Node Requirement
It is not the load or processing that is the issue really
which I think you are alluding to. It is just the complexity
of .
Mobile IPv6 signaling can be secured via simpler mechanisms
Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: mardi 26 février 2008 20:13
To: Julien Abeille (jabeille); [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL
PROTECTED]; [EMAIL PROTECTED]
Cc: ipv6@ietf.org; Fred Baker (fred)
Subject: RE: Making IPsec *not* mandatory in Node Requirement
within 6man
Cheers,
Julien
-Original Message-
From: Vishwas Manral [mailto:[EMAIL PROTECTED]
Sent: mardi 26 février 2008 11:47
To: Julien Abeille (jabeille)
Subject: Re: Making IPsec *not* mandatory in Node Requirement
Hi Julien,
As you stress on lightweight, I would like to stress
- some applications might not require any security, e.g. a light sensor
in your flat might not need it and not implement it, also due to the
very low cost of the sensor.
I agree. There is absolutely no need to prevent my neighbor (or a bad
guy outside my window) from being able to
To: Julien Abeille (jabeille)
Cc: [EMAIL PROTECTED]; ipv6@ietf.org; [EMAIL PROTECTED];
Fred Baker (fred)
Subject: Re: Making IPsec *not* mandatory in Node Requirement
- some applications might not require any security, e.g. a light
sensor in your flat might not need it and not implement
];
ipv6@ietf.org; Fred Baker (fred)
Subject: Re: Making IPsec *not* mandatory in Node Requirement
- some applications might not require any security, e.g. a light
sensor in your flat might not need it and not implement it, also due
to the very low cost of the sensor.
I agree
(fred)
Subject: RE: Making IPsec *not* mandatory in Node Requirement
Hi all,
To come back to constrained device, as I already mentioned on
the list within 6lowpan, we are working on a draft which
documents the cost of each feature mandated by RFC4294, from
an implementation perspective
Basavaraj (NSN - US/Irving); Thomas
Narten; Nobuo OKABE
Cc: Loughney John (Nokia-OCTO/PaloAlto); ipv6@ietf.org; Fred
Baker (fred)
Subject: RE: Making IPsec *not* mandatory in Node Requirement
Hi all,
To come back to constrained device, as I already mentioned on
the list
/PaloAlto); ipv6@ietf.org; Fred Baker
(fred)
Subject: RE: Making IPsec *not* mandatory in Node Requirement
Hi all,
To come back to constrained device, as I already mentioned
on the list
within 6lowpan, we are working on a draft which documents
the cost of
each feature mandated
, February 26, 2008 3:00 PM
To: Julien Abeille (jabeille)
Cc: [EMAIL PROTECTED]; Bound, Jim;
[EMAIL PROTECTED]; [EMAIL PROTECTED]; ipv6@ietf.org; Fred
Baker (fred)
Subject: Re: Making IPsec *not* mandatory in Node Requirement
- some applications might not require any security, e.g. a light
:[EMAIL PROTECTED]
Sent: Tuesday, February 26, 2008 3:18 PM
To: Thomas Narten
Cc: [EMAIL PROTECTED]; Bound, Jim;
[EMAIL PROTECTED]; [EMAIL PROTECTED]; ipv6@ietf.org; Fred
Baker (fred)
Subject: RE: Making IPsec *not* mandatory in Node Requirement
A sensor can only sense..., you are talking about
2008 13:24
To: Julien Abeille (jabeille); Thomas Narten
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; ipv6@ietf.org;
Fred Baker (fred)
Subject: RE: Making IPsec *not* mandatory in Node Requirement
On the contrary some of the laser sensing capabilities now could be considered
light
: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; ipv6@ietf.org; Fred Baker (fred)
Subject: RE: Making IPsec *not* mandatory in Node Requirement
On the contrary some of the laser sensing capabilities now
could be considered light so I guess it is what we mean by
light technically or from
: RE: Making IPsec *not* mandatory in Node Requirement
Julien,
I guess the point is that some cases and deployment, security is not required
to be used.
However, if you are making a product and you do not include security as part of
the solution, than IPSec then you have a problem.
John
Fine
]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; ipv6@ietf.org; Fred Baker (fred)
Subject: RE: Making IPsec *not* mandatory in Node Requirement
On the contrary some of the laser sensing capabilities now
could be considered light so I guess it is what we mean by
light technically or from a physics
Julien,
Ok, I get it, but I would think this is to be left to the
choice of the vendor if/how he provides security.
I am in favor of the approach where node requirements rfc
defines the bare minimum for two nodes to be able to talk to
each other, then phrase the other sections like section
-Original Message-
From: Ed Jankiewicz [mailto:[EMAIL PROTECTED]
That is a good point, does IPsec depend on unanimous support? We
struggled with this in the DoD Profiles. Our rationale for
making IPsec
mandatory (except at the moment for some simple appliances)
was that for
I won't argue against the fact that security is an important part of a
complete solution. The question for me is whether IPsec is the most
appropriate solution for highly constrained embedded devices
(constrained in energy, memory, compute, and link capabilities). From
the few implementation
(jabeille)
Sent: 26 February, 2008 11:12
To: Bound, Jim; Patil Basavaraj (NSN - US/Irving); Thomas
Narten; Nobuo OKABE
Cc: Loughney John (Nokia-OCTO/PaloAlto); ipv6@ietf.org; Fred
Baker (fred)
Subject: RE: Making IPsec *not* mandatory in Node Requirement
Hi all,
To come back to constrained
:[EMAIL PROTECTED]
Sent: mardi 26 février 2008 13:24
To: Julien Abeille (jabeille); Thomas Narten
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; ipv6@ietf.org; Fred Baker (fred)
Subject: RE: Making IPsec *not* mandatory in Node Requirement
On the contrary some of the laser sensing
:[EMAIL PROTECTED] On
Behalf Of Julien Abeille (jabeille)
Sent: Tuesday, February 26, 2008 6:05 PM
To: [EMAIL PROTECTED]
Cc: ipv6@ietf.org
Subject: RE: Making IPsec *not* mandatory in Node Requirement
Ok, I get it, but I would think this is to be left to the
choice of the vendor if/how he
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Ed Jankiewicz
Sent: Tuesday, February 26, 2008 6:08 PM
To: ipv6@ietf.org
Cc: [EMAIL PROTECTED]
Subject: Re: Making IPsec *not* mandatory in Node Requirement
That is a good point, does IPsec depend on unanimous
PROTECTED] On
Behalf Of Jonathan Hui
Sent: Tuesday, February 26, 2008 6:57 PM
To: ipv6@ietf.org
Subject: IPsec and 6LoWPAN (was: Re: Making IPsec *not*
mandatory in Node Requirement)
I won't argue against the fact that security is an important
part of a complete solution. The question for me
PROTECTED]
Subject: Re: Making IPsec *not* mandatory in Node Requirement
Date: Tue, 26 Feb 2008 11:18:33 -0500
IMO, we need to get over the idea that IPsec is mandatory in
IPv6. Really. Or that mandating IPsec is actually useful in practice.
It is the case that mandating IPsec as part of IPv6 has
The latest draft: draft-ietf-6man-node-req-bis-00.txt
still lists IPsec as mandatory to implement.
As I mentioned last IETF meeting, this is creating a problem for certain
kind of devices, like cable modems, who have a very limited memory
footprint. Those devices operate in an environment where
that the records and the experiences described above
helps the discussion.
Thanks,
From: Alain Durand [EMAIL PROTECTED]
Subject: Making IPsec *not* mandatory in Node Requirement ( was Re: Updates to
Node Requirements-bis (UNCLASSIFIED))
Date: Tue, 26 Feb 2008 13:41:37 +0800
The latest draft: draft