From Jac.Kloots at surfnet.nl Mon Dec 5 22:23:55 2011
From: Jac.Kloots at surfnet.nl (Jac Kloots)
Date: Mon, 5 Dec 2011 22:23:55 +0100 (CET)
Subject: [ipv6-wg] on RIPE-523 IPv6 Address Allocation and Assignment Policy
Message-ID:

While I was reading RIPE-523 I noticed a mismatch between titles in the index and the paragraph itself.

The index for 5.4.2 says:

    Assignments shorter than a /48 to a single End Site

While the paragraph title is:

    Assignment of multiple /48s to a single End Site

Any chance of getting this in line?

Regards,

Jac

-- 
Jac Kloots
Network Services
SURFnet bv

From emadaio at ripe.net Wed Dec 7 15:47:22 2011
From: emadaio at ripe.net (Emilio Madaio)
Date: Wed, 07 Dec 2011 15:47:22 +0100
Subject: [ipv6-wg] Update in the RIPE document for IPv6 Allocation and Assignment policies
Message-ID: <4EDF7C7A.3000605@ripe.net>

Dear colleagues,

An editorial correction has been made to ripe-523 "IPv6 Address Allocation and Assignment Policy". The updated document has been renumbered to ripe-538. It is available at:

http://www.ripe.net/ripe/docs/ripe-538

There was a mismatch between the policy text and the index title for section 5.4.2. This mismatch occurred between the updates from ripe-421 to ripe-450.

Apologies for any inconvenience caused.

Kind regards,

Emilio Madaio
Policy Development Officer
RIPE NCC

From ripe-wgs.cs at schiefner.de Mon Dec 12 16:45:42 2011
From: ripe-wgs.cs at schiefner.de (Carsten Schiefner)
Date: Mon, 12 Dec 2011 16:45:42 +0100
Subject: [ipv6-wg] Usenix: Google deploys IPv6 for internal network
Message-ID: <4EE621A6.6090800@schiefner.de>

Dear all -

maybe this:

https://www.networkworld.com/news/2011/120911-usenix-google-deploys-ipv6-for-253949.html?source=NWWNLE_nlt_network_systems_2011-12-12

is an interesting read-up for at least some of you...

Best,

-C.
From fw at deneb.enyo.de Sat Dec 17 13:45:00 2011
From: fw at deneb.enyo.de (Florian Weimer)
Date: Sat, 17 Dec 2011 13:45:00 +0100
Subject: [ipv6-wg] Usenix: Google deploys IPv6 for internal network
In-Reply-To: <4EE621A6.6090800@schiefner.de> (Carsten Schiefner's message of "Mon, 12 Dec 2011 16:45:42 +0100")
References: <4EE621A6.6090800@schiefner.de>
Message-ID: <87ty4z4bar.fsf@mid.deneb.enyo.de>

* Carsten Schiefner:

> is an interesting read-up for at least some of you...

I wonder if they have implemented some form of source address validation and prevented unicast flooding, or if they essentially run without those safeguards inside each VLAN. (With a hard limit of 256 VLANs per building, those VLANs are probably rather large in some cases.)

From ripe-wgs.cs at schiefner.de Mon Dec 19 12:45:11 2011
From: ripe-wgs.cs at schiefner.de (Carsten Schiefner)
Date: Mon, 19 Dec 2011 12:45:11 +0100
Subject: [ipv6-wg] Usenix: Google deploys IPv6 for internal network
In-Reply-To: <87ty4z4bar.fsf@mid.deneb.enyo.de>
References: <4EE621A6.6090800@schiefner.de> <87ty4z4bar.fsf@mid.deneb.enyo.de>
Message-ID: <4EEF23C7.60202@schiefner.de>

Florian, all -

On 17.12.2011 13:45, Florian Weimer wrote:
>> is an interesting read-up for at least some of you...
>
> I wonder if they have implemented some form of source address
> validation and prevented unicast flooding, or if they essentially run
> without those safeguards inside each VLAN. (With a hard limit of 256
> VLANs per building, those VLANs are probably rather large in some
> cases.)

maybe some Google employees being involved in v6 deployments - and I know that the RIPE community has some on board: hint, hint! ;-) - want to fill us in here?

Best,

-C.

From jan at go6.si Fri Dec 23 09:45:06 2011
From: jan at go6.si (Jan Zorz @ go6.si)
Date: Fri, 23 Dec 2011 09:45:06 +0100
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
Message-ID: <4EF43F92.4000403@go6.si>

Dear IPv6 community.
(copy/paste from our internal discussion)

The authors of RIPE-501 are finalizing the last comments from the previous last call and would like community input on what to do with IPsec. All authors feel that IPsec should be a mandatory requirement for all devices, although due to technical limitations, for mobile devices it will be optional. We are aware that RFC6434 made IPsec support a SHOULD rather than a MUST.

From RFC 2119:

    SHOULD   This word, or the adjective "RECOMMENDED", mean that there
    may exist valid reasons in particular circumstances to ignore a
    particular item, but the full implications must be understood and
    carefully weighed before choosing a different course.

The change was largely due to limitations found in low power devices and therefore we still feel the community is best served by requiring mandatory IPsec support in all other devices (hosts, routers or layer-3 switches, network security devices, load balancers).

If we get this input from you this year, there is a great chance that we could put the new/final draft out for discussion and/or maybe last-last-call before new year.

For the RIPE-501 authors group,
Jan

P.S: wishing happy new year, merry Xmas, happiness, IPv6 and all that stuff in at least next year :)

From fweimer at bfk.de Fri Dec 23 10:06:12 2011
From: fweimer at bfk.de (Florian Weimer)
Date: Fri, 23 Dec 2011 09:06:12 +0000
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
In-Reply-To: <4EF43F92.4000403@go6.si> (Jan Zorz's message of "Fri, 23 Dec 2011 09:45:06 +0100")
References: <4EF43F92.4000403@go6.si>
Message-ID: <82y5u3bqt7.fsf@mid.bfk.de>

* Jan Zorz:

> The authors of RIPE-501 are finalizing the last comments from previous
> last call and would like community input for what to do with IPsec.
> All authors feel that IPsec should be a mandatory requirement for all
> devices although due to technical limitations, for mobile devices it
> will be optional.
Shouldn't it be the other way round? Mobile devices are more likely to need VPN services than other kinds of devices.

-- 
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From merike at doubleshotsecurity.com Fri Dec 23 16:46:08 2011
From: merike at doubleshotsecurity.com (Merike Kaeo)
Date: Fri, 23 Dec 2011 07:46:08 -0800
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
In-Reply-To: <82y5u3bqt7.fsf@mid.bfk.de>
References: <4EF43F92.4000403@go6.si> <82y5u3bqt7.fsf@mid.bfk.de>
Message-ID: <00568AC9-DA18-4243-B030-72843FD11A05@doubleshotsecurity.com>

On Dec 23, 2011, at 1:06 AM, Florian Weimer wrote:

> * Jan Zorz:
>
>> The authors of RIPE-501 are finalizing the last comments from previous
>> last call and would like community input for what to do with IPsec.
>> All authors feel that IPsec should be a mandatory requirement for all
>> devices although due to technical limitations, for mobile devices it
>> will be optional.
>
> Shouldn't it be the other way round? Mobile devices are more likely to
> need VPN services than other kinds of devices.

Mobile devices typically use TLS. If that has changed it would be good to know, but from my experience IPsec is hardly ever used in mobile devices, and vendors had issues with battery life and argued against making it a mandatory requirement in the IETF.

- merike

>
> --
> Florian Weimer
> BFK edv-consulting GmbH       http://www.bfk.de/
> Kriegsstraße 100              tel: +49-721-96201-1
> D-76133 Karlsruhe             fax: +49-721-96201-99
>
>

From evyncke at cisco.com Fri Dec 23 17:30:40 2011
From: evyncke at cisco.com (Eric Vyncke (evyncke))
Date: Fri, 23 Dec 2011 17:30:40 +0100
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
In-Reply-To: <4EF43F92.4000403@go6.si>
References: <4EF43F92.4000403@go6.si>
Message-ID: <317616CE96204D49B5A1811098BA89500625B79E@XMB-AMS-110.cisco.com>

Jan,

Let's be realistic (and the best quality of RIPE-501++ is to be realistic and 'down to the ground'): very few IPv6-nodes do IPsec... So, let's remove this requirement and make it optional (RFC 6434 clearly shows the path).

Going in holiday mode: do you use SSH or telnet+IPsec ? :-)

In all friendship, Season's Greetings for all

-Éric

> -----Original Message-----
> From: ipv6-wg-bounces at ripe.net [mailto:ipv6-wg-bounces at ripe.net] On Behalf
> Of Jan Zorz @ go6.si
> Sent: Friday, 23 December 2011 09:45
> To: ipv6-wg at ripe.net
> Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to
> community - we need your input.
>
> Dear IPv6 community.
>
> (copy/paste from our internal discussion)
>
> The authors of RIPE-501 are finalizing the last comments from previous
> last call and would like community input for what to do with IPsec. All
> authors feel that IPsec should be a mandatory requirement for all
> devices although due to technical limitations, for mobile devices it
> will be optional. We are aware that RFC6434 made IPsec support a SHOULD
> rather than a MUST.
>
> From RFC 2119: SHOULD This word, or the adjective "RECOMMENDED", mean
> that there may exist valid reasons in particular circumstances to ignore
> a particular item, but the full implications must be understood and
> carefully weighed before choosing a different course.
>
> The change was largely due to limitations found in low power devices and
> therefore we still feel the community is best served by requiring
> mandatory IPsec support in all other devices (hosts, routers or layer-3
> switches, network security devices, load balancers)
>
> If we get this input from you this year, there is a great chance that we
> could put out the new/final draft out for discussion and/or maybe
> last-last-call before new year.
>
> For RIPE-501 authors group, Jan
>
> P.S: wishing happy new year, merry xmass, happiness, IPv6 and all that
> stuff in at least next year :)

From jan at go6.si Fri Dec 23 23:16:45 2011
From: jan at go6.si (Jan Zorz @ go6.si)
Date: Fri, 23 Dec 2011 23:16:45 +0100
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
In-Reply-To: <317616CE96204D49B5A1811098BA89500625B79E@XMB-AMS-110.cisco.com>
References: <4EF43F92.4000403@go6.si> <317616CE96204D49B5A1811098BA89500625B79E@XMB-AMS-110.cisco.com>
Message-ID: <4EF4FDCD.8040005@go6.si>

On 12/23/11 5:30 PM, Eric Vyncke (evyncke) wrote:
> Jan,
>
> Let's be realistic (and the best quality of RIPE-501++ is to be
> realistic and 'down to the ground'): very few IPv6-nodes do IPsec...
> So, let's remove this requirement and make it optional (RFC 6434
> clearly shows the path).
>
> Going in holiday mode: do you use SSH or telnet+IPsec ? :-)

I see your point :)

so, +1 for all optional.

What do others think?

And an additional question: should we request IPsec-v3 or v2?

Cheers, Jan

From fgont at si6networks.com Fri Dec 23 11:26:54 2011
From: fgont at si6networks.com (Fernando Gont)
Date: Fri, 23 Dec 2011 07:26:54 -0300
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
In-Reply-To: <4EF43F92.4000403@go6.si>
References: <4EF43F92.4000403@go6.si>
Message-ID: <4EF4576E.40103@si6networks.com>

Hi, Jan,

On 12/23/2011 05:45 AM, Jan Zorz @ go6.si wrote:
> The change was largely due to limitations found in low power devices and
> therefore we still feel the community is best served by requiring
> mandatory IPsec support in all other devices (hosts, routers or layer-3
> switches, network security devices, load balancers)

While I have not followed the discussion that led to MUST -> SHOULD in RFC6434 closely, I should say that it is well understood that the previous requirement of "MUST" was mostly "words on paper".
Question: Does "requiring IPsec support in all other devices" mean "complying with RFC 4301"? If that's the case, you're also requiring those devices to support IKEv2. If that's intentional, I think you should make it explicit...

Thanks, and Merry Christmas!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fgont at si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

From mm at elabnet.de Sat Dec 24 03:42:32 2011
From: mm at elabnet.de (Michael Markstaller)
Date: Sat, 24 Dec 2011 03:42:32 +0100
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
In-Reply-To: <4EF4FDCD.8040005@go6.si>
References: <4EF43F92.4000403@go6.si> <317616CE96204D49B5A1811098BA89500625B79E@XMB-AMS-110.cisco.com> <4EF4FDCD.8040005@go6.si>
Message-ID: <4EF53C18.1040706@elabnet.de>

Just my 2ct:
I have 90% with IPSec but 0,000% IPv6 (whatever you think, fact, this is not happening in real life yet! we're peering, all set up, but no single customer ever asked for it?! Maybe there's still something wrong with IPv6?

Both are yet freaky stuff, my cents: don't block the new freaky stuff (V6) with the old one (IPSec) which never got real.. in real life..

Michael

On 23.12.2011 23:16, Jan Zorz @ go6.si wrote:
> On 12/23/11 5:30 PM, Eric Vyncke (evyncke) wrote:
>> Jan,
>>
>> Let's be realistic (and the best quality of RIPE-501++ is to be
>> realistic and 'down to the ground'): very few IPv6-nodes do
>> IPsec... So, let's remove this requirement and make it optional
>> (RFC 6434 clearly shows the path).
>>
>> Going in holiday mode: do you use SSH or telnet+IPsec ? :-)
>
> I see your point :)
>
> so, +1 for all optional.
>
> What others think?
>
> And additional question: should we request IPsec-v3 or v2?
>
> Cheers, Jan
>

-- 
Michael Markstaller
Elaborated Networks GmbH
www.elabnet.de - www.wiregate.de
Lise-Meitner-Str. 1, D-85662 Hohenbrunn, Germany
fon: +49-8102-8951-60, fax: +49-8102-8951-80
Geschäftsführer: Stefan Werner, Michael Markstaller
Amtsgericht München HRB 125120, Ust-ID: DE201281054

From marcoh at marcoh.net Sat Dec 24 08:53:45 2011
From: marcoh at marcoh.net (Marco Hogewoning)
Date: Sat, 24 Dec 2011 08:53:45 +0100
Subject: [ipv6-wg] Waiting for customers ( was Re: RIPE-501 replacement document - IPsec question to community - we need your input.)
In-Reply-To: <4EF53C18.1040706@elabnet.de>
References: <4EF43F92.4000403@go6.si> <317616CE96204D49B5A1811098BA89500625B79E@XMB-AMS-110.cisco.com> <4EF4FDCD.8040005@go6.si> <4EF53C18.1040706@elabnet.de>
Message-ID:

On 24 dec. 2011, at 03:42, Michael Markstaller wrote:

>
> Just my 2ct:
> I have 90% with IPSec but 0,000% IPv6 (whatever you think, fact, this
> is not happening in real life yet! we're peering, all set-up, but no
> single customer ever asked for?! Maybe there's still something wrong
> with IPv6?

How many customers call you and ask literally for "IPv4"? In my experience most customers ask for Internet connectivity and don't care about the protocol. Given the choice the customer probably wants a V12 "...'cause it goes faster!" :)

Merry christmas to you all,

Grtx,

MarcoH (no hats)

-- 
"Good tests kill flawed theories; we remain alive to guess again"

From ripe.ipv6-wg at ml.karotte.org Sat Dec 24 12:57:22 2011
From: ripe.ipv6-wg at ml.karotte.org (Sebastian Wiesinger)
Date: Sat, 24 Dec 2011 12:57:22 +0100
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
In-Reply-To: <317616CE96204D49B5A1811098BA89500625B79E@XMB-AMS-110.cisco.com>
References: <4EF43F92.4000403@go6.si> <317616CE96204D49B5A1811098BA89500625B79E@XMB-AMS-110.cisco.com>
Message-ID: <20111224115722.GA20855@danton.fire-world.de>

* Eric Vyncke (evyncke) [2011-12-23 17:32]:
> Jan,
>
> Let's be realistic (and the best quality of RIPE-501++ is to be
> realistic and 'down to the ground'): very few IPv6-nodes do IPsec...
> So, let's remove this requirement and make it optional (RFC 6434
> clearly shows the path).

+1

Happy Holidays!

Sebastian

-- 
New GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A 9D82 58A2 D94A 93A0 B9CE)
Old GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

From us at sweet-sorrow.com Sat Dec 24 13:10:41 2011
From: us at sweet-sorrow.com (Us)
Date: Sat, 24 Dec 2011 13:10:41 +0100
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
In-Reply-To: <20111224115722.GA20855@danton.fire-world.de>
References: <4EF43F92.4000403@go6.si> <317616CE96204D49B5A1811098BA89500625B79E@XMB-AMS-110.cisco.com> <20111224115722.GA20855@danton.fire-world.de>
Message-ID: <4EF5C141.5030601@sweet-sorrow.com>

On 12/24/2011 12:57 PM, Sebastian Wiesinger wrote:
> * Eric Vyncke (evyncke) [2011-12-23 17:32]:
>> Jan,
>>
>> Let's be realistic (and the best quality of RIPE-501++ is to be
>> realistic and 'down to the ground'): very few IPv6-nodes do IPsec...
>> So, let's remove this requirement and make it optional (RFC 6434
>> clearly shows the path).
>
> +1
>
> Happy Holidays!
>
> Sebastian
>

I'd have to +1 this also. Especially because of the already mentioned low power devices (phones and tablets and such). Even though it would be nice to have it.
Ragnar Belial Us

From merike at doubleshotsecurity.com Sun Dec 25 14:55:49 2011
From: merike at doubleshotsecurity.com (Merike Kaeo)
Date: Sun, 25 Dec 2011 05:55:49 -0800
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
In-Reply-To: <4EF4FDCD.8040005@go6.si>
References: <4EF43F92.4000403@go6.si> <317616CE96204D49B5A1811098BA89500625B79E@XMB-AMS-110.cisco.com> <4EF4FDCD.8040005@go6.si>
Message-ID:

Hello and Happy Holidays to everyone....

On Dec 23, 2011, at 2:16 PM, Jan Zorz @ go6.si wrote:

> On 12/23/11 5:30 PM, Eric Vyncke (evyncke) wrote:
>> Jan,
>>
>> Let's be realistic (and the best quality of RIPE-501++ is to be
>> realistic and 'down to the ground'): very few IPv6-nodes do IPsec...
>> So, let's remove this requirement and make it optional (RFC 6434
>> clearly shows the path).
>>
>> Going in holiday mode: do you use SSH or telnet+IPsec ? :-)
>
> I see your point :)
>
> so, +1 for all optional.
>
> What others think?

Just to be sure we are all saying the same thing. Are we wanting to have IPsec be optional for *ALL* sections, so even for routers or layer-3 switches, network security devices, load balancers?

1. For CPEs we had this discussion [July 20-26, 2011 on this list] and the decision thus far was to do:

>>>> My suggestion would be to add (in addition to RFC6204 in
>>>> mandatory):
>>>>
>>>> "If this specification is used for business class CPE, then
>>>> IPsec-v2 [RFC2401, RFC2406, RFC2402], IKE version 2 (IKEv2)
>>>> [RFC4306, RFC4718] and ISAKMP [RFC2407, RFC2408, RFC2409] must be
>>>> supported in addition to RFC6204 requirements"

2. For Mobile Devices it makes sense to put it as optional since in my experience TLS is more often used for VPN scenarios. It would be great to know if that has changed.

3. For hosts, it probably also makes sense to have IPsec be optional since in the IETF discussions (which occurred in Feb - March 2088!!! on the IPv6 Maintenance WG mailing list) mostly since sensors and low end hosts (i.e. cable modems and also low end CPEs) would not want to deal with the code bloat. However, I will make a note that an IETF 'SHOULD' is not the same as optional. If it were optional it would be a 'MAY'. Also, at the time of the discussion there were talks about BTNS (Better Than Nothing Security) being a way to help solve some deployment issues - back in 2008 the standards were still just in draft stages. Check out hack.org/mc/blog/ which a friend provided a pointer to a few days ago. Seemed really interesting to me. With a better potential for DNS being used to transfer public keys and the fact that most OSs have IPsec capabilities, I just hope we are going to make the right practical decision for now. Folks on this list know best and we as authors will definitely reflect list consensus.

4. For routers and layer-3 switches, network security devices and load balancers I would expect the industry to want IPsec as mandatory but let's see what folks on list say.

> And additional question: should we request IPsec-v3 or v2?

The thinking currently is that wherever we say we require IPsec (either for mandatory or optional), we would specify the following:

- IPsec-v3 [RFC4301, RFC4303, RFC4302] *
- IKE version 2 (IKEv2) [RFC5996 (obsoletes RFC 4306), RFC4718] *
- ISAKMP [RFC2407, RFC2408, RFC2409]

OR, are there any places where the updated IPsec standards do not make sense and we still want to specify IPsec-v2 [RFC2401, RFC2406, RFC2402] ??

Thanks all...

- merike

>
> Cheers, Jan
>

From merike at doubleshotsecurity.com Sun Dec 25 17:38:20 2011
From: merike at doubleshotsecurity.com (Merike Kaeo)
Date: Sun, 25 Dec 2011 08:38:20 -0800
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
In-Reply-To: <4EF4FDCD.8040005@go6.si>
References: <4EF43F92.4000403@go6.si> <317616CE96204D49B5A1811098BA89500625B79E@XMB-AMS-110.cisco.com> <4EF4FDCD.8040005@go6.si>
Message-ID: <7A8F3749-485E-4939-9C08-94F97F4C72CE@doubleshotsecurity.com>

Whoops....first go-around said 2088 for IETF IPv6 Maintenance wg discussions below....should obviously be 2008!

- merike

[The remainder of this message repeats the previous message verbatim.]

From merike at doubleshotsecurity.com Sun Dec 25 17:55:35 2011
From: merike at doubleshotsecurity.com (Merike Kaeo)
Date: Sun, 25 Dec 2011 08:55:35 -0800
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
In-Reply-To: <4EF4576E.40103@si6networks.com>
References: <4EF43F92.4000403@go6.si> <4EF4576E.40103@si6networks.com>
Message-ID: <74A6AA4D-77ED-46AF-AC10-6C707F28A135@doubleshotsecurity.com>

Hi Fernando..
On Dec 23, 2011, at 2:26 AM, Fernando Gont wrote:

> Hi, Jan,
>
> On 12/23/2011 05:45 AM, Jan Zorz @ go6.si wrote:
>> The change was largely due to limitations found in low power devices and
>> therefore we still feel the community is best served by requiring
>> mandatory IPsec support in all other devices (hosts, routers or layer-3
>> switches, network security devices, load balancers)
>
> While I have not followed the discussion that lead to MUST -> SHOULD in
> RFC6434 closely, I should say that it is well understood that the
> previous requirement of "MUST" was mostly "words on paper".

Yes....there were many IPv6 capable devices without IPsec for many years. One of the comments made in the thread of Feb 2008 was that MUST or SHOULD wouldn't make much difference in getting implementations to appear.

http://www.ietf.org/mail-archive/web/ipv6/current/msg09230.html

>
> Question: Does "requiring IPsec support in all other devices" mean
> "complying with RFC 4301"? If that's the case, you're also requiring
> those devices to support IKEv2.

The intent right now is to add the following specifications for IPsec support:

- IPsec-v3 [RFC4301, RFC4303, RFC4302] *
- IKE version 2 (IKEv2) [RFC5996 (obsoletes RFC 4306), RFC4718] *
- ISAKMP [RFC2407, RFC2408, RFC2409]

I have been seeing more shipping IKEv2 implementations in the past few years and do believe most newer devices follow IPsec-v3 specs. Again, this is something the authors would like to hear input on to make sure this is the right thing to specify across all devices, regardless of whether IPsec will be mandatory or optional.

> If that's intentional, I think you should make it explicit...

Agreed

> Thanks, and Merry Christmas!

Happy Holidays.....

- merike

>
> Best regards,
> --
> Fernando Gont
> SI6 Networks
> e-mail: fgont at si6networks.com
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
>
>
>
>

From fweimer at bfk.de Tue Dec 27 10:15:29 2011
From: fweimer at bfk.de (Florian Weimer)
Date: Tue, 27 Dec 2011 09:15:29 +0000
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
In-Reply-To: <00568AC9-DA18-4243-B030-72843FD11A05@doubleshotsecurity.com> (Merike Kaeo's message of "Fri, 23 Dec 2011 07:46:08 -0800")
References: <4EF43F92.4000403@go6.si> <82y5u3bqt7.fsf@mid.bfk.de> <00568AC9-DA18-4243-B030-72843FD11A05@doubleshotsecurity.com>
Message-ID: <82y5ty1iku.fsf@mid.bfk.de>

* Merike Kaeo:

> On Dec 23, 2011, at 1:06 AM, Florian Weimer wrote:
>
>> * Jan Zorz:
>>
>>> The authors of RIPE-501 are finalizing the last comments from previous
>>> last call and would like community input for what to do with IPsec.
>>> All authors feel that IPsec should be a mandatory requirement for all
>>> devices although due to technical limitations, for mobile devices it
>>> will be optional.
>>
>> Shouldn't it be the other way round? Mobile devices are more likely to
>> need VPN services than other kinds of devices.
>
> Mobile devices typically use TLS.

Most devices use TLS.

I agree with dropping IPsec from the document completely, independent of device type.

-- 
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From jan at go6.si Tue Dec 27 11:39:43 2011
From: jan at go6.si (Jan Zorz @ go6.si)
Date: Tue, 27 Dec 2011 11:39:43 +0100
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
In-Reply-To: <82y5ty1iku.fsf@mid.bfk.de>
References: <4EF43F92.4000403@go6.si> <82y5u3bqt7.fsf@mid.bfk.de> <00568AC9-DA18-4243-B030-72843FD11A05@doubleshotsecurity.com> <82y5ty1iku.fsf@mid.bfk.de>
Message-ID: <4EF9A06F.40107@go6.si>

On 12/27/11 10:15 AM, Florian Weimer wrote:
> Most devices use TLS.
>
> I agree with dropping IPsec from the document completely, indepedent of
> device type.

Hi,

So you suggest not mentioning IPsec in any form at all in the whole document? Am I reading this correctly?

Cheers, Jan

From fweimer at bfk.de Tue Dec 27 13:40:54 2011
From: fweimer at bfk.de (Florian Weimer)
Date: Tue, 27 Dec 2011 12:40:54 +0000
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
In-Reply-To: <4EF9A06F.40107@go6.si> (Jan Zorz's message of "Tue, 27 Dec 2011 11:39:43 +0100")
References: <4EF43F92.4000403@go6.si> <82y5u3bqt7.fsf@mid.bfk.de> <00568AC9-DA18-4243-B030-72843FD11A05@doubleshotsecurity.com> <82y5ty1iku.fsf@mid.bfk.de> <4EF9A06F.40107@go6.si>
Message-ID: <82d3ba192h.fsf@mid.bfk.de>

* Jan Zorz:

> On 12/27/11 10:15 AM, Florian Weimer wrote:
>> Most devices use TLS.
>>
>> I agree with dropping IPsec from the document completely, indepedent of
>> device type.

> So you suggest not mentioning IPsec in any form at all in whole
> document? Am I reading this correctly?

Yes. Even if we could achieve agreement on a subset of devices where it's supposed to make sense, "IPsec" is really a catchphrase for a set of related protocols, so anyone who actually needs some of it needs to ask for it explicitly anyway.

-- 
Florian Weimer
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

From evyncke at cisco.com Tue Dec 27 16:43:43 2011
From: evyncke at cisco.com (Eric Vyncke (evyncke))
Date: Tue, 27 Dec 2011 16:43:43 +0100
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question tocommunity - we need your input.
In-Reply-To: <82d3ba192h.fsf@mid.bfk.de>
References: <4EF43F92.4000403@go6.si> <82y5u3bqt7.fsf@mid.bfk.de> <00568AC9-DA18-4243-B030-72843FD11A05@doubleshotsecurity.com> <82y5ty1iku.fsf@mid.bfk.de> <4EF9A06F.40107@go6.si> <82d3ba192h.fsf@mid.bfk.de>
Message-ID: <317616CE96204D49B5A1811098BA89500625B89F@XMB-AMS-110.cisco.com>

I think that we should keep IPsec/IKEv2 only for firewalls and mention at any place where OSPFv3 is mentioned that the support of AH is required.

> -----Original Message-----
> From: ipv6-wg-bounces at ripe.net [mailto:ipv6-wg-bounces at ripe.net] On Behalf
> Of Florian Weimer
> Sent: Tuesday, 27 December 2011 13:41
> To: Jan Zorz @ go6.si
> Cc: ipv6-wg at ripe.net
> Subject: Re: [ipv6-wg] RIPE-501 replacement document - IPsec question
> tocommunity - we need your input.
>
> * Jan Zorz:
>
> > On 12/27/11 10:15 AM, Florian Weimer wrote:
> >> Most devices use TLS.
> >>
> >> I agree with dropping IPsec from the document completely, indepedent of
> >> device type.
>
> > So you suggest not mentioning IPsec in any form at all in whole
> > document? Am I reading this correctly?
>
> Yes. Even if we could achieve agreement on a subset of devices where
> it's supposed to make sense, "IPsec" is really a catchphrase for a set
> of related protocols, so anyone who actually needs some of it needs to
> ask for it explicitly anyway.
>
> --
> Florian Weimer
> BFK edv-consulting GmbH       http://www.bfk.de/
> Kriegsstraße 100              tel: +49-721-96201-1
> D-76133 Karlsruhe             fax: +49-721-96201-99

From merike at doubleshotsecurity.com Tue Dec 27 17:08:51 2011
From: merike at doubleshotsecurity.com (Merike Kaeo)
Date: Tue, 27 Dec 2011 08:08:51 -0800
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question tocommunity - we need your input.
In-Reply-To: <317616CE96204D49B5A1811098BA89500625B89F@XMB-AMS-110.cisco.com>
References: <4EF43F92.4000403@go6.si> <82y5u3bqt7.fsf@mid.bfk.de> <00568AC9-DA18-4243-B030-72843FD11A05@doubleshotsecurity.com> <82y5ty1iku.fsf@mid.bfk.de> <4EF9A06F.40107@go6.si> <82d3ba192h.fsf@mid.bfk.de> <317616CE96204D49B5A1811098BA89500625B89F@XMB-AMS-110.cisco.com>
Message-ID:

On Dec 27, 2011, at 7:43 AM, Eric Vyncke (evyncke) wrote:

> I think that we should keep IPsec/IKEv2 only for firewall and mention to any place where OSPFv3 is mentioned that the support of AH is required.

Is there an RFC that now states that IPsec AH for OSPFv3 is a 'MUST' or 'SHOULD' and not a 'MAY'? Last I recall the specifics for how to implement IPsec for OSPFv3 are in RFC4552, which states that ESP is a 'MUST' and AH is a 'MAY'. The arguments for AH and ESP-Null were also on the IPv6 Maintenance WG mailing list in Feb/March 2008 and I don't think the standard changed.

- merike

>
>> -----Original Message-----
>> From: ipv6-wg-bounces at ripe.net [mailto:ipv6-wg-bounces at ripe.net] On Behalf
>> Of Florian Weimer
>> Sent: Tuesday, 27 December 2011 13:41
>> To: Jan Zorz @ go6.si
>> Cc: ipv6-wg at ripe.net
>> Subject: Re: [ipv6-wg] RIPE-501 replacement document - IPsec question
>> tocommunity - we need your input.
>>
>> * Jan Zorz:
>>
>>> On 12/27/11 10:15 AM, Florian Weimer wrote:
>>>> Most devices use TLS.
>>>>
>>>> I agree with dropping IPsec from the document completely, indepedent of
>>>> device type.
>>
>>> So you suggest not mentioning IPsec in any form at all in whole
>>> document? Am I reading this correctly?
>>
>> Yes. Even if we could achieve agreement on a subset of devices where
>> it's supposed to make sense, "IPsec" is really a catchphrase for a set
>> of related protocols, so anyone who actually needs some of it needs to
>> ask for it explicitly anyway.
>>
>> --
>> Florian Weimer
>> BFK edv-consulting GmbH       http://www.bfk.de/
>> Kriegsstraße 100              tel: +49-721-96201-1
>> D-76133 Karlsruhe             fax: +49-721-96201-99
>
>
>

From leo.vegoda at icann.org Tue Dec 27 17:44:42 2011
From: leo.vegoda at icann.org (Leo Vegoda)
Date: Tue, 27 Dec 2011 08:44:42 -0800
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question tocommunity - we need your input.
In-Reply-To:
References: <4EF43F92.4000403@go6.si> <82y5u3bqt7.fsf@mid.bfk.de> <00568AC9-DA18-4243-B030-72843FD11A05@doubleshotsecurity.com> <82y5ty1iku.fsf@mid.bfk.de> <4EF9A06F.40107@go6.si> <82d3ba192h.fsf@mid.bfk.de> <317616CE96204D49B5A1811098BA89500625B89F@XMB-AMS-110.cisco.com>
Message-ID: <4DAD20CE-3948-44BF-9720-850482F18A62@icann.org>

Hi,

On Dec 27, 2011, at 8:08 am, Merike Kaeo wrote:

> On Dec 27, 2011, at 7:43 AM, Eric Vyncke (evyncke) wrote:
>
>> I think that we should keep IPsec/IKEv2 only for firewall and mention to any place where OSPFv3 is mentioned that the support of AH is required.
>
> Is there an RFC that now states that IPsec AH for OSPFv3 is a 'MUST' or 'SHOULD' and not a 'MAY'? Last I recall the specifics for how to implement IPsec for OSPFv3 are in RFC4552 and states that ESP is a 'MUST' and AH is a 'MAY'.

There is an unverified errata report that reverses those key words:

http://www.rfc-editor.org/errata_search.php?rfc=4552

It'll be interesting to see if its status is ever changed to verified.

Regards,

Leo

From spz at serpens.de Tue Dec 27 20:11:50 2011
From: spz at serpens.de (S.P.Zeidler)
Date: Tue, 27 Dec 2011 20:11:50 +0100
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
In-Reply-To: <82d3ba192h.fsf@mid.bfk.de>
References: <4EF43F92.4000403@go6.si> <82y5u3bqt7.fsf@mid.bfk.de> <00568AC9-DA18-4243-B030-72843FD11A05@doubleshotsecurity.com> <82y5ty1iku.fsf@mid.bfk.de> <4EF9A06F.40107@go6.si> <82d3ba192h.fsf@mid.bfk.de>
Message-ID: <20111227191149.GO27877@serpens.de>

Hi,

Thus wrote Florian Weimer (fweimer at bfk.de):

> Yes. Even if we could achieve agreement on a subset of devices where
> it's supposed to make sense, "IPsec" is really a catchphrase for a set
> of related protocols, so anyone who actually needs some of it needs to
> ask for it explicitly anyway.

My experience differs. I have a bunch of site-to-site VPNs on IPSEC, partially to not very large sites, and most enterprisey routers I've met can do an IPSEC tunnel just fine.

How many sizeable enterprises or government entities do you know that really reside in just one building or even campus? The requirement to be able to connect a satellite office to headquarters is not really esoteric.

regards,
	spz
--
spz at serpens.de (S.P.Zeidler)

From sander at steffann.nl Tue Dec 27 23:36:51 2011
From: sander at steffann.nl (Sander Steffann)
Date: Tue, 27 Dec 2011 23:36:51 +0100
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
In-Reply-To: <20111227191149.GO27877@serpens.de>
References: <4EF43F92.4000403@go6.si> <82y5u3bqt7.fsf@mid.bfk.de> <00568AC9-DA18-4243-B030-72843FD11A05@doubleshotsecurity.com> <82y5ty1iku.fsf@mid.bfk.de> <4EF9A06F.40107@go6.si> <82d3ba192h.fsf@mid.bfk.de> <20111227191149.GO27877@serpens.de>
Message-ID: <47BEAF0E-D6CC-44E8-822A-4DF7B947085F@steffann.nl>

Hi,

>> Yes. Even if we could achieve agreement on a subset of devices where
>> it's supposed to make sense, "IPsec" is really a catchphrase for a set
>> of related protocols, so anyone who actually needs some of it needs to
>> ask for it explicitly anyway.
>
> My experience differs. I have a bunch of site-to-site VPNs on IPSEC,
> partially to not very large sites, and most enterprisey routers I've met
> can do an IPSEC tunnel just fine.
>
> How many sizeable enterprises or government entities do you know that
> really reside in just one building or even campus? The requirement
> to be able to connect a satellite office to headquarters is not really
> esoteric.

I agree. We are writing a template for tender initiators for enterprises. I think we should state that IPSec is mandatory, because enterprises should have the possibility to set up IPSec site-to-site tunnels as a minimum. I think we should write it in such a way that enterprises require IPSec support when writing a request for tender, unless they consciously decide that they don't need it. So I think we should put IPSec in the 'required' section. If an enterprise knows it will not need it then they can move it to 'optional' themselves. RIPE-501 and its successor are templates to be used and adapted as necessary. We should provide a sane default, and they might (will probably?) need IPSec at some point in time.

I am leaving for vacation now, so I'll leave it up to this WG to decide what to do with my input :-)

Sander

From jan at go6.si Wed Dec 28 10:54:30 2011
From: jan at go6.si (Jan Zorz @ go6.si)
Date: Wed, 28 Dec 2011 10:54:30 +0100
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
In-Reply-To: <47BEAF0E-D6CC-44E8-822A-4DF7B947085F@steffann.nl>
References: <4EF43F92.4000403@go6.si> <82y5u3bqt7.fsf@mid.bfk.de> <00568AC9-DA18-4243-B030-72843FD11A05@doubleshotsecurity.com> <82y5ty1iku.fsf@mid.bfk.de> <4EF9A06F.40107@go6.si> <82d3ba192h.fsf@mid.bfk.de> <20111227191149.GO27877@serpens.de> <47BEAF0E-D6CC-44E8-822A-4DF7B947085F@steffann.nl>
Message-ID: <4EFAE756.3060702@go6.si>

On 12/27/11 11:36 PM, Sander Steffann wrote:

> I agree. We are writing a template for tender initiators for
> enterprises. I think we should state that IPSec is mandatory, because
> enterprises should have the possibility to set up IPSec site-to-site
> tunnels as a minimum. I think we should write it in such a way that
> enterprises require IPSec support when writing a request for tender,
> unless they consciously decide that they don't need it. So I think we
> should put IPSec in the 'required' section. If an enterprise knows it
> will not need it then they can move it to 'optional' themselves.
> RIPE-501 and its successor are templates to be used and adapted as
> necessary. We should provide a sane default, and they might (will
> probably?) need IPSec at some point in time.

Hi,

I somehow agree...

Disclaimer: the RIPE community explicitly expressed the "wish" not to write anything radical into the RIPE-501 bis/replacement document - I think Joao did that also publicly at the Amsterdam meeting, and we received this suggestion a lot on and off-line.

That being said, we might disregard all "radical" suggestions, such as "remove IPsec completely from the document", unless they are proven non-radical and the community (majority) feels that way. So, for that suggestion much more support from the community is needed than we can see now.

Supporters for "remove IPsec requirements completely", make yourself heard, otherwise be quiet for the rest of the time :) (we need to get this document out of the door ASAP, many governments (not joking) are waiting for the replacement to take it as the basis for their national IPv6 profile ;) )

We received many strong suggestions also off-list to go with the flow and follow the IETF way - make it all optional for all devices (maybe with this option we could leave it out for mobile devices). Supporters for this option, make yourself heard, otherwise be quiet for the rest of the time :)

The security and IPv6 advocate mind tells us to leave IPSec (at least v2) mandatory for all sections (not valid for mobile devices) and IPsec v3 optional. This would make sense from many points of view, but I (personally) cannot make up my mind whether this is not too harsh a prerequisite for this moment. Again, supporters for this option, make yourself heard, otherwise be quiet for the rest of the time :)

Sander's proposal above adds an additional section for all devices (minus mobile), so we expand to "Mandatory", "Required" and "Optional". If I may repeat myself, supporters for this option, make yourself heard, otherwise be quiet for the rest of the time :)

So, if the WG chairs allow, I would propose a "show of hands" and see how we can proceed. (anyone who expresses clear support for one of the options gets a candy at the RIPE64 meeting in Ljubljana :) :) :) )

> I am leaving for vacation now, so I'll leave it up to this WG to
> decide what to do with my input :-) Sander

Sander, have a good time and rest a bit :) V6 work for this year is done :)

Cheers, Jan Zorz

From merike at doubleshotsecurity.com Fri Dec 30 19:32:38 2011
From: merike at doubleshotsecurity.com (Merike Kaeo)
Date: Fri, 30 Dec 2011 10:32:38 -0800
Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
In-Reply-To: <4DAD20CE-3948-44BF-9720-850482F18A62@icann.org>
References: <4EF43F92.4000403@go6.si> <82y5u3bqt7.fsf@mid.bfk.de> <00568AC9-DA18-4243-B030-72843FD11A05@doubleshotsecurity.com> <82y5ty1iku.fsf@mid.bfk.de> <4EF9A06F.40107@go6.si> <82d3ba192h.fsf@mid.bfk.de> <317616CE96204D49B5A1811098BA89500625B89F@XMB-AMS-110.cisco.com> <4DAD20CE-3948-44BF-9720-850482F18A62@icann.org>
Message-ID:

On Dec 27, 2011, at 8:44 AM, Leo Vegoda wrote:

> Hi,
>
> On Dec 27, 2011, at 8:08 am, Merike Kaeo wrote:
>> On Dec 27, 2011, at 7:43 AM, Eric Vyncke (evyncke) wrote:
>>
>>> I think that we should keep IPsec/IKEv2 only for firewall and mention to any place where OSPFv3 is mentioned that the support of AH is required.
>>
>> Is there an RFC that now states that IPsec AH for OSPFv3 is a 'MUST' or 'SHOULD' and not a 'MAY'? Last I recall, the specifics for how to implement IPsec for OSPFv3 are in RFC4552, which states that ESP is a 'MUST' and AH is a 'MAY'.
>
> There is an unverified errata report that reverses those key words:
>
> http://www.rfc-editor.org/errata_search.php?rfc=4552
>
> It'll be interesting to see if its status is ever changed to verified.

There are no details in the errata that are useful.

I find it amusing that yesterday a discussion started in the IETF IPsec WG about writing a draft to move AH to Historic. 3 years ago I had started writing a doc to enumerate why ESP-Null is good enough and detailed the fields that were getting protected using AH and why even with OSPFv3 there wasn't a clear advantage. There are nuances with the SPD such that you implicitly get protection of the SRC and DST IP addresses. I think I need to finish that paper as it's 90% done. I'll send it out to a few folks early next week.....something I was doing in some spare time a few years ago.

Note also that this argument has come up a few times since, even though you can use ESP for only integrity protection, it has been difficult for vendors to make a quick distinction whether an ESP packet is integrity-only or also encrypted. So, some vendors prefer to use AH since in some ways it is 'simpler' and doesn't affect their performance.

AH is the least tested protocol in any interoperability test. I have attended a few, and if that has changed, OK. Not from my experience.

- merike

>
> Regards,
>
> Leo
>
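The two points Merike makes above (AH leaves the upper-layer protocol readable and binds the IPv6 addresses into its integrity check, while everything behind an ESP header looks the same to a third party whether the SA is ESP-NULL or encrypting) can be seen by building the two packet shapes and parsing them the way a device without SA state would. This is an added illustration in Python, not code from the thread or from any vendor; the link-local/multicast addresses, SPIs, sequence numbers and the 12-byte ICV are constructed placeholders, the OSPFv3 Hello is a 44-byte stand-in, and no real HMAC is computed.

```python
"""AH vs ESP as seen by a third party on the wire (IPv6 carrying OSPFv3).

Added illustration, not code from the RIPE ipv6-wg thread. All addresses,
SPIs, sequence numbers and ICV bytes are constructed placeholders.
"""
import ipaddress
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51
IPPROTO_OSPF = 89


def build_ipv6(src, dst, next_header, payload, hop_limit=1, tclass=0xC0, flow=0x12345):
    """IPv6 base header (RFC 8200) in front of `payload`."""
    first_word = (6 << 28) | (tclass << 20) | flow
    hdr = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_ah(inner_next, spi, seq, icv):
    """AH header (RFC 4302). Payload Len counts 32-bit words minus 2."""
    ah_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", inner_next, ah_len, 0, spi, seq) + icv


def build_esp(spi, seq, opaque):
    """ESP (RFC 4303): only SPI and sequence number are in the clear."""
    return struct.pack("!II", spi, seq) + opaque


def classify(pkt):
    """Return what an observer without SA state can read from the packet."""
    plen, nh = struct.unpack("!HB", pkt[4:7])
    body = pkt[40:40 + plen]
    if nh == IPPROTO_AH:
        inner_nh, ah_len, _, spi, seq = struct.unpack("!BBHII", body[:12])
        icv_len = (ah_len + 2) * 4 - 12
        # The upper-layer protocol and its header are in the clear behind AH.
        return {"ipsec": "AH", "spi": spi, "seq": seq,
                "inner_next_header": inner_nh, "icv_len": icv_len,
                "upper_layer_visible": True}
    if nh == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # Everything after the 8-byte ESP header looks the same whether the
        # SA is ESP-NULL (integrity only) or encrypting; the Next Header byte
        # sits in the trailer, behind whatever confidentiality is in use.
        return {"ipsec": "ESP", "spi": spi, "seq": seq,
                "inner_next_header": None, "upper_layer_visible": False}
    return {"ipsec": None, "inner_next_header": nh, "upper_layer_visible": True}


def ah_icv_input(pkt):
    """Bytes the AH ICV is computed over (RFC 4302, 3.3.3.1): mutable IPv6 base
    header fields (Traffic Class, Flow Label, Hop Limit) and the ICV field are
    zeroed; Source/Destination Address, Payload Length and Next Header stay."""
    version_only = struct.unpack("!I", pkt[:4])[0] & 0xF0000000
    hdr = struct.pack("!I", version_only) + pkt[4:7] + b"\x00" + pkt[8:40]
    plen, = struct.unpack("!H", pkt[4:6])
    body = bytearray(pkt[40:40 + plen])
    icv_len = (body[1] + 2) * 4 - 12
    body[12:12 + icv_len] = bytes(icv_len)
    return hdr + bytes(body)


# Constructed sample: a 44-byte stand-in for an OSPFv3 Hello, sent to the
# AllSPFRouters group from a link-local address.
OSPFV3_STANDIN = b"\x03\x01\x00\x2c" + bytes(40)
SRC, DST = "fe80::1", "ff02::5"
DUMMY_ICV = b"\xaa" * 12          # placeholder for a 96-bit truncated HMAC

PKT_AH = build_ipv6(SRC, DST, IPPROTO_AH,
                    build_ah(IPPROTO_OSPF, spi=0x100, seq=1, icv=DUMMY_ICV) + OSPFV3_STANDIN)
# ESP-NULL: payload, 2 pad bytes, pad length, next header 89, then the ICV.
# An observer cannot tell these bytes from ciphertext.
PKT_ESP = build_ipv6(SRC, DST, IPPROTO_ESP,
                     build_esp(0x200, 1, OSPFV3_STANDIN + b"\x01\x02\x02\x59" + DUMMY_ICV))

if __name__ == "__main__":
    for name, pkt in (("AH", PKT_AH), ("ESP", PKT_ESP)):
        print(name, classify(pkt))
```

Running the module prints the AH packet with `inner_next_header` 89 (OSPF) visible and the ESP packet with nothing beyond SPI and sequence number, which is the "is it integrity-only or encrypted?" problem for a middlebox. The `ah_icv_input` output shows the addresses, payload length and next header inside the authenticated bytes while hop limit, traffic class and flow label are zeroed. For ESP, the comparable address binding comes from RFC 4301 inbound processing, where the decapsulated packet's selectors (addresses included) are checked against the SA that was selected by SPI, which is what makes the addresses implicitly protected without being covered by the ICV.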