[ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.

Mon Jan 2 15:08:49 CET 2012

Here is my voice: remove IPsec mandatory to all devices EXCEPT for router supporting OSPFv3 (ESP-null in transport mode being mandatory) and for firewall (where IKEv3 and IPsecv3 are mandatory)

-éric

> -----Original Message-----
> From: ipv6-wg-bounces at ripe.net [mailto:ipv6-wg-bounces at ripe.net] On Behalf
> Of Jan Zorz
> Sent: mercredi 28 décembre 2011 10:43
> To: ipv6-wg at ripe.net
> Subject: Re: [ipv6-wg] RIPE-501 replacement document - IPsec question to
> community - we need your input.
> 
> On 12/27/11 11:36 PM, Sander Steffann wrote:
> > I agree. We are writing a template for tender initiators for
> > enterprises. I think we should state that IPSec is mandatory, because
> > enterprises should have the possibility to set up IPSec site-to-site
> > tunnels as a minimum. I think we should write it in such a way that
> > enterprises  require IPSec support when writing a request for tender,
> > unless they consciously decide that they don't need it. So I think we
> > should put IPSec in the 'required' section. If an enterprise knows it
> > will not need it then they can move it to 'optional' themselves.
> > RIPE-501 and its successor are templates to be used and adapted as
> > necessary. We should provide a sane default, and they might (will
> > probably?) need IPSec at some point in time.
> 
> Hi,
> 
> I somehow agree...
> 
> Disclaimer: RIPE community explicitly expressed the "wish" not to write
> anything radical into RIPE-501 bis/replacement document - I think Joao
> did that also publicly at Amsterdam meeting, and we received this
> suggestion a lot on and off-line.
> 
> Being said that, we might disregard all "radical" suggestions, such as
> "remove IPsec completely from the document" unless they are proven
> non-radical and that community (majority) feels in that way.
> 
> So, for that suggestion there is much more support needed from community
> than we can see it now. Supporters for "remove IPsec requirements
> completely", make yourself heard, otherwise be quiet for the rest of the
> time :) (we need to get this document out of the door ASAP, many
> governments (not joking) are waiting for replacement to take it as basis
> for their national IPv6 profile ;) )
> 
> We received many strong suggestions also off-list to go with the flow
> and follow IETF way - make it all optional for all devices (maybe with
> this option we could leave it out for mobile devices). Supporters for
> this option, make yourself heard, otherwise be quiet for the rest of the
> time :)
> 
> Security and IPv6 advocate mind tells us to leave IPSec (at least v2)
> mandatory for all sections (not valid for mobile devices) and IPsec v3
> optional. This would make sense from many points of view, but I
> (personally) cannot make up my mind if this is not too harsh
> prerequisite for this moment. Again, supporters for this option, make
> yourself heard, otherwise be quiet for the rest of the time :)
> 
> Sanders proposal above adds additional section for all devices (minus
> mobile), so we expand to "Mandatory", "Required" and "Optional". If I
> may repeat myself, supporters for this option, make yourself heard,
> otherwise be quiet for the rest of the time :)
> 
> So, if WG chairs allow, I would propose a "show of hands" and see, how
> we can proceed. (anyone who express clear support fo one of the options
> gets a candy at RIPE64 meeting in Ljubljana :) :) :) )
> 
> >
> > I am leaving for vacation now, so I'll eave it up to this WG to
> > decide what to do with my input :-) Sander
> 
> Sander, have a good time and rest a bit :) V6 work for this year is done :)
> 
> Cheers, Jan Zorz
>