[ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
Eric Vyncke (evyncke) evyncke at cisco.com
Mon Jan 2 15:08:49 CET 2012
Here is my voice: remove IPsec mandatory to all devices EXCEPT for router supporting OSPFv3 (ESP-null in transport mode being mandatory) and for firewall (where IKEv3 and IPsecv3 are mandatory)

-éric

> -----Original Message-----
> From: ipv6-wg-bounces at ripe.net [mailto:ipv6-wg-bounces at ripe.net] On Behalf
> Of Jan Zorz
> Sent: Wednesday, 28 December 2011 10:43
> To: ipv6-wg at ripe.net
> Subject: Re: [ipv6-wg] RIPE-501 replacement document - IPsec question to
> community - we need your input.
>
> On 12/27/11 11:36 PM, Sander Steffann wrote:
> > I agree. We are writing a template for tender initiators for
> > enterprises. I think we should state that IPSec is mandatory, because
> > enterprises should have the possibility to set up IPSec site-to-site
> > tunnels as a minimum. I think we should write it in such a way that
> > enterprises require IPSec support when writing a request for tender,
> > unless they consciously decide that they don't need it. So I think we
> > should put IPSec in the 'required' section. If an enterprise knows it
> > will not need it then they can move it to 'optional' themselves.
> > RIPE-501 and its successor are templates to be used and adapted as
> > necessary. We should provide a sane default, and they might (will
> > probably?) need IPSec at some point in time.
>
> Hi,
>
> I somehow agree...
>
> Disclaimer: RIPE community explicitly expressed the "wish" not to write
> anything radical into RIPE-501 bis/replacement document - I think Joao
> did that also publicly at Amsterdam meeting, and we received this
> suggestion a lot on and off-line.
>
> Being said that, we might disregard all "radical" suggestions, such as
> "remove IPsec completely from the document" unless they are proven
> non-radical and that community (majority) feels in that way.
>
> So, for that suggestion there is much more support needed from community
> than we can see it now. Supporters for "remove IPsec requirements
> completely", make yourself heard, otherwise be quiet for the rest of the
> time :) (we need to get this document out of the door ASAP, many
> governments (not joking) are waiting for replacement to take it as basis
> for their national IPv6 profile ;) )
>
> We received many strong suggestions also off-list to go with the flow
> and follow IETF way - make it all optional for all devices (maybe with
> this option we could leave it out for mobile devices). Supporters for
> this option, make yourself heard, otherwise be quiet for the rest of the
> time :)
>
> Security and IPv6 advocate mind tells us to leave IPSec (at least v2)
> mandatory for all sections (not valid for mobile devices) and IPsec v3
> optional. This would make sense from many points of view, but I
> (personally) cannot make up my mind if this is not too harsh
> prerequisite for this moment. Again, supporters for this option, make
> yourself heard, otherwise be quiet for the rest of the time :)
>
> Sander's proposal above adds additional section for all devices (minus
> mobile), so we expand to "Mandatory", "Required" and "Optional". If I
> may repeat myself, supporters for this option, make yourself heard,
> otherwise be quiet for the rest of the time :)
>
> So, if WG chairs allow, I would propose a "show of hands" and see, how
> we can proceed. (anyone who express clear support for one of the options
> gets a candy at RIPE64 meeting in Ljubljana :) :) :) )
>
> >
> > I am leaving for vacation now, so I'll leave it up to this WG to
> > decide what to do with my input :-) Sander
>
> Sander, have a good time and rest a bit :) V6 work for this year is done :)
>
> Cheers, Jan Zorz
>