[ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
Merike Kaeo merike at doubleshotsecurity.com
Tue Jan 3 01:47:43 CET 2012
Bottom posting will probably make this reply confusing so for now I'll just say that I tend to agree with my co-authors but we would like to hear more input from the RIPE community, especially the operators who are using IPsec in their IPv6 deployments (or plan to). six or seven voices seems like a small sampling. Our hope is the get the final document done and back to last call in next few weeks so replies by the end of this week would be very much appreciated. - merike On Jan 2, 2012, at 6:08 AM, Eric Vyncke (evyncke) wrote: > Here is my voice: remove IPsec mandatory to all devices EXCEPT for router supporting OSPFv3 (ESP-null in transport mode being mandatory) and for firewall (where IKEv3 and IPsecv3 are mandatory) > > -éric > >> -----Original Message----- >> From: ipv6-wg-bounces at ripe.net [mailto:ipv6-wg-bounces at ripe.net] On Behalf >> Of Jan Zorz >> Sent: mercredi 28 décembre 2011 10:43 >> To: ipv6-wg at ripe.net >> Subject: Re: [ipv6-wg] RIPE-501 replacement document - IPsec question to >> community - we need your input. >> >> On 12/27/11 11:36 PM, Sander Steffann wrote: >>> I agree. We are writing a template for tender initiators for >>> enterprises. I think we should state that IPSec is mandatory, because >>> enterprises should have the possibility to set up IPSec site-to-site >>> tunnels as a minimum. I think we should write it in such a way that >>> enterprises require IPSec support when writing a request for tender, >>> unless they consciously decide that they don't need it. So I think we >>> should put IPSec in the 'required' section. If an enterprise knows it >>> will not need it then they can move it to 'optional' themselves. >>> RIPE-501 and its successor are templates to be used and adapted as >>> necessary. We should provide a sane default, and they might (will >>> probably?) need IPSec at some point in time. >> >> Hi, >> >> I somehow agree... >> >> Disclaimer: RIPE community explicitly expressed the "wish" not to write >> anything radical into RIPE-501 bis/replacement document - I think Joao >> did that also publicly at Amsterdam meeting, and we received this >> suggestion a lot on and off-line. >> >> Being said that, we might disregard all "radical" suggestions, such as >> "remove IPsec completely from the document" unless they are proven >> non-radical and that community (majority) feels in that way. >> >> So, for that suggestion there is much more support needed from community >> than we can see it now. Supporters for "remove IPsec requirements >> completely", make yourself heard, otherwise be quiet for the rest of the >> time :) (we need to get this document out of the door ASAP, many >> governments (not joking) are waiting for replacement to take it as basis >> for their national IPv6 profile ;) ) >> >> We received many strong suggestions also off-list to go with the flow >> and follow IETF way - make it all optional for all devices (maybe with >> this option we could leave it out for mobile devices). Supporters for >> this option, make yourself heard, otherwise be quiet for the rest of the >> time :) >> >> Security and IPv6 advocate mind tells us to leave IPSec (at least v2) >> mandatory for all sections (not valid for mobile devices) and IPsec v3 >> optional. This would make sense from many points of view, but I >> (personally) cannot make up my mind if this is not too harsh >> prerequisite for this moment. Again, supporters for this option, make >> yourself heard, otherwise be quiet for the rest of the time :) >> >> Sanders proposal above adds additional section for all devices (minus >> mobile), so we expand to "Mandatory", "Required" and "Optional". If I >> may repeat myself, supporters for this option, make yourself heard, >> otherwise be quiet for the rest of the time :) >> >> So, if WG chairs allow, I would propose a "show of hands" and see, how >> we can proceed. (anyone who express clear support fo one of the options >> gets a candy at RIPE64 meeting in Ljubljana :) :) :) ) >> >>> >>> I am leaving for vacation now, so I'll eave it up to this WG to >>> decide what to do with my input :-) Sander >> >> Sander, have a good time and rest a bit :) V6 work for this year is done :) >> >> Cheers, Jan Zorz >> > > >
[ ipv6-wg Archives ]