[ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
Eric Vyncke (evyncke)
evyncke at cisco.com
Tue Jan 3 08:23:10 CET 2012
Merike,

5 or 6 voices is indeed a too small sampling to be taken into account (even if I was one of those voices). No argument.

But, I am a little less comfortable with your sentence about 'operators who are using IPsec' because my understanding was that RIPE-501bis is for 'tender initiators' which are more likely to be enterprises, public sector organizations rather than operators.

Else, thanks for the job on RIPE-501: very much needed but do not shoot for the stars

-éric

> -----Original Message-----
> From: Merike Kaeo [mailto:merike at doubleshotsecurity.com]
> Sent: Tuesday, 3 January 2012 01:48
> To: Eric Vyncke (evyncke)
> Cc: Jan Zorz; ipv6-wg at ripe.net
> Subject: Re: [ipv6-wg] RIPE-501 replacement document - IPsec question to
> community - we need your input.
>
> Bottom posting will probably make this reply confusing so for now I'll just
> say that I tend to agree with my co-authors but we would like to hear more
> input from the RIPE community, especially the operators who are using IPsec
> in their IPv6 deployments (or plan to). six or seven voices seems like a
> small sampling.
>
> Our hope is to get the final document done and back to last call in next
> few weeks so replies by the end of this week would be very much appreciated.
>
> - merike
>
> On Jan 2, 2012, at 6:08 AM, Eric Vyncke (evyncke) wrote:
>
> > Here is my voice: remove IPsec mandatory to all devices EXCEPT for router
> > supporting OSPFv3 (ESP-null in transport mode being mandatory) and for
> > firewall (where IKEv3 and IPsecv3 are mandatory)
> >
> > -éric
> >
> >> -----Original Message-----
> >> From: ipv6-wg-bounces at ripe.net [mailto:ipv6-wg-bounces at ripe.net] On Behalf
> >> Of Jan Zorz
> >> Sent: Wednesday, 28 December 2011 10:43
> >> To: ipv6-wg at ripe.net
> >> Subject: Re: [ipv6-wg] RIPE-501 replacement document - IPsec question to
> >> community - we need your input.
> >>
> >> On 12/27/11 11:36 PM, Sander Steffann wrote:
> >>> I agree. We are writing a template for tender initiators for
> >>> enterprises. I think we should state that IPSec is mandatory, because
> >>> enterprises should have the possibility to set up IPSec site-to-site
> >>> tunnels as a minimum. I think we should write it in such a way that
> >>> enterprises require IPSec support when writing a request for tender,
> >>> unless they consciously decide that they don't need it. So I think we
> >>> should put IPSec in the 'required' section. If an enterprise knows it
> >>> will not need it then they can move it to 'optional' themselves.
> >>> RIPE-501 and its successor are templates to be used and adapted as
> >>> necessary. We should provide a sane default, and they might (will
> >>> probably?) need IPSec at some point in time.
> >>
> >> Hi,
> >>
> >> I somehow agree...
> >>
> >> Disclaimer: RIPE community explicitly expressed the "wish" not to write
> >> anything radical into RIPE-501 bis/replacement document - I think Joao
> >> did that also publicly at Amsterdam meeting, and we received this
> >> suggestion a lot on and off-line.
> >>
> >> Being said that, we might disregard all "radical" suggestions, such as
> >> "remove IPsec completely from the document" unless they are proven
> >> non-radical and that community (majority) feels in that way.
> >>
> >> So, for that suggestion there is much more support needed from community
> >> than we can see it now. Supporters for "remove IPsec requirements
> >> completely", make yourself heard, otherwise be quiet for the rest of the
> >> time :) (we need to get this document out of the door ASAP, many
> >> governments (not joking) are waiting for replacement to take it as basis
> >> for their national IPv6 profile ;) )
> >>
> >> We received many strong suggestions also off-list to go with the flow
> >> and follow IETF way - make it all optional for all devices (maybe with
> >> this option we could leave it out for mobile devices). Supporters for
> >> this option, make yourself heard, otherwise be quiet for the rest of the
> >> time :)
> >>
> >> Security and IPv6 advocate mind tells us to leave IPSec (at least v2)
> >> mandatory for all sections (not valid for mobile devices) and IPsec v3
> >> optional. This would make sense from many points of view, but I
> >> (personally) cannot make up my mind if this is not too harsh
> >> prerequisite for this moment. Again, supporters for this option, make
> >> yourself heard, otherwise be quiet for the rest of the time :)
> >>
> >> Sander's proposal above adds additional section for all devices (minus
> >> mobile), so we expand to "Mandatory", "Required" and "Optional". If I
> >> may repeat myself, supporters for this option, make yourself heard,
> >> otherwise be quiet for the rest of the time :)
> >>
> >> So, if WG chairs allow, I would propose a "show of hands" and see, how
> >> we can proceed. (anyone who express clear support for one of the options
> >> gets a candy at RIPE64 meeting in Ljubljana :) :) :) )
> >>
> >>>
> >>> I am leaving for vacation now, so I'll leave it up to this WG to
> >>> decide what to do with my input :-)
> >>> Sander
> >>
> >> Sander, have a good time and rest a bit :) V6 work for this year is done :)
> >>
> >> Cheers,
> >> Jan Zorz