[ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
Merike Kaeo merike at doubleshotsecurity.com
Thu Jan 26 17:18:32 CET 2012
On Jan 26, 2012, at 6:22 AM, Tim Chown wrote:

> On 26 Jan 2012, at 08:50, Jan Zorz @ go6.si wrote:
>
>> On 1/2/12 3:08 PM, Eric Vyncke (evyncke) wrote:
>>> Here is my voice: remove IPsec mandatory to all devices EXCEPT for
>>> router supporting OSPFv3 (ESP-null in transport mode being mandatory)
>>> and for firewall (where IKEv3 and IPsecv3 are mandatory)
>>
>> Eric, @all
>>
>> This question is now preventing the new draft to be published, as we think it's very important to solve it in a way that makes sense and at the same time not to go against IETF and RFC specs. Sometimes these two clash :)
>>
>> Community: Please, give us more input, so we can decide and write down something that is what community thinks - otherwise we'll have to listen to sample of 6 voices.
>
> Jan,
>
> I agree pushing 501-bis asap should be a priority.
>
> Is there a pointer to the diffs between 501-bis and specific RFCs? Obviously I could go and look it up, just wondered if a list of differences already existed in a previous post or article.

The issue right now is mostly only around IPsec and whether to have it be designated as mandatory or optional.

The new IPv6 Node Requirements (RFC 6434) has the following language:

"Security Architecture for the Internet Protocol" [RFC4301] SHOULD be supported by all IPv6 nodes. Note that the IPsec Architecture requires (e.g., Section 4.5 of [RFC4301]) the implementation of both manual and automatic key management. Currently, the default automated key management protocol to implement is IKEv2. As required in [RFC4301], IPv6 nodes implementing the IPsec Architecture MUST implement ESP [RFC4303] and MAY implement AH [RFC4302]."

I am starting to think that the language given by Eric above may be what gives us most consensus (and least controversy) :)

- merike