On 01/19/17 04:09, Wu, Jiaxin wrote: >>>> Laszlo, >>>> >>>> I also agree with (a). >>>> >>>> For IpSec, we can do the below update later: >>>> >>>> 1), Include it under NETWORK_IP6_ENABLE directly but with the limit usage >> for IPv4. >>>> >>>> Or >>>> >>>> 2), Define new flag "IPSEC_ENABLE" for both of them. >>>> >>>> I prefer 2). >>> >>> Hmmm, I'm not so sure. Personally I've never used either IpSec or IPv6. >>> >>> If I understand correctly: >>> >>> - IPSEC_ENABLE=TRUE && NETWORK_IP6_ENABLE=FALSE would mean >>> IPv4 only + IpSec. While this may be a theoretically useful >>> combination, I wonder how often people would actually want this. >>> >>> - IPSEC_ENABLE=TRUE && NETWORK_IP6_ENABLE=TRUE -- this is a valid >>> combination, especially for a full-fledged build of OVMF >>> >>> - IPSEC_ENABLE=FALSE && NETWORK_IP6_ENABLE=TRUE -- as far as I >>> understand, this is actually an invalid (incomplete) build for the >>> IPv6 stack. >>> >>> - IPSEC_ENABLE=FALSE && NETWORK_IP6_ENABLE=FALSE -- the most >> common >>> build, gives you just IPv4 >>> >>> Based on the above, I think I prefer (1); that is, I believe we >>> shouldn't introduce IPSEC_ENABLE. For IPv6, IpSec is apparently >>> mandatory, so turning it off makes no sense. And in an IPv4-only build >>> of OVMF, I see quite limited usefulness for IpSec; turning it on with a >>> dedicated flag looks overkill, at least for a virtual machine firmware. >>> >>> Jordan, Gary, what do you think? >> >> IpSec is optional for me. The Ip6 driver detects the protocol dynamically, >> so we don't really need IpSec for IPv6. (PXEv6 and HTTPBoot v6 works for >> me with the current settings.) Besides, it seems we didn't provide a proper >> user interface (e.g. config UI or a shell command) to setup IpSec. The user >> probably has to find a tool, e.g. NetworkPkg/Application/IpsecConfig, to >> config it properly. So I feel it's not mandatory and would prefer 2). > > I did quick investigation for the IpSec deployment requirement for IPv4 and > IPv6. > > Now, the goal of the IpSec is to provide the security service for both the > IPv4 and IPv6 environments. > > Previously, IPsec implementation was mandatory requirement for IPv6. But in > RFC 6434 (IPv6 Node Requirements), the document updates that recommendation > by making support of the IPsec Architecture a *SHOULD* for all IPv6 nodes. > That means it has been made optional for IPv6 since RFC 6434. Detailed see > RFC 6434 section 11: > > " > Previously, IPv6 mandated implementation of IPsec and recommended the > key management approach of IKE. This document updates that > recommendation by making support of the IPsec Architecture [RFC4301] > a SHOULD for all IPv6 nodes. > " > > " > This document recognizes that there exists a range of device types > and environments where approaches to security other than IPsec can be > justified. For example, special-purpose devices may support only a > very limited number or type of applications, and an application- > specific security approach may be sufficient for limited management > or configuration capabilities. Alternatively, some devices may run > on extremely constrained hardware (e.g., sensors) where the full > IPsec Architecture is not justified. > " > > So, according above information, IPSEC_ENABLE should be fine to > include the feature or just keep the current until it truly > required:).
Thanks a lot for tracking this down! Given that we're apparently unaware of any actual need for IpSec in OVMF, I suggest that we postpone it. And, when the need arises, we should do -D IPSEC_ENABLE (affecting both IPv4 and IPv6); I understand now that that will be the right thing to do. Cheers! Laszlo _______________________________________________ edk2-devel mailing list [email protected] https://lists.01.org/mailman/listinfo/edk2-devel
