On Thu, 31 Oct 2002 [EMAIL PROTECTED] wrote:

> Title     : Requirements for Plug and Play IPsec for IPv6 applications
> Author(s) : T. Kobayakawa, S. Miyakawa
> Filename  : draft-kobayakawa-ipsec-ipv6-pnpipsec-reqts-00.txt
> Pages     : 5
> Date      : 2002-10-30
>
> This document describes requirements about how IPsec is supplemented
> for IPv6 Plug and Play applications.

Comments.

Substantial:

   There is another reason for Internet users to choose IPv6. IPv6 is
   believed to be equipped with IPsec as default, and many users choose
   IPv6 because of IPsec. However, IPsec is independent from version
   numbers of IP, and IPv6 does not have special advantages for IPsec.
   We have two options to cope with this myth:

==> "no special advantages" is not true. Well, directly, there seem to
be no special advantages. But increased address space and e2e addressing
make e2e IPSEC much easier -- NAT boxes severely hinder IPSEC usability.

   However, we should not mandate the existence of this outside server
   because there are many situations in which such servers are not
   available, and IP layer authentication and Man-in-the-Middle
   protection are not important.

==> I don't understand this at all. Please elaborate a bit. I fail to
see cases when MITM protection is irrelevant.

   After the establishment of this security level of IPsec SAs,
   authentication, authorization, accounting, and Man-in-the-Middle
   prevention are added on to those SAs.

==> how are these added there? I fail to see how establishing possibly
MITM'ed "authenticated" IPSEC SA's helps _any_ with this.

==> You forgot Security Considerations section. I believe using IPSEC
when it's known to be possibly wrong is not good -- no security is
better than a false sense of security.

Editorial:

==> many places s/configurations/configuration/

   abundant (IPv4 global addresses are not, especially in Asia.) Such
   peer-to-peer applications often require authentication and secrecy
   mechanisms, which are provided by IPsec.

==> s/are provided/can be provided/

   Many IPv6 applications assume embedded devices without keyboard and
   display. For embedded devices, maintaining X.509 certificate, such
   as Certificate Update and Certificate Revocation Handling, is too
   heavy and often diminishes the usability.

==> reword this, the latter part isn't clearly related to _maintaining_
certificates.

   but it's not practical to apply to IP communications.) Assuming no

==> s/.)/)./

   Just "key-exchange-before-all-the-communication" does not work
   because it forces delay on all the communications regardless of
   this kind of IPsec supports.

==> reword the last part, e.g. "support for PnP IPSEC".

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
