I don't see the implementation complexity as supporting rationale but would be
open to hearing the issues of signaling maybe?  MIPv6, IPsec, and IKEv2 (I also
think it was the market mandate IKEv2 right now) do need to be cohesive within
an implementation but clearly different discrete components with a network
stack software design. The approach or at least the way I believe it should be
engineered in a network stack I think the integration is not a problem.  I
don't think we should not require a function in the IETF because it is
perceived that "integrating a protocol like Mobile IPv6 with IPsec and
IKE/IKEv2" is too complex because I would disagree with that assumption.

/jim

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Basavaraj Patil
> Sent: Tuesday, February 26, 2008 1:21 PM
> To: ext Vishwas Manral
> Cc: Thomas Narten; John Loughney; [email protected]; [EMAIL PROTECTED]
> Subject: Re: Making IPsec *not* mandatory in Node Requirement
>
>
> It is not the load or processing that is the issue really
> which I think you are alluding to. It is just the complexity
> of .
> Mobile IPv6 signaling can be secured via simpler mechanisms.
> But because of the prevailing thinking that IPsec MUST be
> used as the security mechanism, we stuck with it and are, let's
> say, not too happy about it.
>
> -Basavaraj
>
>
> On 2/26/08 12:13 PM, "ext Vishwas Manral"
> <[EMAIL PROTECTED]> wrote:
>
> > Hi Basavaraj,
> >
> > But isn't that something IPsec needs to improve on? We already have
> > efforts like BTNS with "connection latching" in IPsec which may help
> > to ease the load on the end devices, which seems to have been the main
> > issue raised.
> >
> > Thanks,
> > Vishwas
> >
> > On Tue, Feb 26, 2008 at 9:58 AM, Basavaraj Patil
> > <[EMAIL PROTECTED]> wrote:
> >>
> >> I agree with Thomas about his views on IPsec being a mandatory and
> >> default component of the IPv6 stack.
> >> Because of this belief, Mobile IPv6 (RFC3775) design relied on IPsec
> >> for securing the signaling. This has led to complexity of the
> >> protocol and not really helped either in adoption or implementation.
> >> IPsec based security is an overkill for Mobile IPv6 and illustrates
> >> the point that you do not have to use it simply because it happens
> >> to be an integral part of IPv6.
> >>
> >>  -Basavaraj
> >>
> >>
> >>
> >>
> >> On 2/26/08 10:18 AM, "ext Thomas Narten" <[EMAIL PROTECTED]> wrote:
> >>
> >>> IMO, we need to get over the idea that IPsec is mandatory in IPv6.
> >>> Really. Or that mandating IPsec is actually useful in practice.
> >>>
> >>> It is the case that mandating IPsec as part of IPv6 has contributed
> >>> to the hype about how great IPv6 is and how one will get better
> >>> security with IPv6. Unfortunately, that myth has also harmed the
> >>> overall IPv6 deployment effort, as people look more closely and come
> >>> to understand that deploying IPv6 doesn't automatically/easily yield
> >>> improved security.
> >>>
> >>> We all know the reality of security is very different and much more
> >>> complicated/nuanced than just saying "use IPsec".
> >>>
> >>> Consider:
> >>>
> >>> IPsec by itself (with no key management) is close to useless. The
> >>> average person cannot configure static keys, so the result is (in
> >>> effect) a useless mandate (as a broad mandate for ALL nodes).
> >>>
> >>> What applications actually make use of IPsec for security? A lot
> >>> fewer than one might think. For many IPv6 devices/nodes, if one
> >>> actually looks at the applications that will be used on them, they
> >>> do not use IPsec today for security. And, there are
> >>> strong/compelling arguments for why IPsec is not the best security
> >>> solution for many applications.
> >>> Thus, requiring IPsec is pointless.
> >>>
> >>> To be truly useful, we (of course) need key management. If we want
> >>> to mandate key management, the stakes go way up. IKEv1/v2 is not a
> >>> small implementation effort. And, we are now in the funny situation
> >>> where IKEv1 has been implemented, but due to shortcomings, IKEv2 has
> >>> already been developed. IKEv2 has been out for over 2 years, but
> >>> implementations are not widespread yet. So, would we mandate IKEv1
> >>> (which is obsoleted and has documented issues), or do we mandate
> >>> IKEv2, even though it is clear it is not widely available yet?
> >>>
> >>> IMO, we should drop the MUST language surrounding IPsec. The
> >>> technical justification for making it MUST is simply not
> >>> compelling. It seems to me that the MUST is there primarily for
> >>> historical/marketing reasons.
> >>>
> >>> Note that dropping the MUST will not mean people stop implementing
> >>> IPsec, where there is compelling benefit. Indeed, note that the USG
> >>> has already moved away from IKEv1 and has strongly signalled that it
> >>> will require IKEv2 going forward. So I am confident that IPsec (and
> >>> IKE) will get implemented going forward.
> >>>
> >>> But there is no reason why IPsec should be mandated in devices where
> >>> it is clear (based on the function/purpose of the device) that IPsec
> >>> will in fact not actually be used.
> >>>
> >>> As a general "node requirement", SHOULD is the right level, not MUST.
> >>>
> >>> Thomas
> >>>
> --------------------------------------------------------------------
> >>> IETF IPv6 working group mailing list [email protected] Administrative
> >>> Requests: http://www.ietf.org/mailman/listinfo/ipv6
> >>>
> --------------------------------------------------------------------