> -----Original Message-----
> From: Ed Jankiewicz [mailto:[EMAIL PROTECTED]
>
> That is a good point, does IPsec depend on unanimous support? We
> struggled with this in the DoD Profiles. Our rationale for making IPsec
> mandatory (except at the moment for some simple appliances) was that for
> IPsec to be a feasible solution it needs to be available throughout the
> network. We want it to be universally available so that it CAN be used
> when required.

Take the case of network routers in non-secure spaces. This should be a VERY common situation. Let's assume that I use some form of hardware encryption for everything traveling between routers, mainly to protect the routing protocol, but also apply this encryption to any traffic. This could be more than adequate for such a network, and it avoids the need for IKEv2 in the routers.

Or forget hardware encryption. I can also use means other than IKEv2 to identify the crypto algorithm used between my routers, if I have control of router configuration but these routers may be in non-secure spaces. Even manual configuration, if the network is not huge. Or SNMP.

> With end-to-end, any two hosts could use IPsec as a solution even if no
> one else supported it, assuming that nothing in the network blocks its
> use.

And this solution doesn't prevent end-to-end IPsec in any way. And yet, the NIST Profile does not allow the above possibilities.

My fundamental position is that for real, meaningful security, you either need IPsec between hosts, or at the very least you need IPsec between "security gateways" that are themselves located in secure spaces, *along with* the hosts. In short, when routers are in non-secure spaces, there's no way you'll get "security" if you allow only plaintext to these routers. The onus of IP security goes mostly to hosts or the security gateways.
Bert

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: http://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
