Hi Alain,

you raise the existential question about security (except for dedicated security services like VPN): why pay for something that might never be used? :)
This is exactly the same problem I have today with airbags in cars: I pay for them when I buy a car (i.e. cost), I can no longer put my legs on the dashboard when I am a passenger because I am afraid to activate them (i.e. complexity) and I will, maybe (I hope :)), never use them (i.e. useless). So, why, today, do all cars have such airbags (BTW, which are standardized I assume)?

More seriously, I was not involved in the IETF when it was decided that IPsec would be mandatory in IPv6 but IMHO:

- it is always good to have a common security protocol at the IP layer (i.e. interoperability) that can be used easily when you need it.
- many protocols have been specified and secured based on the assumption that IPsec was mandatory
- if today some technologies cannot support IPsec, the next generation of the same technologies should support it

Now I agree that there is a cost and too much security kills security. But do you prefer to pay a "small" cost and have a "spare wheel" or to pay a "large" cost later because you will have security issues (and so you will have to stop services until you secure them correctly)?

Best regards.

JMC.

2008/2/26, Alain Durand <[EMAIL PROTECTED]>:
> The latest draft: draft-ietf-6man-node-req-bis-00.txt
> still lists IPsec as mandatory to implement.
>
> As I mentioned last IETF meeting, this is creating a problem for certain
> kinds of devices, like cable modems, which have a very limited memory
> footprint. Those devices operate in an environment where IPsec is not used
> and mandating its implementation has a serious cost: it means that legacy
> devices cannot be upgraded to IPv6...
>
> In DOCSIS 3.0, the decision was to NOT require IPsec implementation on those
> devices. I'm sure other environments have made or will make similar choices.
>
> Moreover, to make the point more general, we are specifying/buying many
> other types of devices where we know that IPsec will never be used. Why
> should the vendor of those devices have to implement it? Because one day I
> might decide to deploy it? IMHO, this is not a good thing, because in the
> meantime, I will have to run extra code which means extra bugs, more memory
> and more risks of misconfiguration.
>
> I would like to suggest that the node requirements remove any mention of
> IPsec being mandatory to implement and instead include text along the lines of:
> "if you are going to implement IPsec, here is what you should/must do".
>
> - Alain.
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> [email protected]
> Administrative Requests: http://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
