James:
James Carlson wrote:
> Ed Jankiewicz writes:
>
>> As Jim Bound has stated many times, IETF defines standards not
>> deployment, and the Node Requirements revision should reiterate that the
>> standard for security in IPv6 is IPsec citing RFC 4301 (successor to
>> 2401). OTOH, we at DoD and NIST are certainly addressing deployment
>>
>
> That's an argument for: "if you claim to implement security at all
> with IPv6, you must at least implement IPsec as described in {insert
> references}."
>
> It's not a good argument for "everyone must implement security in all
> cases in order to be considered a good IPv6 citizen, even if they have
> no plans to use those security protocols, so there."
>
>
I'll concede that point. We need to say one or the other (unconditional
or conditional MUST) and it seems this is the best forum to hash that
out. I am not religious about it being an unconditional MUST in the
Node Requirements. I am suggesting a "non-interference" statement, that
to be a good IPv6 citizen you MUST NOT inhibit the use of IPsec.
>> I agree with Hemant (and others' sentiments on this thread) that the
>> Node Requirements doc should summarize the requirements for IPv6 nodes,
>> and leave the exceptions, extensions and caveats to deployment documents
>> like the NIST and DoD profiles and application documents.
>>
>
> If you do that, then the likely outcome is that systems that are
> designed to be used in those special, constrained environments where
> IPv6 is useful, but IPsec is not, will end up lacking the "IPv6 Ready"
> logo and other acceptability marks.
>
>
I still believe in choice - customers can extend requirements to add
special features, and can make choices regarding products without IPsec
where they are adequate. IETF can publish another 5000 RFCs that
mandate IPsec, but vendors and customers are free to build and buy
products that don't have it. IETF should state what is necessary for
interoperability, including statements about non-interference in some
cases. As long as I can use IPsec when I want it, why should I care if
my neighbor has a host without it? Or if my ISP blindly passes it
without having any IPsec implementation? I would care if my ISP blocked
it because it prevented their "deep packet inspection."
> It makes hash of those other profiles by requiring what isn't
> necessarily required.
>
>
Also a good point - exceptions are messier than extensions - but as long
as exceptions are non-interfering, let the buyer beware.
Ed J.
--
Ed Jankiewicz - SRI International
Fort Monmouth Branch Office - IPv6 Research
Supporting DISA Standards Engineering Branch
732-389-1003 or [EMAIL PROTECTED]
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------