Thomas, I am coming from 180 degrees where you are but I respect your input. IPsec is required by any market (this includes VPNs and LAN only IPsec use) the IETF has been successful so I respectfully disagree with your market data. In addition the infrastructure to support IPsec is not our concern in the IETF IPsec secures layer 3 on networks and that is highly valuable to the market. Each market segment will deal with PKI and user space API and Management issues on their own terms/conditions and methods. I still think we have debate to move to a SHOULD but even a SHOULD says do this or have a good reason to not do it. Moving it to MAY is unacceptable to me in the IETF as a note.
/jim

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Narten
> Sent: Wednesday, February 27, 2008 1:00 PM
> To: [EMAIL PROTECTED]
> Cc: [email protected]
> Subject: Re: the role of the node "requirements" document
>
> John,
>
> > Well, I would say that we (HW, SW, Platform providers) cannot expect
> > to understand all of the ways that their products will be deployed, so
> > it is extremely hard to state "security is not needed."
>
> That is not what I (and I suspect others) are saying.
>
> What I am saying is that security (in practice) turns out to
> be much harder than "just use IPsec". Really. The corollary
> to this is that mandating IPsec (at the node level) doesn't
> actually get you usable security in IPv6.
>
> To get real security, you have to consider the actual
> application that needs securing as well as the operational
> environment where the deployment will take place. There are
> plenty of applications that already have security that do not
> use IPsec. Should we/can we force them to use IPsec? No.
>
> And if an IPv6 node has limited functionality/purpose, and
> none of that functionality appears likely to use IPsec
> (because it has other means for providing security), what is
> the point of requiring IPsec?
>
> I think the big message that people are missing is that IPsec
> has not become the ubiquitous base-line security that we had
> once hoped for.
>
> And even today, IPv6 only mandates IPsec (with manual keys).
> No key management. And if there is one thing we have learned
> from practical deployments, it's all about key
> management/distribution. That is the hard stuff that makes or
> breaks usability.
>
> Mandating IPsec with just static keying just isn't useful in practice.
>
> Thus, continuing to mandate IPsec (while continuing to punt on key
> management) just looks silly.
>
> Thomas
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> [email protected]
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
