Hi Tony,

You bring forward a very good point; I had raised the same issue about
3 years back in the IPsec list. There are now some drafts to add
support for the same in IPv6. The basic idea is that a middle-box (like
a firewall) should be able to identify a NULL encrypted packet.

I was, however, told that some basic checks, like checking some
bytes in the packet, can help in determining the upper layer packet
(and if the payload is encrypted or not). Not all firewalls currently
support this.

Thanks,
Vishwas

On Thu, Mar 6, 2008 at 5:49 PM, Tony Hain <[EMAIL PROTECTED]> wrote:
> ESP == MUST  &&   AH == MUST
>
>  There is a major problem with ESP/NULL & firewalls, so AH has to be there.
>  The crap about lack of an API as a reason to downgrade the requirement for
>  both of these is nothing more than a concession to IETF politics, where 'we
>  don't define APIs' was the mantra at the point in time this was played out
>  before.
>
>  You will never make progress if you constantly retreat in the face of
>  resistance...
>
>  Tony
>
>
>
>  > -----Original Message-----
>  > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
>  > [EMAIL PROTECTED]
>  > Sent: Wednesday, March 05, 2008 12:15 PM
>  > To: [EMAIL PROTECTED]
>  > Cc: [email protected]
>  > Subject: RE: Security Requirements for IPv6 Node Req summary
>  >
>  > Sorry, that was a cut & paste mistake. AH is a MAY.
>  >
>  > John
>  >
>  > >-----Original Message-----
>  > >From: ext Vishwas Manral [mailto:[EMAIL PROTECTED]
>  > >Sent: 05 March, 2008 12:12
>  > >To: Loughney John (Nokia-OCTO/PaloAlto)
>  > >Cc: [email protected]
>  > >Subject: Re: Security Requirements for IPv6 Node Req summary
>  > >
>  > >Hi John,
>  > >
>  > >RFC4301 states AH is optional. Is there a reason why we are
>  > >making it a MUST be supported feature. Below quoting RFC4301:
>  > >
>  > >"IPsec implementations MUST support ESP and MAY
>  > >   support AH."
>  > >
>  > >Thanks,
>  > >Vishwas
>  > >
>  > >On Wed, Mar 5, 2008 at 11:46 AM,  <[EMAIL PROTECTED]> wrote:
>  > >> Hi all,
>  > >>
>  > >>  The RFC 4294-bis draft has the following requirement, which comes
>  > >>  from the initial RFC.
>  > >>
>  > >>   8.1. Basic Architecture
>  > >>
>  > >>    Security Architecture for the Internet Protocol [RFC-4301] MUST be
>  > >>    supported.
>  > >>
>  > >>   8.2. Security Protocols
>  > >>
>  > >>    ESP [RFC-4303] MUST be supported.  AH [RFC-4302] MUST be supported.
>  > >>
>  > >>  We have had a lot of discussion that people basically feel that these
>  > >>  requirements are not applicable and should be moved to SHOULD.  I
>  > >>  would say that there is rough WG Consensus on this.  Do people feel
>  > >>  that there should be additional text to explain this?
>  > >>
>  > >>  I suggest that the WG Chairs and our ADs discuss this with the
>  > >>  Security ADs to ensure that this is a reasonable consensus to adopt
>  > >>  - so that we do not run into issues during the eventual IETF/IESG
>  > >>  review.  I am not sure that we can go much further in discussions in
>  > >>  the WG.
>  > >>
>  > >>  Does anyone have comments on this approach?
>  > >>
>  > >>  John
>  >
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
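The "basic checks on some bytes in the packet" that Vishwas mentions are the core of the ESP-NULL detection problem for firewalls: with NULL encryption the ESP trailer (padding, pad length, next header) and the inner transport header are in the clear, so a middle-box can test whether they parse sensibly; with real encryption they are ciphertext and the test fails. The following is an added illustration written for this page, not code from the thread, the IPv6 WG or any IPsec implementation. It assumes a packet consisting of the ESP header plus payload, trailer and ICV (the IPv6 header already stripped), the RFC 4303 default monotonic padding (1, 2, 3, ...), a small candidate set of ICV lengths, and deliberately simple TCP/UDP sanity checks; the sample packets are constructed inline and the "encrypted" one is an opaque byte pattern standing in for ciphertext. It goes slightly beyond the message by also showing the firewall verdict a middle-box would derive, which is the kind of heuristic later documented in RFC 5879.

```python
import struct

# Candidate ICV lengths (bytes) to try when locating the ESP trailer.
# Assumption: common integrity algorithms yield 12- or 16-byte ICVs;
# 0 covers an SA with no integrity protection.
ICV_LENGTHS = (12, 16, 0)

TCP, UDP = 6, 17


def plausible_tcp(hdr: bytes) -> bool:
    """Sanity-check a candidate TCP header (readable only if ESP-NULL)."""
    if len(hdr) < 20:
        return False
    src, dst = struct.unpack('!HH', hdr[:4])
    data_off = (hdr[12] >> 4) * 4
    flags = hdr[13]
    syn, fin = flags & 0x02, flags & 0x01
    return (src != 0 and dst != 0
            and 20 <= data_off <= len(hdr)
            and (hdr[12] & 0x0e) == 0        # reserved bits must be zero
            and flags != 0
            and not (syn and fin))           # SYN+FIN is never legitimate


def plausible_udp(hdr: bytes) -> bool:
    """Sanity-check a candidate UDP header: length field must match the datagram."""
    if len(hdr) < 8:
        return False
    _src, dst, length = struct.unpack('!HHH', hdr[:6])
    return dst != 0 and length == len(hdr)


def esp_null_trailer(pkt: bytes):
    """
    Try to parse pkt (SPI + seq + payload + trailer [+ ICV]) as ESP-NULL.
    Returns (next_header, icv_len) when the trailer and the inner header are
    consistent with cleartext, or None when the packet looks encrypted.
    """
    if len(pkt) < 8 + 2:
        return None
    for icv_len in ICV_LENGTHS:
        body = pkt[8:len(pkt) - icv_len]
        if len(body) < 2:
            continue
        pad_len, nh = body[-2], body[-1]
        if pad_len > len(body) - 2:
            continue
        # RFC 4303 default padding is the monotonic byte sequence 1, 2, 3, ...
        if body[len(body) - 2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
            continue
        inner = body[:len(body) - 2 - pad_len]
        if (nh == TCP and plausible_tcp(inner)) or (nh == UDP and plausible_udp(inner)):
            return nh, icv_len
    return None


def firewall_verdict(pkt: bytes) -> str:
    """What a middle-box can conclude: inspectable ESP-NULL or opaque ESP."""
    r = esp_null_trailer(pkt)
    if r is None:
        return "opaque: treat as encrypted ESP, inner headers cannot be inspected"
    nh, icv_len = r
    return f"esp-null: inner protocol {nh}, icv {icv_len} bytes, inner header inspectable"


def build_esp_null(spi, seq, inner, next_header, icv_len=12):
    """Constructed sample ESP-NULL packet with a placeholder (all-zero) ICV."""
    pad_len = (-(len(inner) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    return (struct.pack('!II', spi, seq) + inner + padding
            + bytes([pad_len, next_header]) + b'\x00' * icv_len)


# Constructed samples (not captured traffic).
SAMPLE_TCP = struct.pack('!HHIIBBHHH', 40000, 443, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
SAMPLE_UDP = struct.pack('!HHHH', 5353, 53, 13, 0) + b'hello'
ESP_NULL_TCP = build_esp_null(0x1234, 1, SAMPLE_TCP, TCP)
ESP_NULL_UDP = build_esp_null(0x1234, 2, SAMPLE_UDP, UDP, icv_len=16)
# Stand-in for encrypted ESP: an opaque byte pattern, not real ciphertext.
ESP_OPAQUE = struct.pack('!II', 0x5678, 7) + bytes([0xA5, 0x5A] * 18)

if __name__ == "__main__":
    for name, p in (("tcp", ESP_NULL_TCP), ("udp", ESP_NULL_UDP), ("opaque", ESP_OPAQUE)):
        print(name, firewall_verdict(p))
```

The caveat Vishwas alludes to is visible in the code: the trailer check alone is weak when pad length is zero (an empty padding sequence matches trivially), so the inner-header sanity checks carry most of the weight, and a firewall that lacks them will either pass encrypted traffic it cannot see into or drop ESP-NULL it could have inspected. AH avoids the ambiguity entirely, which is the point Tony makes.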