It doesn't seem to me that this WG is chartered to change
the normative requirements of IPsec.
Brian
On 2008-03-07 16:43, Vishwas Manral wrote:
> Hi Tony,
>
> You bring forward a very good point; I had raised the same issue about
> 3 years back on the IPsec list. There are now some drafts to add
> support for the same in IPv6. The basic idea is that a middle-box (like
> a firewall) should be able to identify a NULL encrypted packet.
>
> I was, however, told that some basic checks, like checking some
> bytes in the packet, can help in determining the upper layer packet
> (and whether the payload is encrypted or not). Not all firewalls currently
> support this.
>
> Thanks,
> Vishwas
>
> On Thu, Mar 6, 2008 at 5:49 PM, Tony Hain <[EMAIL PROTECTED]> wrote:
>> ESP == MUST && AH == MUST
>>
>> There is a major problem with ESP/NULL & firewalls, so AH has to be there.
>> The crap about lack of an API as a reason to downgrade the requirement for
>> both of these is nothing more than a concession to IETF politics, where 'we
>> don't define APIs' was the mantra at the point in time this was played out
>> before.
>>
>> You will never make progress if you constantly retreat in the face of
>> resistance...
>>
>> Tony
>>
>>
>>
>> > -----Original Message-----
>> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
>> > [EMAIL PROTECTED]
>> > Sent: Wednesday, March 05, 2008 12:15 PM
>> > To: [EMAIL PROTECTED]
>> > Cc: [email protected]
>> > Subject: RE: Security Requirements for IPv6 Node Req summary
>> >
>> > Sorry, that was a cut & paste mistake. AH is a MAY.
>> >
>> > John
>> >
>> > >-----Original Message-----
>> > >From: ext Vishwas Manral [mailto:[EMAIL PROTECTED]
>> > >Sent: 05 March, 2008 12:12
>> > >To: Loughney John (Nokia-OCTO/PaloAlto)
>> > >Cc: [email protected]
>> > >Subject: Re: Security Requirements for IPv6 Node Req summary
>> > >
>> > >Hi John,
>> > >
>> > >RFC4301 states AH is optional. Is there a reason why we are
>> > >making it a MUST be supported feature. Below quoting RFC4301:
>> > >
>> > >"IPsec implementations MUST support ESP and MAY
>> > > support AH."
>> > >
>> > >Thanks,
>> > >Vishwas
>> > >
>> > >On Wed, Mar 5, 2008 at 11:46 AM, <[EMAIL PROTECTED]> wrote:
>> > >> Hi all,
>> > >>
>> > >> The RFC 4294-bis draft has the following requirement, which comes
>> > >> from the initial RFC.
>> > >>
>> > >> 8.1. Basic Architecture
>> > >>
>> > >> Security Architecture for the Internet Protocol [RFC-4301] MUST be
>> > >> supported.
>> > >>
>> > >> 8.2. Security Protocols
>> > >>
>> > >> ESP [RFC-4303] MUST be supported. AH [RFC-4302] MUST be supported.
>> > >>
>> > >> We have had a lot of discussion that people basically feel that these
>> > >> requirements are not applicable and should be moved to SHOULD. I
>> > >> would say that there is rough WG Consensus on this. Do people feel
>> > >> if there should be additional text to explain this?
>> > >>
>> > >> I suggest that the WG Chairs and our ADs discuss this with the
>> > >> Security ADs to ensure that this is a reasonable consensus to adopt
>> > >> - so that we do not run into issues during the eventual IETF/IESG
>> > >> review. I am not sure that we can go much further in discussions in
>> > >> the WG.
>> > >>
>> > >> Does anyone have comments on this approach?
>> > >>
>> > >> John
>> >
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> [email protected]
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
>
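The heuristic Vishwas describes above, a middle-box checking a few bytes of an ESP packet to decide whether the payload is NULL-encrypted and which upper-layer protocol it carries, written out as an added example. This code is not from the thread, from RFC 4303 or from any IETF draft; the candidate ICV lengths, the accepted Next Header values, the helper names and the three sample packets are all constructed for the illustration.

```python
"""Heuristic ESP-NULL detection for a middlebox (added example, not from the thread).

Idea: with the SA's integrity algorithm unknown, try each plausible ICV length,
read the ESP trailer (Pad Length, Next Header) that sits just before the ICV,
verify the default 1, 2, 3, ... padding, and check that the payload parses as
the claimed upper-layer header. Real ciphertext is opaque and will almost never
satisfy all three checks at once.
Assumptions: CANDIDATE_ICV_LENGTHS, KNOWN_NEXT_HEADERS and the sample packets
below are chosen for this example, not taken from any specification.
"""
import struct

ESP_HEADER_LEN = 8                   # SPI (4 bytes) + Sequence Number (4 bytes)
CANDIDATE_ICV_LENGTHS = (0, 12, 16)  # no auth, HMAC-*-96, *-128 (assumed set)
KNOWN_NEXT_HEADERS = {6: "TCP", 17: "UDP", 58: "ICMPv6"}


def _plausible_upper_layer(proto, payload):
    """Cheap sanity checks on the bytes where the upper-layer header would be."""
    if proto == 6:
        # TCP: >= 20-byte header, data offset 5..15 words, 3 reserved bits zero.
        if len(payload) < 20:
            return False
        data_offset = payload[12] >> 4
        reserved = payload[12] & 0x0E
        return (5 <= data_offset <= 15 and data_offset * 4 <= len(payload)
                and reserved == 0)
    if proto == 17:
        # UDP: the Length field must equal header + data actually present.
        return (len(payload) >= 8
                and struct.unpack("!H", payload[4:6])[0] == len(payload))
    if proto == 58:
        # ICMPv6 (RFC 4443): error types 1..4, informational types >= 128.
        return len(payload) >= 8 and (1 <= payload[0] <= 4 or payload[0] >= 128)
    return False


def detect_esp_null(esp_packet):
    """Return (protocol_name, upper_layer_bytes) if esp_packet looks like ESP
    with NULL encryption, else None (treat as opaque/encrypted)."""
    for icv_len in CANDIDATE_ICV_LENGTHS:
        trailer_end = len(esp_packet) - icv_len   # Pad Length, Next Header end here
        if trailer_end < ESP_HEADER_LEN + 2:
            continue
        pad_len = esp_packet[trailer_end - 2]
        next_header = esp_packet[trailer_end - 1]
        if next_header not in KNOWN_NEXT_HEADERS:
            continue
        pad_start = trailer_end - 2 - pad_len
        if pad_start < ESP_HEADER_LEN:
            continue
        # RFC 4303 section 2.4: default padding is the byte sequence 1, 2, 3, ...
        if esp_packet[pad_start:trailer_end - 2] != bytes(range(1, pad_len + 1)):
            continue
        payload = esp_packet[ESP_HEADER_LEN:pad_start]
        if _plausible_upper_layer(next_header, payload):
            return KNOWN_NEXT_HEADERS[next_header], payload
    return None


def build_esp_null(spi, seq, next_header, payload, icv_len=12):
    """Construct an ESP packet with NULL encryption: header, payload, default
    padding to a 4-byte boundary, trailer and a placeholder ICV (not a real MAC)."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    trailer = bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + payload + padding + trailer + b"\xaa" * icv_len


def sample_packets():
    """Three constructed packets: NULL-encrypted TCP, NULL-encrypted UDP, and an
    ESP packet whose payload is a fixed byte pattern standing in for ciphertext."""
    tcp = struct.pack("!HHIIBBHHH", 443, 51000, 1, 2, 5 << 4, 0x18, 65535, 0, 0) + b"hello"
    udp_data = b"\x12\x34"
    udp = struct.pack("!HHHH", 53, 40000, 8 + len(udp_data), 0) + udp_data
    opaque = bytes((73 * i + 41) % 256 for i in range(40))  # stand-in for ciphertext
    return {
        "esp_null_tcp": build_esp_null(0x1000, 1, 6, tcp, icv_len=12),
        "esp_null_udp": build_esp_null(0x2000, 7, 17, udp, icv_len=16),
        "esp_encrypted": struct.pack("!II", 0x3000, 3) + opaque,
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        verdict = detect_esp_null(pkt)
        print(name, "->", "opaque (treat as encrypted)" if verdict is None
              else "ESP-NULL carrying %s" % verdict[0])
```

The caveat a firewall operator needs: this is classification, not authentication. A sender can forge a trailer that looks like ESP-NULL, and a ciphertext can by chance produce a passing trailer, so the heuristic only tells the box what to try to inspect; it cannot tell it the inspected bytes are genuine. That is why the thread's alternative is AH, which leaves the payload in the clear under an integrity check, and why the later IETF work in this space paired documented heuristics (RFC 5879) with an explicit on-the-wire marker, WESP (RFC 5840).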