Hi Brian,

You are right.

Thanks,
Vishwas

On Sat, Mar 8, 2008 at 11:30 AM, Brian E Carpenter <[EMAIL PROTECTED]> wrote:
> It doesn't seem to me that this WG is chartered to change
> the normative requirements of IPsec.
>
> Brian
>
> On 2008-03-07 16:43, Vishwas Manral wrote:
> > Hi Tony,
> >
> > You bring forward a very good point, I had raised the same issue about
> > 3 years back in the IPsec list. There are now some drafts to add
> > support for the same in IPv6. The basic idea is that a middle-box (like
> > a firewall) should be able to identify a NULL encrypted packet.
> >
> > I was however told that with some basic checks like checking some
> > bytes in the packet can help in determining if the upper layer packet
> > (and if the payload is encrypted or not). Not all firewalls currently
> > support this.
> >
> > Thanks,
> > Vishwas
> >
> > On Thu, Mar 6, 2008 at 5:49 PM, Tony Hain <[EMAIL PROTECTED]> wrote:
> >> ESP == MUST && AH == MUST
> >>
> >> There is a major problem with ESP/NULL & firewalls, so AH has to be there.
> >> The crap about lack of an API as a reason to downgrade the requirement for
> >> both of these is nothing more than a concession to IETF politics, where 'we
> >> don't define APIs' was the mantra at the point in time this was played out
> >> before.
> >>
> >> You will never make progress if you constantly retreat in the face of
> >> resistance...
> >>
> >> Tony
> >>
> >> > -----Original Message-----
> >> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> >> > [EMAIL PROTECTED]
> >> > Sent: Wednesday, March 05, 2008 12:15 PM
> >> > To: [EMAIL PROTECTED]
> >> > Cc: [email protected]
> >> > Subject: RE: Security Requirements for IPv6 Node Req summary
> >> >
> >> > Sorry, that was a cut & paste mistake. AH is a MAY.
> >> >
> >> > John
> >> >
> >> > >-----Original Message-----
> >> > >From: ext Vishwas Manral [mailto:[EMAIL PROTECTED]
> >> > >Sent: 05 March, 2008 12:12
> >> > >To: Loughney John (Nokia-OCTO/PaloAlto)
> >> > >Cc: [email protected]
> >> > >Subject: Re: Security Requirements for IPv6 Node Req summary
> >> > >
> >> > >Hi John,
> >> > >
> >> > >RFC4301 states AH is optional. Is there a reason why we are
> >> > >making it a MUST be supported feature. Below quoting RFC4301:
> >> > >
> >> > >"IPsec implementations MUST support ESP and MAY
> >> > > support AH."
> >> > >
> >> > >Thanks,
> >> > >Vishwas
> >> > >
> >> > >On Wed, Mar 5, 2008 at 11:46 AM, <[EMAIL PROTECTED]> wrote:
> >> > >> Hi all,
> >> > >>
> >> > >> The RFC 4294-bis draft has the following requirement, which comes
> >> > >> from the initial RFC.
> >> > >>
> >> > >> 8.1. Basic Architecture
> >> > >>
> >> > >> Security Architecture for the Internet Protocol [RFC-4301] MUST be
> >> > >> supported.
> >> > >>
> >> > >> 8.2. Security Protocols
> >> > >>
> >> > >> ESP [RFC-4303] MUST be supported. AH [RFC-4302] MUST be supported.
> >> > >>
> >> > >> We have had a lot of discussion that people basically feel that these
> >> > >> requirements are not applicable and should be moved to SHOULD. I
> >> > >> would say that there is rough WG Consensus on this. Do people feel
> >> > >> if there should be additional text to explain this?
> >> > >>
> >> > >> I suggest that the WG Chairs and our ADs discuss this with the
> >> > >> Security ADs to ensure that this is a reasonable consensus to adopt
> >> > >> - so that we do not run into issues during the eventual IETF/IESG
> >> > >> review. I am not sure that we can go much further in discussions in
> >> > >> the WG.
> >> > >>
> >> > >> Does anyone have comments on this approach?
> >> > >>
> >> > >> John
> >> > >
> > --------------------------------------------------------------------
> > IETF IPv6 working group mailing list
> > [email protected]
> > Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> > --------------------------------------------------------------------
>
--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
