> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Thomas Narten
> I do like the idea of clarifying that network layer security is a good
> general thing and that IPsec/IKE is the solution for that. But this
> still begs the question in that network layer security is simply not a
> requirement for all applications and usages of an IP device (IMO).

TLS is great, and is used a lot, because it can be applied on a case by case basis. It is not imposed on the whole network. It is implemented by applications that require security, and not by the rest.

When MUST is specified for IPv6 IPsec, this translates to every device connected to the network, as well as the network itself, MUST support IPsec. For example, that is how the requirement gets passed down by the DoD.

Want to do IPv6 for your control network? Fine, but now you need certificates and key exchange, and all of the administrative infrastructure that goes with these. Where simpler security schemes may have sufficed previously.

So, end systems that may otherwise migrate to IPv6 hesitate. They are discovering all of the additional overhead of IPsec implementation that they never had to worry about before.

Bert

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
