Phill,

On 11/10/2013 03:00, Phillip Hallam-Baker wrote:
> I think the problem is that many protocols are at the wrong level of
> abstraction to mandate use of any security controls.
>
> For example, consider IPSEC which at one time was mandatory to implement in
> IPv6 but isn't any more because most protocols use SSL rather than IPSEC in
> any case.

Please let's be accurate. The reason that IPsec was a MUST in RFC 4294 but became a SHOULD in RFC 6434 was nothing to do with SSL:

"This document recognizes that there exists a range of device types and environments where approaches to security other than IPsec can be justified. For example, special-purpose devices may support only a very limited number or type of applications, and an application-specific security approach may be sufficient for limited management or configuration capabilities. Alternatively, some devices may run on extremely constrained hardware (e.g., sensors) where the full IPsec Architecture is not justified."

Also, it was clear from the start that IPsec for IPv6 was MTI, not MTU, and the downgrade to RTI (recommended to implement) was to allow for low end devices where the code would never be used anyway.

Brian

_______________________________________________
perpass mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/perpass
