[ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.

Hello and Happy Holidays to everyone....

On Dec 23, 2011, at 2:16 PM, Jan Zorz @ go6.si wrote:

> On 12/23/11 5:30 PM, Eric Vyncke (evyncke) wrote:
>> Jan,
>> 
>> Let's be realistic (and the best quality of RIPE-501++ is to be
>> realistic and 'down to the ground'): very few IPv6-nodes do IPsec...
>> So, let's remove this requirement and make it optional (RFC 6434
>> clearly shows the path).
>> 
>> Going in holiday mode: do you use SSH or telnet+IPsec ? :-)
> 
> I see your point :)
> 
> so, +1 for all optional.
> 
> What others think?

Just to be sure we are all saying the same thing.  Are we wanting to have IPsec be optional for *ALL* sections, so even for routers or layer-3 switches, network security devices, load balancers?

1. For CPEs we had this discussion [July 20-26, 2011 on this list] and the decision thus far was to do:

>>>> My suggestion would be to add (in addition to RFC6204 in
>>>> mandatory):
>>>> 
>>>> "If this specification is used for business class CPE, then
>>>> IPsec-v2 [RFC2401, RFC2406, RFC2402], IKE version 2 (IKEv2)
>>>> [RFC4306, RFC4718] and ISAKMP [RFC2407, RFC2408, RFC2409] must be
>>>> supported in addition to RFC6204 requirements"

2. For Mobile Devices it makes sense to put as optional since in my experience TLS is more often used for VPN scenarios.  It would be great to know if that has changed.


3. For hosts, it probably also makes sense to have IPsec be optional since in the IETF discussions (which occurred in Feb - March 2088!!! on the IPv6 Maintenance WG mailing list) mostly since sensors and low end hosts (i.e. cable modems and also low end CPEs) would not want to deal with the code bloat.  

However, I will make a note that an IETF 'SHOULD' is not the same as optional.  If it were optional it would be a 'MAY'.   Also, at the time of the discussion there were talks about BTNS (Better Than Nothing Security) being a way to help solve some deployment issues - back in 2008 the standards were still just in draft stages.  Check out hack.org/mc/blog/  which a friend provided a pointer to a few days ago.  Seemed really interesting to me.

With a better potential for DNS being used to transfer public keys and the fact that most OSs have IPsec capabilities, I just hope we are going to make the right practical decision for now.   Folks on this list know best and we as authors will definitely reflect list consensus.


4. For routers and layer-3 switches, network security devices and load balancers I would expect the industry to want IPsec as mandatory but let's see what folks on list say.

> And additional question: should we request IPsec-v3 or v2?

The thinking currently is that wherever we say we require IPsec (either for mandatory or optional), we would specify the following:

• IPsec-v3 [RFC4301, RFC4303, RFC4302] * 
• IKE version 2 (IKEv2) [RFC5996 (obsoletes RFC 4306), RFC4718] * 
• ISAKMP [RFC2407, RFC2408,RFC2409]

OR, are there any place where the updated IPsec standards do not make sense and we still want to specify 

- IPsec-v2 [RFC2401,RFC2406, RFC2402]  ??

Thanks all...

- merike


> 
> Cheers, Jan
>