[ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.

On 12/27/11 11:36 PM, Sander Steffann wrote:
> I agree. We are writing a template for tender initiators for
> enterprises. I think we should state that IPSec is mandatory, because
> enterprises should have the possibility to set up IPSec site-to-site
> tunnels as a minimum. I think we should write it in such a way that
> enterprises  require IPSec support when writing a request for tender,
> unless they consciously decide that they don't need it. So I think we
> should put IPSec in the 'required' section. If an enterprise knows it
> will not need it then they can move it to 'optional' themselves.
> RIPE-501 and its successor are templates to be used and adapted as
> necessary. We should provide a sane default, and they might (will
> probably?) need IPSec at some point in time.

Hi,

I somehow agree...

Disclaimer: RIPE community explicitly expressed the "wish" not to write 
anything radical into RIPE-501 bis/replacement document - I think Joao 
did that also publicly at Amsterdam meeting, and we received this 
suggestion a lot on and off-line.

Being said that, we might disregard all "radical" suggestions, such as 
"remove IPsec completely from the document" unless they are proven 
non-radical and that community (majority) feels in that way.

So, for that suggestion there is much more support needed from community 
than we can see it now. Supporters for "remove IPsec requirements 
completely", make yourself heard, otherwise be quiet for the rest of the 
time :) (we need to get this document out of the door ASAP, many 
governments (not joking) are waiting for replacement to take it as basis 
for their national IPv6 profile ;) )

We received many strong suggestions also off-list to go with the flow 
and follow IETF way - make it all optional for all devices (maybe with 
this option we could leave it out for mobile devices). Supporters for 
this option, make yourself heard, otherwise be quiet for the rest of the 
time :)

Security and IPv6 advocate mind tells us to leave IPSec (at least v2) 
mandatory for all sections (not valid for mobile devices) and IPsec v3 
optional. This would make sense from many points of view, but I 
(personally) cannot make up my mind if this is not too harsh 
prerequisite for this moment. Again, supporters for this option, make 
yourself heard, otherwise be quiet for the rest of the time :)

Sanders proposal above adds additional section for all devices (minus 
mobile), so we expand to "Mandatory", "Required" and "Optional". If I 
may repeat myself, supporters for this option, make yourself heard, 
otherwise be quiet for the rest of the time :)

So, if WG chairs allow, I would propose a "show of hands" and see, how 
we can proceed. (anyone who express clear support fo one of the options 
gets a candy at RIPE64 meeting in Ljubljana :) :) :) )

>
> I am leaving for vacation now, so I'll eave it up to this WG to
> decide what to do with my input :-) Sander

Sander, have a good time and rest a bit :) V6 work for this year is done :)

Cheers, Jan Zorz