[ipv6-wg] RIPE-501 and IPSEC on CPEs

ESP-NULL.....which means that you do use an integrity crypto algorithm such as SHA-1, SHA256, MD5, etc

The Node Requirements bis doc is reaching finalization in the IETF and has changed IPsec from a MUST to a SHOULD:

 "Security Architecture for the Internet Protocol" [RFC4301] SHOULD be
   supported by all IPv6 nodes.  Note that the IPsec Architecture
   requires (e.g., Sec. 4.5 of RFC 4301) the implementation of both
   manual and automatic key management.  Currently the default automated
   key management protocol to implement is IKEv2.  As required in
   [RFC4301], IPv6 nodes implementing the IPsec Architecture MUST
   implement ESP [RFC4303] and MAY implement AH [RFC4302]."

It may make sense to change IPsec to 'optional' (I can't believe I am saying this :)). 

- merike

On Jul 20, 2011, at 9:40 AM, Ivan Pepelnjak wrote:

> Don't forget that although IPsec is part of IPv6 functionality, supporting null encapsulation (whatever it's properly called ;) and no authentication or encryption protocol also makes you compliant.
> 
> We might make it optional ;)
> Ivan
> 
>> -----Original Message-----
>> From: ipv6-wg-admin at ripe.net [mailto:ipv6-wg-admin at ripe.net] On Behalf Of
>> Jan Zorz @ go6.si
>> Sent: Wednesday, July 20, 2011 6:36 PM
>> To: ipv6-wg at ripe.net
>> Subject: Re: [ipv6-wg] RIPE-501 and IPSEC on CPEs
>> 
>> On 7/20/11 2:42 PM, Ahmed Abu-Abed wrote:
>>> Hello All,
>>> Reading RIPE-501 spec for basic CPEs, I see that IPSEC & IKE are
>>> mandatory under "host" equipment. Is this a necessity ? Many IPv4 CPEs
>>> do not support IPSEC to keep the costs down.
>>> Regards,
>>> -Ahmed
>> 
>> Yes, host must support this. CPE not necessarily, that's why it's under
>> optional requirements.
>> 
>> Cheers, Jan
> 
>