This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[ipv6-wg] RIPE-501 and IPSEC on CPEs

Previous message (by thread): [ipv6-wg] RIPE-501 and IPSEC on CPEs
Next message (by thread): [ipv6-wg] RIPE-501 and IPSEC on CPEs

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Ahmed Abu-Abed ahmed at tamkien.com
Sat Jul 23 10:46:44 CEST 2011

Hello,

On July 23rd S.P.Zeidler wrote:

> Hi,
>
> Thus wrote Ahmed Abu-Abed (ahmed at tamkien.com):
>
>> I believe implementing line rate IPSEC on a CPE requires silicon
>> that accelerates the crypto algorithms, and this may be a good
>
> Depends on your line rate. Up to 10Mbps, with i386 family CPUs of 400Mhz
> or better, the CPU on its own will do fine.

100Mbps (or even 1Gbps) is also needed with GPON and ADSL2+ CPE offerings. 
And CPE vendors stay away from x86 processors due to heat dissipation 
issues.

>> So making IPSEC optional is more practical to LIRs needing low cost
>> CPE solutions.
>
> Another option would be for LIRs looking for ultra low cost routers to
> take some that don't make the requirements list. Or take CPEs that flag
> themselves as "fulfilling RIPE-501 except IPSEC".

One of the main objectives of RIPE-501 is specifying IPv6 CPE requirements. 
CPEs are consumer devices, and LIRs need a spec that take practical issues, 
like cost, into consideration.

> Just because RIPE-501 exists does not mean that devices that don't fulfil
> it will suddenly evaporate, right?

Shipping volume wise, IPv6 consumer CPEs are the most to utilize the 
RIPE-501 spec. So why not make such devices a priority when it comes to the 
mandatory requirements ?

> Again, the purpose of such a list is that a device that fulfils it will
> cover most reasonable needs.

IPSEC on a low price consumer device may not be a reasonable need with 
current hardware offerings for CPEs. Making it optional is the best 
approach.

> If we strike every feature off that somebody said "oh well I think I can
> do without that" about, it will become a useless "remotely resembling
> functional" description.
>
> Arguing that practically nobody would want their CPE to do IPSEC because
> everybody does host based IPSEC would be a better approach, but I would
> offer that that's going to be patently untrue if you look at company users
> and not private-person-residential users.

Many company users have a VPN client setup on their PC which should not need 
IPSEC on the CPE to work. We didn't say nobody wants it on their CPE, but 
IPSEC should not be on the mandatory list.

Regards,
-Ahmed

Previous message (by thread): [ipv6-wg] RIPE-501 and IPSEC on CPEs
Next message (by thread): [ipv6-wg] RIPE-501 and IPSEC on CPEs

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ ipv6-wg Archives ]