This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ipv6-wg@ripe.net/
[ipv6-wg] RIPE-501 and IPSEC on CPEs
- Previous message (by thread): [ipv6-wg] RIPE-501 and IPSEC on CPEs
- Next message (by thread): [ipv6-wg] RIPE-501 and IPSEC on CPEs
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Ahmed Abu-Abed
ahmed at tamkien.com
Sat Jul 23 10:46:44 CEST 2011
Hello, On July 23rd S.P.Zeidler wrote: > Hi, > > Thus wrote Ahmed Abu-Abed (ahmed at tamkien.com): > >> I believe implementing line rate IPSEC on a CPE requires silicon >> that accelerates the crypto algorithms, and this may be a good > > Depends on your line rate. Up to 10Mbps, with i386 family CPUs of 400Mhz > or better, the CPU on its own will do fine. 100Mbps (or even 1Gbps) is also needed with GPON and ADSL2+ CPE offerings. And CPE vendors stay away from x86 processors due to heat dissipation issues. >> So making IPSEC optional is more practical to LIRs needing low cost >> CPE solutions. > > Another option would be for LIRs looking for ultra low cost routers to > take some that don't make the requirements list. Or take CPEs that flag > themselves as "fulfilling RIPE-501 except IPSEC". One of the main objectives of RIPE-501 is specifying IPv6 CPE requirements. CPEs are consumer devices, and LIRs need a spec that take practical issues, like cost, into consideration. > Just because RIPE-501 exists does not mean that devices that don't fulfil > it will suddenly evaporate, right? Shipping volume wise, IPv6 consumer CPEs are the most to utilize the RIPE-501 spec. So why not make such devices a priority when it comes to the mandatory requirements ? > Again, the purpose of such a list is that a device that fulfils it will > cover most reasonable needs. IPSEC on a low price consumer device may not be a reasonable need with current hardware offerings for CPEs. Making it optional is the best approach. > If we strike every feature off that somebody said "oh well I think I can > do without that" about, it will become a useless "remotely resembling > functional" description. > > Arguing that practically nobody would want their CPE to do IPSEC because > everybody does host based IPSEC would be a better approach, but I would > offer that that's going to be patently untrue if you look at company users > and not private-person-residential users. Many company users have a VPN client setup on their PC which should not need IPSEC on the CPE to work. We didn't say nobody wants it on their CPE, but IPSEC should not be on the mandatory list. Regards, -Ahmed
- Previous message (by thread): [ipv6-wg] RIPE-501 and IPSEC on CPEs
- Next message (by thread): [ipv6-wg] RIPE-501 and IPSEC on CPEs
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ ipv6-wg Archives ]