[ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.

Merike,

5 or 6 voices is indeed a too small sampling to be taken into account (even if I was one of those voices). No argument.

But, I am a little less comfortable with your sentence about 'operators who are using IPsec' because my understanding was that RIPE-501bis is for 'tender initiators' which are more likely to be enterprises, public sector organizations rather than operators.

Else, thanks for the job on RIPE-501: very much needed but do not shoot for the stars

-éric

> -----Original Message-----
> From: Merike Kaeo [mailto:merike at doubleshotsecurity.com]
> Sent: mardi 3 janvier 2012 01:48
> To: Eric Vyncke (evyncke)
> Cc: Jan Zorz; ipv6-wg at ripe.net
> Subject: Re: [ipv6-wg] RIPE-501 replacement document - IPsec question to
> community - we need your input.
> 
> Bottom posting will probably make this reply confusing so for now I'll just
> say that I tend to agree with my co-authors but we would like to hear more
> input from the RIPE community, especially the operators who are using IPsec
> in their IPv6 deployments (or plan to).  six or seven voices seems like a
> small sampling.
> 
> Our hope is the get the final document done and back to last call in next
> few weeks so replies by the end of this week would be very much appreciated.
> 
> - merike
> 
> On Jan 2, 2012, at 6:08 AM, Eric Vyncke (evyncke) wrote:
> 
> > Here is my voice: remove IPsec mandatory to all devices EXCEPT for router
> supporting OSPFv3 (ESP-null in transport mode being mandatory) and for
> firewall (where IKEv3 and IPsecv3 are mandatory)
> >
> > -éric
> >
> >> -----Original Message-----
> >> From: ipv6-wg-bounces at ripe.net [mailto:ipv6-wg-bounces at ripe.net] On
> Behalf
> >> Of Jan Zorz
> >> Sent: mercredi 28 décembre 2011 10:43
> >> To: ipv6-wg at ripe.net
> >> Subject: Re: [ipv6-wg] RIPE-501 replacement document - IPsec question to
> >> community - we need your input.
> >>
> >> On 12/27/11 11:36 PM, Sander Steffann wrote:
> >>> I agree. We are writing a template for tender initiators for
> >>> enterprises. I think we should state that IPSec is mandatory, because
> >>> enterprises should have the possibility to set up IPSec site-to-site
> >>> tunnels as a minimum. I think we should write it in such a way that
> >>> enterprises  require IPSec support when writing a request for tender,
> >>> unless they consciously decide that they don't need it. So I think we
> >>> should put IPSec in the 'required' section. If an enterprise knows it
> >>> will not need it then they can move it to 'optional' themselves.
> >>> RIPE-501 and its successor are templates to be used and adapted as
> >>> necessary. We should provide a sane default, and they might (will
> >>> probably?) need IPSec at some point in time.
> >>
> >> Hi,
> >>
> >> I somehow agree...
> >>
> >> Disclaimer: RIPE community explicitly expressed the "wish" not to write
> >> anything radical into RIPE-501 bis/replacement document - I think Joao
> >> did that also publicly at Amsterdam meeting, and we received this
> >> suggestion a lot on and off-line.
> >>
> >> Being said that, we might disregard all "radical" suggestions, such as
> >> "remove IPsec completely from the document" unless they are proven
> >> non-radical and that community (majority) feels in that way.
> >>
> >> So, for that suggestion there is much more support needed from community
> >> than we can see it now. Supporters for "remove IPsec requirements
> >> completely", make yourself heard, otherwise be quiet for the rest of the
> >> time :) (we need to get this document out of the door ASAP, many
> >> governments (not joking) are waiting for replacement to take it as basis
> >> for their national IPv6 profile ;) )
> >>
> >> We received many strong suggestions also off-list to go with the flow
> >> and follow IETF way - make it all optional for all devices (maybe with
> >> this option we could leave it out for mobile devices). Supporters for
> >> this option, make yourself heard, otherwise be quiet for the rest of the
> >> time :)
> >>
> >> Security and IPv6 advocate mind tells us to leave IPSec (at least v2)
> >> mandatory for all sections (not valid for mobile devices) and IPsec v3
> >> optional. This would make sense from many points of view, but I
> >> (personally) cannot make up my mind if this is not too harsh
> >> prerequisite for this moment. Again, supporters for this option, make
> >> yourself heard, otherwise be quiet for the rest of the time :)
> >>
> >> Sanders proposal above adds additional section for all devices (minus
> >> mobile), so we expand to "Mandatory", "Required" and "Optional". If I
> >> may repeat myself, supporters for this option, make yourself heard,
> >> otherwise be quiet for the rest of the time :)
> >>
> >> So, if WG chairs allow, I would propose a "show of hands" and see, how
> >> we can proceed. (anyone who express clear support fo one of the options
> >> gets a candy at RIPE64 meeting in Ljubljana :) :) :) )
> >>
> >>>
> >>> I am leaving for vacation now, so I'll eave it up to this WG to
> >>> decide what to do with my input :-) Sander
> >>
> >> Sander, have a good time and rest a bit :) V6 work for this year is done
> :)
> >>
> >> Cheers, Jan Zorz
> >>
> >
> >
> >