Hello... On Jan 2, 2012, at 11:23 PM, Eric Vyncke (evyncke) wrote:
Merike,
5 or 6 voices is indeed too small a sampling to be taken into account (even if I was one of those voices). No argument.
But, I am a little less comfortable with your sentence about 'operators who are using IPsec' because my understanding was that RIPE-501bis is for 'tender initiators' which are more likely to be enterprises, public sector organizations rather than operators.
Bad choice of words on my part. We would just like more input if possible to make sure we reflect the community consensus.
Else, thanks for the job on RIPE-501: very much needed but do not shoot for the stars
:) Yes, it does have to be based on reality. - merike
-éric
-----Original Message----- From: Merike Kaeo [mailto:merike@doubleshotsecurity.com] Sent: mardi 3 janvier 2012 01:48 To: Eric Vyncke (evyncke) Cc: Jan Zorz; ipv6-wg@ripe.net Subject: Re: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
Bottom posting will probably make this reply confusing so for now I'll just say that I tend to agree with my co-authors but we would like to hear more input from the RIPE community, especially the operators who are using IPsec in their IPv6 deployments (or plan to). Six or seven voices seems like a small sampling.
Our hope is to get the final document done and back to last call in the next few weeks so replies by the end of this week would be very much appreciated.
- merike
On Jan 2, 2012, at 6:08 AM, Eric Vyncke (evyncke) wrote:
Here is my voice: remove IPsec mandatory to all devices EXCEPT for router supporting OSPFv3 (ESP-null in transport mode being mandatory) and for firewall (where IKEv3 and IPsecv3 are mandatory)
-éric
-----Original Message----- From: ipv6-wg-bounces@ripe.net [mailto:ipv6-wg-bounces@ripe.net] On Behalf Of Jan Zorz Sent: mercredi 28 décembre 2011 10:43 To: ipv6-wg@ripe.net Subject: Re: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
On 12/27/11 11:36 PM, Sander Steffann wrote:
I agree. We are writing a template for tender initiators for enterprises. I think we should state that IPSec is mandatory, because enterprises should have the possibility to set up IPSec site-to-site tunnels as a minimum. I think we should write it in such a way that enterprises require IPSec support when writing a request for tender, unless they consciously decide that they don't need it. So I think we should put IPSec in the 'required' section. If an enterprise knows it will not need it then they can move it to 'optional' themselves. RIPE-501 and its successor are templates to be used and adapted as necessary. We should provide a sane default, and they might (will probably?) need IPSec at some point in time.
Hi,
I somehow agree...
Disclaimer: RIPE community explicitly expressed the "wish" not to write anything radical into RIPE-501 bis/replacement document - I think Joao did that also publicly at Amsterdam meeting, and we received this suggestion a lot on and off-line.
That being said, we might disregard all "radical" suggestions, such as "remove IPsec completely from the document" unless they are proven non-radical and the community (majority) feels that way.
So, for that suggestion there is much more support needed from community than we can see it now. Supporters for "remove IPsec requirements completely", make yourself heard, otherwise be quiet for the rest of the time :) (we need to get this document out of the door ASAP, many governments (not joking) are waiting for replacement to take it as basis for their national IPv6 profile ;) )
We received many strong suggestions also off-list to go with the flow and follow IETF way - make it all optional for all devices (maybe with this option we could leave it out for mobile devices). Supporters for this option, make yourself heard, otherwise be quiet for the rest of the time :)
Security and IPv6 advocate mind tells us to leave IPSec (at least v2) mandatory for all sections (not valid for mobile devices) and IPsec v3 optional. This would make sense from many points of view, but I (personally) cannot make up my mind if this is not too harsh prerequisite for this moment. Again, supporters for this option, make yourself heard, otherwise be quiet for the rest of the time :)
Sander's proposal above adds an additional section for all devices (minus mobile), so we expand to "Mandatory", "Required" and "Optional". If I may repeat myself, supporters for this option, make yourself heard, otherwise be quiet for the rest of the time :)
So, if WG chairs allow, I would propose a "show of hands" and see how we can proceed. (anyone who expresses clear support for one of the options gets a candy at RIPE64 meeting in Ljubljana :) :) :) )
I am leaving for vacation now, so I'll leave it up to this WG to decide what to do with my input :-) Sander
Sander, have a good time and rest a bit :) V6 work for this year is done :)
Cheers, Jan Zorz