Hi Fernando..

On Dec 23, 2011, at 2:26 AM, Fernando Gont wrote:
Hi, Jan,
On 12/23/2011 05:45 AM, Jan Zorz @ go6.si wrote:
The change was largely due to limitations found in low power devices and therefore we still feel the community is best served by requiring mandatory IPsec support in all other devices (hosts, routers or layer-3 switches, network security devices, load balancers).
While I have not followed the discussion that led to MUST -> SHOULD in RFC6434 closely, I should say that it is well understood that the previous requirement of "MUST" was mostly "words on paper".
Yes....there were many IPv6 capable devices without IPsec for many years. One of the comments made in the thread of Feb 2008 was that MUST or SHOULD wouldn't make much difference in getting implementations to appear. http://www.ietf.org/mail-archive/web/ipv6/current/msg09230.html
Question: Does "requiring IPsec support in all other devices" mean "complying with RFC 4301"? If that's the case, you're also requiring those devices to support IKEv2.
The intent right now is to add the following specifications for IPsec support:

• IPsec-v3 [RFC4301, RFC4303, RFC4302]
• IKE version 2 (IKEv2) [RFC5996 (obsoletes RFC 4306), RFC4718]
• ISAKMP [RFC2407, RFC2408, RFC2409]

I have been seeing more shipping IKEv2 implementations in the past few years and do believe most newer devices follow IPsec-v3 specs. Again, this is something authors would like to hear input on to make sure this is the right thing to specify across all devices, regardless of whether IPsec will be mandatory or optional.
If that's intentional, I think you should make it explicit...
Agreed
Thanks, and Merry Christmas!
Happy Holidays..... - merike
Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492