Jan, Let's be realistic (and the best quality of RIPE-501++ is to be realistic and 'down to the ground'): very few IPv6-nodes do IPsec... So, let's remove this requirement and make it optional (RFC 6434 clearly shows the path). Going in holiday mode: do you use SSH or telnet+IPsec ? :-) In all friendship, Season's Greetings for all -éric
-----Original Message----- From: ipv6-wg-bounces@ripe.net [mailto:ipv6-wg-bounces@ripe.net] On Behalf Of Jan Zorz @ go6.si Sent: vendredi 23 décembre 2011 09:45 To: ipv6-wg@ripe.net Subject: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
Dear IPv6 community.
(copy/paste from our internal discussion)
The authors of RIPE-501 are finalizing the last comments from previous last call and would like community input for what to do with IPsec. All authors feel that IPsec should be a mandatory requirement for all devices although due to technical limitations, for mobile devices it will be optional. We are aware that RFC6434 made IPsec support a SHOULD rather than a MUST.
From RFC 2119: SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.
The change was largely due to limitations found in low power devices and therefore we still feel the community is best served by requiring mandatory IPsec support in all other devices (hosts, routers or layer-3 switches, network security devices, load balancers)
If we get this input from you this year, there is a great chance that we could put out the new/final draft out for discussion and/or maybe last-last-call before new year.
For RIPE-501 authors group, Jan
P.S: wishing happy new year, merry xmass, happiness, IPv6 and all that stuff in at least next year :)