Hello,

On July 23rd S.P.Zeidler wrote:
Hi,
Thus wrote Ahmed Abu-Abed (ahmed@tamkien.com):
I believe implementing line rate IPSEC on a CPE requires silicon that accelerates the crypto algorithms, and this may be a good
Depends on your line rate. Up to 10Mbps, with i386 family CPUs of 400MHz or better, the CPU on its own will do fine.
100Mbps (or even 1Gbps) is also needed with GPON and ADSL2+ CPE offerings. And CPE vendors stay away from x86 processors due to heat dissipation issues.
So making IPSEC optional is more practical to LIRs needing low cost CPE solutions.
Another option would be for LIRs looking for ultra low cost routers to take some that don't make the requirements list. Or take CPEs that flag themselves as "fulfilling RIPE-501 except IPSEC".
One of the main objectives of RIPE-501 is specifying IPv6 CPE requirements. CPEs are consumer devices, and LIRs need a spec that takes practical issues, like cost, into consideration.
Just because RIPE-501 exists does not mean that devices that don't fulfil it will suddenly evaporate, right?
Shipping volume wise, IPv6 consumer CPEs are the most to utilize the RIPE-501 spec. So why not make such devices a priority when it comes to the mandatory requirements?
Again, the purpose of such a list is that a device that fulfils it will cover most reasonable needs.
IPSEC on a low price consumer device may not be a reasonable need with current hardware offerings for CPEs. Making it optional is the best approach.
If we strike every feature off that somebody said "oh well I think I can do without that" about, it will become a useless "remotely resembling functional" description.
Arguing that practically nobody would want their CPE to do IPSEC because everybody does host based IPSEC would be a better approach, but I would offer that that's going to be patently untrue if you look at company users and not private-person-residential users.
Many company users have a VPN client setup on their PC which should not need IPSEC on the CPE to work. We didn't say nobody wants it on their CPE, but IPSEC should not be on the mandatory list.

Regards,
-Ahmed