Here is my voice: remove IPsec mandatory to all devices EXCEPT for router supporting OSPFv3 (ESP-null in transport mode being mandatory) and for firewall (where IKEv3 and IPsecv3 are mandatory) -éric
-----Original Message----- From: ipv6-wg-bounces@ripe.net [mailto:ipv6-wg-bounces@ripe.net] On Behalf Of Jan Zorz Sent: mercredi 28 décembre 2011 10:43 To: ipv6-wg@ripe.net Subject: Re: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
On 12/27/11 11:36 PM, Sander Steffann wrote:
I agree. We are writing a template for tender initiators for enterprises. I think we should state that IPSec is mandatory, because enterprises should have the possibility to set up IPSec site-to-site tunnels as a minimum. I think we should write it in such a way that enterprises require IPSec support when writing a request for tender, unless they consciously decide that they don't need it. So I think we should put IPSec in the 'required' section. If an enterprise knows it will not need it then they can move it to 'optional' themselves. RIPE-501 and its successor are templates to be used and adapted as necessary. We should provide a sane default, and they might (will probably?) need IPSec at some point in time.
Hi,
I somehow agree...
Disclaimer: RIPE community explicitly expressed the "wish" not to write anything radical into RIPE-501 bis/replacement document - I think Joao did that also publicly at Amsterdam meeting, and we received this suggestion a lot on and off-line.
Being said that, we might disregard all "radical" suggestions, such as "remove IPsec completely from the document" unless they are proven non-radical and that community (majority) feels in that way.
So, for that suggestion there is much more support needed from community than we can see it now. Supporters for "remove IPsec requirements completely", make yourself heard, otherwise be quiet for the rest of the time :) (we need to get this document out of the door ASAP, many governments (not joking) are waiting for replacement to take it as basis for their national IPv6 profile ;) )
We received many strong suggestions also off-list to go with the flow and follow IETF way - make it all optional for all devices (maybe with this option we could leave it out for mobile devices). Supporters for this option, make yourself heard, otherwise be quiet for the rest of the time :)
Security and IPv6 advocate mind tells us to leave IPSec (at least v2) mandatory for all sections (not valid for mobile devices) and IPsec v3 optional. This would make sense from many points of view, but I (personally) cannot make up my mind if this is not too harsh prerequisite for this moment. Again, supporters for this option, make yourself heard, otherwise be quiet for the rest of the time :)
Sanders proposal above adds additional section for all devices (minus mobile), so we expand to "Mandatory", "Required" and "Optional". If I may repeat myself, supporters for this option, make yourself heard, otherwise be quiet for the rest of the time :)
So, if WG chairs allow, I would propose a "show of hands" and see, how we can proceed. (anyone who express clear support fo one of the options gets a candy at RIPE64 meeting in Ljubljana :) :) :) )
I am leaving for vacation now, so I'll eave it up to this WG to decide what to do with my input :-) Sander
Sander, have a good time and rest a bit :) V6 work for this year is done :)
Cheers, Jan Zorz