ESP-NULL.....which means that you do use an integrity crypto algorithm such as SHA-1, SHA256, MD5, etc.

The Node Requirements bis doc is reaching finalization in the IETF and has changed IPsec from a MUST to a SHOULD:

"Security Architecture for the Internet Protocol" [RFC4301] SHOULD be supported by all IPv6 nodes. Note that the IPsec Architecture requires (e.g., Sec. 4.5 of RFC 4301) the implementation of both manual and automatic key management. Currently the default automated key management protocol to implement is IKEv2. As required in [RFC4301], IPv6 nodes implementing the IPsec Architecture MUST implement ESP [RFC4303] and MAY implement AH [RFC4302]."

It may make sense to change IPsec to 'optional' (I can't believe I am saying this :)).

- merike

On Jul 20, 2011, at 9:40 AM, Ivan Pepelnjak wrote:
Don't forget that although IPsec is part of IPv6 functionality, supporting null encapsulation (whatever it's properly called ;) and no authentication or encryption protocol also makes you compliant.
We might make it optional ;) Ivan
-----Original Message-----
From: ipv6-wg-admin@ripe.net [mailto:ipv6-wg-admin@ripe.net] On Behalf Of Jan Zorz @ go6.si
Sent: Wednesday, July 20, 2011 6:36 PM
To: ipv6-wg@ripe.net
Subject: Re: [ipv6-wg] RIPE-501 and IPSEC on CPEs
On 7/20/11 2:42 PM, Ahmed Abu-Abed wrote:
Hello All,
Reading RIPE-501 spec for basic CPEs, I see that IPSEC & IKE are mandatory under "host" equipment. Is this a necessity? Many IPv4 CPEs do not support IPSEC to keep the costs down.
Regards,
-Ahmed
Yes, host must support this. CPE not necessarily, that's why it's under optional requirements.
Cheers, Jan