On Dec 27, 2011, at 7:43 AM, Eric Vyncke (evyncke) wrote:
I think that we should keep IPsec/IKEv2 only for firewall and mention in any place where OSPFv3 is mentioned that the support of AH is required.
Is there an RFC that now states that IPsec AH for OSPFv3 is a 'MUST' or 'SHOULD' and not a 'MAY'? Last I recall, the specifics for how to implement IPsec for OSPFv3 are in RFC4552, which states that ESP is a 'MUST' and AH is a 'MAY'. The arguments for AH and ESP-Null were also on the IPv6 Maintenance WG mailing list in Feb/March 2008 and I don't think the standard changed.
- merike
-----Original Message-----
From: ipv6-wg-bounces@ripe.net [mailto:ipv6-wg-bounces@ripe.net] On Behalf Of Florian Weimer
Sent: Tuesday, 27 December 2011 13:41
To: Jan Zorz @ go6.si
Cc: ipv6-wg@ripe.net
Subject: Re: [ipv6-wg] RIPE-501 replacement document - IPsec question to community - we need your input.
* Jan Zorz:
On 12/27/11 10:15 AM, Florian Weimer wrote:
Most devices use TLS.
I agree with dropping IPsec from the document completely, independent of device type.
So you suggest not mentioning IPsec in any form at all in whole document? Am I reading this correctly?
Yes. Even if we could achieve agreement on a subset of devices where it's supposed to make sense, "IPsec" is really a catchphrase for a set of related protocols, so anyone who actually needs some of it needs to ask for it explicitly anyway.
--
Florian Weimer <fweimer@bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99