[IPsec] Is IKEv2 mandatory to implement?

Thomas Narten <narten@us.ibm.com> Thu, 29 April 2010 18:54 UTC

Message-Id: <201004291853.o3TIrpe6014408@cichlid.raleigh.ibm.com>
To: ipsec@ietf.org
Date: Thu, 29 Apr 2010 14:53:51 -0400
From: Thomas Narten <narten@us.ibm.com>
Subject: [IPsec] Is IKEv2 mandatory to implement?

I'm looking at revising RFC 4294 (IPv6 Node Requirements), to update
its security section. (e.g., see draft-ietf-6man-node-req-bis-04.txt)

RFC 4294 (based on what I understand and recall the thinking to be at
the time) mandated IPsec (ESP/AH), but only made IKEv2 a SHOULD.

But, it's been pointed out to me that RFC 4301 actually says:

>    10.  Conformance Requirements
> 
>    All IPv4 IPsec implementations MUST comply with all requirements of
>    this document.  All IPv6 implementations MUST comply with all
>    requirements of this document.
And earlier:

>    Because most of the security services provided by IPsec require the
>    use of cryptographic keys, IPsec relies on a separate set of
>    mechanisms for putting these keys in place.  This document requires
>    support for both manual and automated distribution of keys.  It
>    specifies a specific public-key based approach (IKEv2 [Kau05]) for
>    automated key management, but other automated key distribution
>    techniques MAY be used.

This implies IKEv2 is a MUST, but doesn't quite say it. This text is
taken from Section 3, "System Overview", rather than elsewhere, where
it might be considered less normative.

Is there more specific wording in 4301 on this point? Is it viewed as
an absolute MUST requirement to implement IKEv2 in order to claim
compliance with RFC 4301?

Thomas