Re: Making IPsec *not* mandatory in Node Requirement
Julien Laganier <julien.IETF@laposte.net> Thu, 28 February 2008 09:04 UTC
From: Julien Laganier <julien.IETF@laposte.net>
To: ipv6@ietf.org
Subject: Re: Making IPsec *not* mandatory in Node Requirement
Date: Thu, 28 Feb 2008 10:04:32 +0100
Cc: Thomas Narten <narten@us.ibm.com>

Thomas, all,

On Wednesday 27 February 2008, Thomas Narten wrote:
> Tony,
>
> > For those that have forgotten, the entire reason for mandating
> > IPsec is to get away from the 47 flavors of security that are never
> > really configured correctly or completely understood. Yes for any
> > given situation someone can design an optimized protocol, but as
> > soon as the situation changes the optimization no longer applies,
> > and may expose unexpected holes. This was in fact happening at the
> > time the mandate was put in.
>
> Right. Having one way to do things is far better than having 47.
>
> But if we look at the reality of things, IPsec (and we have to
> include IKE in evaluating this), IPsec just isn't the ideal
> one-size-fits-all technology we'd like it to be.
>
> For example, one big problem is the lack of a proper API for
> applications to communicate with IPsec to select services and verify
> that a certain level of security is present.

Would that be the major showstopper in using IPsec for other things than VPNs, the IETF has chartered the BTNS WG to work on APIs to communicate with IPsec. The WG currently has two documents that need reviews:

http://tools.ietf.org/wg/btns/draft-ietf-btns-abstract-api/
http://tools.ietf.org/wg/btns/draft-ietf-btns-c-api/

> Second, good security says "don't trust anyone but yourself". So, do
> you trust the OS you are running on?

If someone cares about security but doesn't trust the OS he's running on, I think the best thing he can do is to not use the OS in question.

> Do you trust the IPsec embedded in the system that was implemented by
> a third party?

Keeping IPsec mandatory would be one facilitator of the move from IPsec implementation from third party to native IPsec implementation shipped with the OS that has to be trusted.

> Smart applications implement their own security (e.g., TLS) to ease
> deployment.

How many applications really implement their *own* security? Many applications I'm using daily rely on libraries shipped with the OS that has to be trusted, e.g. gnutls and openssl.

> We'll never get them to rely on IPsec, at least not until it's much
> more widely available/useable.

Agree. But I think the availability part can be helped by keeping IPsec mandatory (so that it gets in more and more OS's), while the usability part can be helped by getting the BTNS WG to deliver its APIs (so that applications can finally start using IPsec).

--julien

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------