I'm surprised to see security is optional and an assertion that RFCs published in 2009 cover everything. Threats have evolved since then. In looking at RFC 5415, Section 12.1, I see:

    Within CAPWAP, DTLS is used to secure the link between the WTP and AC. In addition to securing control messages, it's also a link in this chain of trust for establishing link layer keys. Consequently, much rests on the security of DTLS.

    In some CAPWAP deployment scenarios, there are two channels between the WTP and AC: the control channel, carrying CAPWAP Control messages, and the data channel, over which client data packets are tunneled between the AC and WTP. Typically, the control channel is secured by DTLS, while the data channel is not. The use of parallel protected and unprotected channels deserves special consideration, but does not create a threat. There are two potential concerns: attempting to convert protected data into unprotected data and attempting to convert unprotected data into protected data. These concerns are addressed below.

Wouldn't interception and tampering of that traffic pose a threat? How about gaining access to the control channel?

[duzongpeng] In the Security Considerations section of RFC 5415, the threats have been analyzed, including interception and tampering. The control channel is mandatory for encryption. In CAPWAP, a mature security mechanism (DTLS) has been used to protect the control channel. [/duzongpeng]

While I don't think this is the right draft to make changes for RFC 5415, I don't think it's adequate to say the control channel is optional for encryption. I could see how the data might be handled elsewhere. The description discusses this as talking to hundreds of thousands of access points; isn't that access a threat?

[duzongpeng] In RFC 5415, it is said that CAPWAP Control messages, and optionally CAPWAP Data messages, are secured using Datagram Transport Layer Security (DTLS) [RFC4347]. So IMO, the control channel is mandatory for encryption. [/duzongpeng]

This draft allows for additional encapsulation methods; we could require encryption for these new encapsulation methods.

[duzongpeng] In the deployment, for security consideration, we can deploy IPsec between WTP and AR to protect the data channel. [/duzongpeng]

This should probably be a DISCUSS, so I would appreciate some discussion on this to see if we have an option here or if something will change in the referenced RFCs soon.

[duzongpeng] Agree. [/duzongpeng]