[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: IPv6 Security Last Call Initial Questions
Ran may also respond but this is a co-AD response
1. Is draft-ietf-ipsec-arch-00.txt going to be an Informational RFC
>> this sounds like a thing to think about - it does make sense to me
2. DES-CBC Encryption. Could I get the formal answer to this question
from you for the record? This question could also be asked of the IESG
at that Last Call effort too [if necessary].
An IPv6 implementation is required (MUST) to implement DES-CBC. Yet
in my country (U.S.A.) being conformant means that vendors MUST build a
product that cannot be exported to the International market.
Changing it to SHOULD would eliminate this objection to the draft.
Why cannot we use the word SHOULD?
>> This issue was dicussed within the IPng directorate, the IESG and the
>> IAB and the (non-unanimous) consensus was that it should be a requirement
>> that all complient IPv6 implementatons must support encryption and a
>> specific encryption protocol. The IESG in approving the IPng
>> recommendation (RFC 1752) as a Proposed Standard endorced that
5. In 4. Key Management section.
'Support for key management methods where the key management data is
carried within the IP layer is not a design objective for these
IP-layer security mechanisms.'
If this means it will not work then I think a standard should say
that, or else say nothing. Saying this means nothing to me as an
implementor. I cannot test for this case, so why is it an
This last point is critical. Statements in standards for which I
cannot implement as a test case is suspect as to the words being useful
for an implementor.
>> The reason to have any mention of this type is to ensure that some
>> implementer not assume that the specific requirements of that type
>> of key management will be fully met by this proposal. The requirements
>> may or may not be met but the specific work has not been done to be
>> sure which.
7. The specs reference two new IDs (or work in progress) for MD5 and
These are new. Are these the specifications you are stating to
implement MD5 and DES-CBC? Because you have stated MUST, if these
specs cannot be made proposed in the same time frame as your
standard, it will hold up the IPv6 Security work from going to
proposed standard. By saying SHOULD or they are an option, you free
your work from those work items reaching proposed standard IMHO.
>> these two IDs were posted today and should be ready for advancement
>> at the same time as Ran's documents.