Fernando Gont wrote:

> IPsec is a
> "SHOULD" (rather than a "MUST") in the latest node-reqs-bis document

Too late, too little.

> [....]
>> For the end to end security, only the end systems requiring the
>> security are required to deploy mechanisms for the security,
>> which means it is not necessary to mandate all the end systems
>> deploy some security protocol.
>
> Sorry, I couldn't parse this paragraph. Could you clarify this one?

In general, applications determine which security mechanism
to use.

Configurable boxes can install IPsec when applications requiring
IPsec are installed.

Unconfigurable boxes with fixed applications may or may not
have IPsec depending on preinstalled applications.

So, IPsec, or any other security mechanism, should be purely
optional.

Note that security mechanisms, anyway, need configuration of
passwords etc.

BTW, IPsec was mandated in IPv6 with the discussion that ICMPv6,
regarded as an application, could be secured by IPsec, which,
of course, is untrue. People tend to think PKI works magically.

Masataka Ohta

PS

Port restricted IPv4, including end to end NAT, is transparent
to IPsec, as long as SPI can be regarded as port numbers.