Re: draft-ietf-ips-fcip-slp-07.txt




--On Sunday, July 06, 2003 08:21:14 +0200 Randy Bush <randy@psg.com> wrote:

FCIP in title and many uses but never expanded or defined

---

ragged right, please

---

6.1.  Security Implementation

   For all implementations, IPsec SHOULD be implemented.  When  security
   policy  information distribution using SLPv2 is supported, IPsec MUST
   be implemented.

"implemented?"  i think they need to say "used," and specify for what
and when.

we have traditionally required implementation, on the principle that "anything that runs over IP will end up on the Internet", but not use, on the theory that what people do in the privacy of their own back rooms is none of our business, and they MAY be right that there exist times when they are not needed.

RFC 3365 section 7, Jeff Schiller speaking:

7. MUST is for Implementors

We often say that Security is a MUST implement. It is worth noting
that there is a significant difference between MUST implement and MUST
use.

As mentioned earlier, some protocols may be deployed in secure
enclaves for which security isn't an issue and security protocol
processing may add a significant performance degradation. Therefore
it is completely reasonable for security features to be an option
that the end user of the protocol may choose to disable. Note that
we are using a fuzzy definition of "end user" here. We mean not only
the ultimate end user, but any deployer of a technology, which may be
an entire enterprise.

However security must be a MUST IMPLEMENT so that end users will have
the option of enabling it when the situation calls for it.


---

and are the security ADs happy with all the SHOULDs and not MUSTs?

---

randy