public inbox for devel@edk2.groups.io
 help / color / mirror / Atom feed
From: "Wu, Jiaxin" <jiaxin.wu@intel.com>
To: Gary Lin <glin@suse.com>, Laszlo Ersek <lersek@redhat.com>
Cc: "edk2-devel@ml01.01.org" <edk2-devel@ml01.01.org>,
	"Justen, Jordan L" <jordan.l.justen@intel.com>,
	"Long, Qin" <qin.long@intel.com>
Subject: Re: [PATCH 2/3] OvmfPkg: correct the set of modules included for the IPv6 stack
Date: Thu, 19 Jan 2017 03:09:42 +0000	[thread overview]
Message-ID: <895558F6EA4E3B41AC93A00D163B727416294E59@SHSMSX103.ccr.corp.intel.com> (raw)
In-Reply-To: <20170118092140.2kjvl5w5327e4pst@GaryWorkstation>

> > > Laszlo,
> > >
> > > I also agree with (a).
> > >
> > > For IpSec, we can do the below update later:
> > >
> > > 1), Include it under NETWORK_IP6_ENABLE directly but with the limit usage
> for IPv4.
> > >
> > > Or
> > >
> > > 2), Define new flag "IPSEC_ENABLE" for both of them.
> > >
> > > I prefer 2).
> >
> > Hmmm, I'm not so sure. Personally I've never used either IpSec or IPv6.
> >
> > If I understand correctly:
> >
> > - IPSEC_ENABLE=TRUE && NETWORK_IP6_ENABLE=FALSE would mean
> >   IPv4 only + IpSec. While this may be a theoretically useful
> >   combination, I wonder how often people would actually want this.
> >
> > - IPSEC_ENABLE=TRUE && NETWORK_IP6_ENABLE=TRUE -- this is a valid
> >   combination, especially for a full-fledged build of OVMF
> >
> > - IPSEC_ENABLE=FALSE && NETWORK_IP6_ENABLE=TRUE -- as far as I
> >   understand, this is actually an invalid (incomplete) build for the
> >   IPv6 stack.
> >
> > - IPSEC_ENABLE=FALSE && NETWORK_IP6_ENABLE=FALSE -- the most
> common
> >   build, gives you just IPv4
> >
> > Based on the above, I think I prefer (1); that is, I believe we
> > shouldn't introduce IPSEC_ENABLE. For IPv6, IpSec is apparently
> > mandatory, so turning it off makes no sense. And in an IPv4-only build
> > of OVMF, I see quite limited usefulness for IpSec; turning it on with a
> > dedicated flag looks overkill, at least for a virtual machine firmware.
> >
> > Jordan, Gary, what do you think?
> 
> IpSec is optional for me. The Ip6 driver detects the protocol dynamically,
> so we don't really need IpSec for IPv6. (PXEv6 and HTTPBoot v6 works for
> me with the current settings.) Besides, it seems we didn't provide a proper
> user interface (e.g. config UI or a shell command) to setup IpSec. The user
> probably has to find a tool, e.g. NetworkPkg/Application/IpsecConfig, to
> config it properly. So I feel it's not mandatory and would prefer 2).

I did quick investigation for the IpSec deployment requirement for IPv4 and IPv6.

Now, the goal of the IpSec is to provide the security service for both the IPv4 and IPv6 environments. 

Previously, IPsec implementation was mandatory requirement for IPv6.  But in RFC 6434 (IPv6 Node Requirements),  the document updates that recommendation by making support of the IPsec Architecture a *SHOULD* for all IPv6 nodes. That means it has been made optional for IPv6 since RFC 6434. Detailed see RFC 6434 section 11:

"
   Previously, IPv6 mandated implementation of IPsec and recommended the
   key management approach of IKE.  This document updates that
   recommendation by making support of the IPsec Architecture [RFC4301]
   a SHOULD for all IPv6 nodes.
"

"
   This document recognizes that there exists a range of device types
   and environments where approaches to security other than IPsec can be
   justified.  For example, special-purpose devices may support only a
   very limited number or type of applications, and an application-
   specific security approach may be sufficient for limited management
   or configuration capabilities.  Alternatively, some devices may run
   on extremely constrained hardware (e.g., sensors) where the full
   IPsec Architecture is not justified.
"

So, according above information, IPSEC_ENABLE should be fine to include the feature or just keep the current until it truly required:).

Thanks,
Jiaxin




> 
> Thanks,
> 
> Gary Lin
> 
> >
> > Thanks!
> > Laszlo
> >
> > >
> > > Thanks,
> > > Jiaxin
> > >


  reply	other threads:[~2017-01-19  3:09 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-01-17  4:52 [PATCH 0/3] Enable HTTPS Boot in OVMF Gary Lin
2017-01-17  4:52 ` [PATCH 1/3] OvmfPkg: always resolve OpenSslLib, IntrinsicLib and BaseCryptLib Gary Lin
2017-01-17  8:03   ` Wu, Jiaxin
2017-01-17  9:13   ` Laszlo Ersek
2017-01-17  4:52 ` [PATCH 2/3] OvmfPkg: correct the set of modules included for the IPv6 stack Gary Lin
2017-01-17  8:04   ` Wu, Jiaxin
2017-01-17  9:22   ` Laszlo Ersek
2017-01-18  0:47     ` Wu, Jiaxin
2017-01-18  8:17       ` Laszlo Ersek
2017-01-18  9:21         ` Gary Lin
2017-01-19  3:09           ` Wu, Jiaxin [this message]
2017-01-19  8:36             ` Laszlo Ersek
2017-01-17  4:52 ` [PATCH 3/3] OvmfPkg: pull in TLS modules with -D TLS_ENABLE (also enabling HTTPS) Gary Lin
2017-01-17  8:04   ` Wu, Jiaxin
2017-01-17  9:24   ` Laszlo Ersek
2017-01-17  8:13 ` [PATCH 0/3] Enable HTTPS Boot in OVMF Long, Qin
2017-01-17  8:25 ` Jordan Justen
2017-01-17 20:13   ` Laszlo Ersek
2017-01-18  1:59     ` Gary Lin
2017-01-17  9:49 ` Laszlo Ersek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-list from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=895558F6EA4E3B41AC93A00D163B727416294E59@SHSMSX103.ccr.corp.intel.com \
    --to=devel@edk2.groups.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox