Re: [PATCH 2/3] OvmfPkg: correct the set of modules included for the IPv6 stack

["Wu, Jiaxin" <jiaxin.wu@intel.com>]

> > > Laszlo,
> > >
> > > I also agree with (a).
> > >
> > > For IpSec, we can do the below update later:
> > >
> > > 1), Include it under NETWORK_IP6_ENABLE directly but with the limit usage
> for IPv4.
> > >
> > > Or
> > >
> > > 2), Define new flag "IPSEC_ENABLE" for both of them.
> > >
> > > I prefer 2).
> >
> > Hmmm, I'm not so sure. Personally I've never used either IpSec or IPv6.
> >
> > If I understand correctly:
> >
> > - IPSEC_ENABLE=TRUE && NETWORK_IP6_ENABLE=FALSE would mean
> >   IPv4 only + IpSec. While this may be a theoretically useful
> >   combination, I wonder how often people would actually want this.
> >
> > - IPSEC_ENABLE=TRUE && NETWORK_IP6_ENABLE=TRUE -- this is a valid
> >   combination, especially for a full-fledged build of OVMF
> >
> > - IPSEC_ENABLE=FALSE && NETWORK_IP6_ENABLE=TRUE -- as far as I
> >   understand, this is actually an invalid (incomplete) build for the
> >   IPv6 stack.
> >
> > - IPSEC_ENABLE=FALSE && NETWORK_IP6_ENABLE=FALSE -- the most
> common
> >   build, gives you just IPv4
> >
> > Based on the above, I think I prefer (1); that is, I believe we
> > shouldn't introduce IPSEC_ENABLE. For IPv6, IpSec is apparently
> > mandatory, so turning it off makes no sense. And in an IPv4-only build
> > of OVMF, I see quite limited usefulness for IpSec; turning it on with a
> > dedicated flag looks overkill, at least for a virtual machine firmware.
> >
> > Jordan, Gary, what do you think?
> 
> IpSec is optional for me. The Ip6 driver detects the protocol dynamically,
> so we don't really need IpSec for IPv6. (PXEv6 and HTTPBoot v6 works for
> me with the current settings.) Besides, it seems we didn't provide a proper
> user interface (e.g. config UI or a shell command) to setup IpSec. The user
> probably has to find a tool, e.g. NetworkPkg/Application/IpsecConfig, to
> config it properly. So I feel it's not mandatory and would prefer 2).

I did quick investigation for the IpSec deployment requirement for IPv4 and IPv6.

Now, the goal of the IpSec is to provide the security service for both the IPv4 and IPv6 environments. 

Previously, IPsec implementation was mandatory requirement for IPv6.  But in RFC 6434 (IPv6 Node Requirements),  the document updates that recommendation by making support of the IPsec Architecture a *SHOULD* for all IPv6 nodes. That means it has been made optional for IPv6 since RFC 6434. Detailed see RFC 6434 section 11:

"
   Previously, IPv6 mandated implementation of IPsec and recommended the
   key management approach of IKE.  This document updates that
   recommendation by making support of the IPsec Architecture [RFC4301]
   a SHOULD for all IPv6 nodes.
"

"
   This document recognizes that there exists a range of device types
   and environments where approaches to security other than IPsec can be
   justified.  For example, special-purpose devices may support only a
   very limited number or type of applications, and an application-
   specific security approach may be sufficient for limited management
   or configuration capabilities.  Alternatively, some devices may run
   on extremely constrained hardware (e.g., sensors) where the full
   IPsec Architecture is not justified.
"

So, according above information, IPSEC_ENABLE should be fine to include the feature or just keep the current until it truly required:).

Thanks,
Jiaxin




> 
> Thanks,
> 
> Gary Lin
> 
> >
> > Thanks!
> > Laszlo
> >
> > >
> > > Thanks,
> > > Jiaxin
> > >