Re: [PATCH 2/3] OvmfPkg: correct the set of modules included for the IPv6 stack

[Laszlo Ersek <lersek@redhat.com>]

On 01/19/17 04:09, Wu, Jiaxin wrote:
>>>> Laszlo,
>>>>
>>>> I also agree with (a).
>>>>
>>>> For IpSec, we can do the below update later:
>>>>
>>>> 1), Include it under NETWORK_IP6_ENABLE directly but with the limit usage
>> for IPv4.
>>>>
>>>> Or
>>>>
>>>> 2), Define new flag "IPSEC_ENABLE" for both of them.
>>>>
>>>> I prefer 2).
>>>
>>> Hmmm, I'm not so sure. Personally I've never used either IpSec or IPv6.
>>>
>>> If I understand correctly:
>>>
>>> - IPSEC_ENABLE=TRUE && NETWORK_IP6_ENABLE=FALSE would mean
>>>   IPv4 only + IpSec. While this may be a theoretically useful
>>>   combination, I wonder how often people would actually want this.
>>>
>>> - IPSEC_ENABLE=TRUE && NETWORK_IP6_ENABLE=TRUE -- this is a valid
>>>   combination, especially for a full-fledged build of OVMF
>>>
>>> - IPSEC_ENABLE=FALSE && NETWORK_IP6_ENABLE=TRUE -- as far as I
>>>   understand, this is actually an invalid (incomplete) build for the
>>>   IPv6 stack.
>>>
>>> - IPSEC_ENABLE=FALSE && NETWORK_IP6_ENABLE=FALSE -- the most
>> common
>>>   build, gives you just IPv4
>>>
>>> Based on the above, I think I prefer (1); that is, I believe we
>>> shouldn't introduce IPSEC_ENABLE. For IPv6, IpSec is apparently
>>> mandatory, so turning it off makes no sense. And in an IPv4-only build
>>> of OVMF, I see quite limited usefulness for IpSec; turning it on with a
>>> dedicated flag looks overkill, at least for a virtual machine firmware.
>>>
>>> Jordan, Gary, what do you think?
>>
>> IpSec is optional for me. The Ip6 driver detects the protocol dynamically,
>> so we don't really need IpSec for IPv6. (PXEv6 and HTTPBoot v6 works for
>> me with the current settings.) Besides, it seems we didn't provide a proper
>> user interface (e.g. config UI or a shell command) to setup IpSec. The user
>> probably has to find a tool, e.g. NetworkPkg/Application/IpsecConfig, to
>> config it properly. So I feel it's not mandatory and would prefer 2).
> 
> I did quick investigation for the IpSec deployment requirement for IPv4 and IPv6.
> 
> Now, the goal of the IpSec is to provide the security service for both the IPv4 and IPv6 environments. 
> 
> Previously, IPsec implementation was mandatory requirement for IPv6.  But in RFC 6434 (IPv6 Node Requirements),  the document updates that recommendation by making support of the IPsec Architecture a *SHOULD* for all IPv6 nodes. That means it has been made optional for IPv6 since RFC 6434. Detailed see RFC 6434 section 11:
> 
> "
>    Previously, IPv6 mandated implementation of IPsec and recommended the
>    key management approach of IKE.  This document updates that
>    recommendation by making support of the IPsec Architecture [RFC4301]
>    a SHOULD for all IPv6 nodes.
> "
> 
> "
>    This document recognizes that there exists a range of device types
>    and environments where approaches to security other than IPsec can be
>    justified.  For example, special-purpose devices may support only a
>    very limited number or type of applications, and an application-
>    specific security approach may be sufficient for limited management
>    or configuration capabilities.  Alternatively, some devices may run
>    on extremely constrained hardware (e.g., sensors) where the full
>    IPsec Architecture is not justified.
> "
> 
> So, according above information, IPSEC_ENABLE should be fine to
> include the feature or just keep the current until it truly
> required:).

Thanks a lot for tracking this down!

Given that we're apparently unaware of any actual need for IpSec in
OVMF, I suggest that we postpone it. And, when the need arises, we
should do -D IPSEC_ENABLE (affecting both IPv4 and IPv6); I understand
now that that will be the right thing to do.

Cheers!
Laszlo