[76830] in North American Network Operators' Group
Re: IPv6, IPSEC and deep packet inspection
daemon@ATHENA.MIT.EDU (Merike Kaeo)
Fri Dec 31 13:48:20 2004
In-Reply-To: <Pine.WNT.4.61.0412311728250.3028@snarf>
Cc: nanog@merit.edu
From: Merike Kaeo <kaeo@merike.com>
Date: Fri, 31 Dec 2004 10:46:56 -0800
To: Sam Stickland <sam_ml@spacething.org>
Errors-To: owner-nanog-outgoing@merit.edu
IPv6 and IPsec will (should) change how people incorporate security
controls into their networks. It largely depends on who you trust and
also what corporate policies are in place.
No issue when just using authentication IPsec services. When you start
encrypting for confidentiality then:
a) you may end up trusting your endpoints more and perform sanity
checks other than 'deep inspection' to mitigate spoofed and unwanted
traffic
b) you may have a corporate policy where you need the capability to
look at all traffic and therefore are required to use some IPsec
intermediary device which acts as an endpoint on behalf of other
corporate hosts (and decrypts/encrypts the traffic).
An IPv6 network is sufficiently different from IPv4 that I encourage
folks to not simply slap an IPv4 security model onto future IPv6
networks.
- merike
www.doubleshotsecurity.com
On Dec 31, 2004, at 9:32 AM, Sam Stickland wrote:
>
> Since IPSEC is an integral part of IPv6 won't this have an effect on
> the deep packet inspection firewalls? Is this type of inspection
> expected to work in IPv6?
>
> Perhaps using some kind of NAP the firewall is allowed to speak on
> behalf of the host(s) it firewalls, so that to the client the
> firewall itself appears to be the IPSEC endpoint?
>
> Sam
>
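Added example (not from either poster, and not code from any product named in the thread) illustrating the distinction Merike draws above: an inline inspection point can still parse the IPv6 header chain through AH, because AH only authenticates, but once it reaches an ESP header everything after it is ciphertext, so only "sanity checks other than deep inspection" on the cleartext IPv6 header remain. The addresses, SPIs, prefix and payloads are constructed sample values; the header walker and the checks are an illustrative sketch, not the logic of any real firewall.

```python
"""Constructed IPv6 packets with AH and ESP, and what an inspector can see."""
import ipaddress
import struct

# IANA next-header / protocol numbers
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 6, 17, 43, 44, 50, 51, 60
EXT_NAMES = {HOPOPT: "HOPOPT", ROUTING: "ROUTING", DSTOPTS: "DSTOPTS"}


def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    """Fixed 40-byte IPv6 header (version 6, no traffic class/flow label) + payload."""
    fixed = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def build_ah(next_header, spi, seq, icv):
    """AH header; its length field counts 32-bit words minus 2 (RFC 4302)."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def build_esp(spi, seq, ciphertext):
    """ESP header (SPI, sequence) followed by opaque ciphertext (constructed bytes here)."""
    return struct.pack("!II", spi, seq) + ciphertext


def build_tcp(sport, dport):
    """Minimal 20-byte TCP SYN header; checksum left zero (sample data only)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def walk_headers(packet):
    """Follow the IPv6 extension-header chain until an upper-layer protocol or ESP."""
    if packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    _payload_len, nh, hop_limit = struct.unpack("!HBB", packet[4:8])
    info = {"src": ipaddress.IPv6Address(packet[8:24]),
            "dst": ipaddress.IPv6Address(packet[24:40]),
            "hop_limit": hop_limit, "chain": [], "encrypted": False}
    offset = 40
    while True:
        if nh == ESP:
            info["chain"].append("ESP")
            info["encrypted"] = True  # everything after this header is ciphertext
            break
        if nh == AH:
            # AH authenticates but does not hide: skip its header and keep walking
            ah_nh, ah_len = packet[offset], packet[offset + 1]
            info["chain"].append("AH")
            nh, offset = ah_nh, offset + (ah_len + 2) * 4
        elif nh in EXT_NAMES:
            ext_nh, ext_len = packet[offset], packet[offset + 1]
            info["chain"].append(EXT_NAMES[nh])
            nh, offset = ext_nh, offset + (ext_len + 1) * 8
        elif nh == FRAGMENT:
            info["chain"].append("FRAGMENT")
            nh, offset = packet[offset], offset + 8
        else:
            break
    info["upper"], info["upper_offset"] = nh, offset
    return info


def sanity_checks(info, trusted_prefix):
    """Checks that need only the cleartext IPv6 header, so they still work under ESP."""
    problems = []
    src = info["src"]
    if src.is_unspecified or src.is_loopback or src.is_multicast:
        problems.append("illegal source address %s" % src)
    if src not in ipaddress.IPv6Network(trusted_prefix):
        problems.append("source %s outside expected prefix %s" % (src, trusted_prefix))
    if info["hop_limit"] == 0:
        problems.append("hop limit is zero")
    return problems


def inspect(packet, trusted_prefix):
    """Return what an inline inspector learned: header chain, sanity results, TCP/UDP port if visible."""
    info = walk_headers(packet)
    verdict = {"chain": info["chain"], "encrypted": info["encrypted"],
               "problems": sanity_checks(info, trusted_prefix), "dport": None}
    if not info["encrypted"] and info["upper"] in (TCP, UDP):
        off = info["upper_offset"]  # deep inspection is possible: transport header is in the clear
        verdict["dport"] = struct.unpack("!H", packet[off + 2:off + 4])[0]
    return verdict


# Constructed sample traffic (documentation prefix 2001:db8::/32)
TRUSTED = "2001:db8:1::/48"
AH_PACKET = build_ipv6("2001:db8:1::10", "2001:db8:2::80", AH,
                       build_ah(TCP, 0x1001, 1, b"\x00" * 12) + build_tcp(40000, 80))
ESP_PACKET = build_ipv6("2001:db8:1::10", "2001:db8:2::80", ESP,
                        build_esp(0x1002, 1, b"\xaa" * 32))
SPOOFED_PACKET = build_ipv6("::1", "2001:db8:2::80", TCP, build_tcp(40000, 80))

if __name__ == "__main__":
    for name, pkt in (("AH", AH_PACKET), ("ESP", ESP_PACKET), ("spoofed", SPOOFED_PACKET)):
        print(name, inspect(pkt, TRUSTED))
```

Running the block shows the AH packet yielding a destination port (inspection still possible), the ESP packet yielding no port at all (only the header-level checks apply), and the spoofed packet being caught by those header-level checks even though nothing past the IPv6 header was examined.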