[76837] in North American Network Operators' Group
Re: IPv6, IPSEC and deep packet inspection
daemon@ATHENA.MIT.EDU (Iljitsch van Beijnum)
Fri Dec 31 17:10:40 2004
In-Reply-To: <Pine.WNT.4.61.0412311728250.3028@snarf>
Cc: nanog@merit.edu
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Fri, 31 Dec 2004 23:10:08 +0100
To: Sam Stickland <sam_ml@spacething.org>
Errors-To: owner-nanog-outgoing@merit.edu
On 31-dec-04, at 18:32, Sam Stickland wrote:
> Since IPSEC is an integral part of IPv6 won't this have an effect on
> the deep packet inspection firewalls? Is this type of inspection
> expected to work in IPv6?
In theory IPsec is mandatory in IPv6, but in practice this doesn't mean
anything, as you still need to configure and enable it. So the chances
of speaking IPsec with some random host somewhere on the net are 0
without much rounding down.
(And IPsec is the same for IPv4 and IPv6.)
There are several ways to deploy IPsec. The first choice is AH vs ESP.
Authentication Header (AH) authenticates the entire packet including
the IP header, except fields that may be modified in transit. Encapsulating
Security Payload (ESP) can do authentication/encryption of the packet
payload (i.e., TCP or UDP segment). Unless I'm very much mistaken, ESP
can also be used just for authentication.
So if AH or ESP auth-only are used, there shouldn't be any problems.
IPsec can work in two modes: transport mode, which works between two
hosts, and tunnel mode, which can work between two hosts, but can also
be performed inside security gateways or what have you.
> Perhaps using some kind of NAP the firewall is allowed to speak on
> behalf of the host(s) it firewalls, so that to the client the firewall
> itself appears to be the IPSEC endpoint?
This is exactly the kind of thing IPsec encryption is supposed to
protect you from. :-) But yes, this could be done in theory.
(Obviously the host then must not do IPsec with keys that the firewall
doesn't know.) Whether there are any products that do it is a very
different question.
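As an added illustration of the AH vs ESP point above (this is example code written for this page, not something from the original post or from any IPsec implementation): the script below walks an IPv6 extension-header chain the way a stateless deep packet inspection box would and reports whether it can still see the TCP/UDP header. With AH the inspector just steps over the authentication header and reads the transport header behind it. With ESP it stops at the SPI and sequence number, because the next-header field and the payload sit inside the protected region, so a middlebox without the SA cannot even tell ESP with NULL encryption (auth-only) from encrypted ESP. All packet bytes, SPIs, addresses (2001:db8::/32) and the zeroed ICVs are constructed placeholders, not real traffic or key material.

```python
"""Walk an IPv6 extension-header chain the way a stateless deep packet inspection
box would, and report whether the transport header is visible when AH or ESP is
in the chain.  Added example, not from the original post; all packet bytes are
constructed inline and no real SA, key or ICV is involved."""
import struct

HOPOPTS, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 6, 17, 43, 44, 50, 51, 60
NAMES = {HOPOPTS: "HOPOPTS", TCP: "TCP", UDP: "UDP", ROUTING: "ROUTING",
         FRAGMENT: "FRAGMENT", ESP: "ESP", AH: "AH", DSTOPTS: "DSTOPTS"}


def ipv6_header(next_hdr: int, payload_len: int) -> bytes:
    # Version 6, class/flow 0, hop limit 64; documentation addresses 2001:db8::1 -> ::2.
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, payload_len, next_hdr, 64) + src + dst


def tcp_segment(sport: int, dport: int, payload: bytes) -> bytes:
    # Minimal 20-byte TCP header (data offset 5, PSH|ACK); checksum left at 0.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 1024, 0, 0) + payload


def ah_header(next_hdr: int, spi: int, seq: int, icv: bytes) -> bytes:
    # RFC 4302: "payload length" counts 32-bit words minus 2.  A 12-byte ICV
    # (HMAC-SHA1-96 size) gives a 24-byte header, so the field is 4.
    total = 12 + len(icv)
    return struct.pack("!BBHII", next_hdr, total // 4 - 2, 0, spi, seq) + icv


def esp_null_packet(spi: int, seq: int, inner: bytes, next_hdr: int, icv: bytes) -> bytes:
    # RFC 4303 ESP with NULL encryption: SPI and sequence in the clear, then the
    # inner packet, padding to a 4-byte boundary, pad length, next header, ICV.
    # Only the SA tells a receiver that "inner" is plaintext rather than ciphertext.
    pad_len = (4 - (len(inner) + 2) % 4) % 4
    return (struct.pack("!II", spi, seq) + inner + bytes(range(1, pad_len + 1))
            + bytes([pad_len, next_hdr]) + icv)


def _result(chain, inspectable, reason, **extra):
    out = {"chain": chain, "transport": None, "ports": None,
           "inspectable": inspectable, "reason": reason}
    out.update(extra)
    return out


def inspect(pkt: bytes) -> dict:
    """What a middlebox without IPsec keys can learn about the transport layer."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return _result([], False, "not an IPv6 packet")
    next_hdr = pkt[6]
    off, end = 40, 40 + struct.unpack("!H", pkt[4:6])[0]
    chain = []
    while True:
        chain.append(NAMES.get(next_hdr, str(next_hdr)))
        if off + 8 > end or end > len(pkt):
            return _result(chain, False, "truncated packet")
        if next_hdr in (TCP, UDP):
            sport, dport = struct.unpack("!HH", pkt[off:off + 4])
            return _result(chain, True, "transport header and payload in the clear",
                           transport=NAMES[next_hdr], ports=(sport, dport))
        if next_hdr == ESP:
            spi, = struct.unpack("!I", pkt[off:off + 4])
            return _result(chain, False, "ESP: next header and payload are inside the "
                           "protected region; auth-only vs encrypted is unknowable "
                           "without the SA", spi=spi)
        if next_hdr == AH:
            # AH covers the packet with an ICV but hides nothing: step over it.
            next_hdr, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        elif next_hdr == FRAGMENT:
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off:
                return _result(chain, False, "non-initial fragment: no transport header")
            next_hdr, off = pkt[off], off + 8
        elif next_hdr in (HOPOPTS, ROUTING, DSTOPTS):
            next_hdr, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            return _result(chain, False, f"unhandled next header {next_hdr}")


def build_samples() -> dict:
    # Constructed sample packets: plain TCP, AH transport mode + TCP, ESP-NULL
    # carrying the same TCP segment, and a non-initial fragment.
    tcp = tcp_segment(40000, 443, b"constructed application data")
    plain = ipv6_header(TCP, len(tcp)) + tcp
    ah = ah_header(TCP, spi=0x1000, seq=1, icv=b"\x00" * 12)  # placeholder ICV
    with_ah = ipv6_header(AH, len(ah) + len(tcp)) + ah + tcp
    esp = esp_null_packet(0x2000, 1, tcp, TCP, icv=b"\x00" * 12)  # placeholder ICV
    with_esp = ipv6_header(ESP, len(esp)) + esp
    frag = struct.pack("!BBHI", TCP, 0, 1 << 3, 0xABCD) + b"tail of a fragmented segment"
    with_frag = ipv6_header(FRAGMENT, len(frag)) + frag
    return {"plain": plain, "ah": with_ah, "esp_null": with_esp, "fragment": with_frag}


if __name__ == "__main__":
    for name, pkt in build_samples().items():
        print(f"{name:9s} {inspect(pkt)}")
```

Running it prints one result line per sample: the plain and AH packets come back inspectable with ports (40000, 443), the ESP-NULL packet stops at SPI 0x2000 even though the TCP bytes are literally in the clear behind it, and the non-initial fragment is flagged as carrying no transport header. The fragment case is included because it is the other common way an inspector loses sight of the transport header in IPv6 without any IPsec at all.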