[76838] in North American Network Operators' Group
Re: IPv6, IPSEC and deep packet inspection
daemon@ATHENA.MIT.EDU (Merike Kaeo)
Fri Dec 31 17:15:47 2004
In-Reply-To: <20041231201009.GA14769@srv01.cluenet.de>
Cc: nanog@merit.edu
From: Merike Kaeo <kaeo@merike.com>
Date: Fri, 31 Dec 2004 14:14:39 -0800
To: Daniel Roesen <dr@cluenet.de>
Errors-To: owner-nanog-outgoing@merit.edu
On Dec 31, 2004, at 12:10 PM, Daniel Roesen wrote:
>
> On Fri, Dec 31, 2004 at 10:46:56AM -0800, Merike Kaeo wrote:
>> An IPv6 network is sufficiently different from IPv4 that I encourage
>> folks to not simply slap an IPv4 security model onto future IPv6
>> networks.
>
> Can you elaborate on "sufficiently different" please? Especially
> on details which make anything _conceptually_ different for security?
OK. Brevity always loses :) Yes, you still have the same fundamental
security issues of providing authentication, authorization, access
control, confidentiality and audit, so none of the investment in
learning about how to protect IPv4 networks is lost.....however, where
and how you provide the security services can be different for IPv4 vs
IPv6 networks.
I am in no way advocating replacing the existing IDS/fw devices but how
we use them today will not be effective if end-to-end encrypted traffic
becomes more prevalent so we may have to think about it 'differently'
in IPv6 networks.
Some issues regarding threat differences were pointed out in a NANOG
presentation : http://www.nanog.org/mtg-0405/miller.html
Issues mostly come down to the fact that addressing is so different
(not just scale but also how you obtain the addresses) and the fact
that encrypted traffic end-to-end *may* become more prevalent. And
yes, I am a huge proponent of getting rid of the saying that 'IPsec is
inherently built into IPv6' - just because the standard mandates its
implementation doesn't mean that people will turn it on :)
So, in my opinion since nothing has yet been proven in practice........
- fw functionality will change since *IF* IPsec encryption will become
more widespread end-to-end, all the bits which firewalls need to look
at will not be available. However, the IPsec specs do refer to 'hooks'
which smart vendors can use to provide firewall capabilities within
IPsec devices. Does this mean that end-hosts will themselves have
better firewall/IPsec capability? TBD.....but I'd expect (hope) that
to be the case. The firewalls which exist at network ingress/egress
points will still have a place but may not necessarily perform 'deep
packet inspection' if end-to-end encryption is used. On the other
hand, if folks do still want to perform 'deep packet inspection' then
perhaps that means end-to-end encryption will not become prevalent and
the Firewall devices will act as IPsec end-points?!?
- IDS equipment...where does this leave us with logging? How do we
detect potential attacks if there is end-to-end encryption? How are
addressing re-configurations recorded so that logs have meaning?
- the addressing issues (automated and larger scale in IPv6) will
change some ways the authentication, filtering and auditing will
happen.
merike
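Added example, not part of the thread above: the point about firewalls losing "all the bits which firewalls need to look at" once IPsec is used end-to-end is easy to see by walking an IPv6 header chain the way a stateless packet filter does. The script below builds four constructed packets (documentation addresses, made-up SPIs, a zero "ciphertext" standing in for ESP payload) and runs a hypothetical port-based rule over them: plain TCP and AH-protected TCP expose the transport header, ESP does not, so the rule cannot be decided at the network edge. The packet builder, the header walker and the rule are all illustrative code written for this page, not any vendor's implementation.

```python
"""Walk an IPv6 extension-header chain as a stateless filter would and
report whether the transport header (and thus the ports) is visible.
Added example for this page; all packets below are constructed by hand."""
import ipaddress
import struct

# IANA protocol / next-header numbers used in this example
HOPOPT, TCP, UDP, IPV6_ROUTE, IPV6_FRAG, ESP, AH, IPV6_DEST = 0, 6, 17, 43, 44, 50, 51, 60
# Extension headers sharing the (Next Header, Hdr Ext Len) layout, where
# Hdr Ext Len counts 8-octet units beyond the first 8 octets (RFC 2460).
GENERIC_EXT = {HOPOPT, IPV6_ROUTE, IPV6_DEST}

SRC = ipaddress.IPv6Address("2001:db8::1")  # documentation prefix, constructed
DST = ipaddress.IPv6Address("2001:db8::2")


def build_ipv6(headers, payload):
    """Assemble base header + chain. `headers` is a list of (proto, raw) in
    order, `payload` the final (proto, raw). The Next Header octet of every
    non-final header is patched to point at the header that follows it."""
    chain = headers + [payload]
    body = b""
    for i, (_, raw) in enumerate(chain):
        if i + 1 < len(chain):
            raw = bytes([chain[i + 1][0]]) + raw[1:]
        body += raw
    base = struct.pack("!IHBB", 0x60000000, len(body), chain[0][0], 64)
    return base + SRC.packed + DST.packed + body


def inspect(pkt):
    """Return what a stateless filter can see: addresses, the header chain it
    walked, and either the transport ports or the reason they are hidden."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    info = {"src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40])), "chain": []}
    nh, off = pkt[6], 40
    while True:
        if off + 4 > len(pkt):
            raise ValueError("truncated header chain")
        info["chain"].append(nh)
        if nh in GENERIC_EXT:
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == AH:
            # AH authenticates but does not encrypt: the next header and the
            # transport header stay in the clear. Payload Len is in 4-octet
            # units minus 2 (RFC 4302).
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        elif nh == IPV6_FRAG:
            frag_off = struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3
            if frag_off:
                info.update(visible=False, reason="non-first fragment, no transport header")
                return info
            nh, off = pkt[off], off + 8
        elif nh == ESP:
            # ESP: only SPI and sequence number are readable; everything after
            # them, including the transport header, is ciphertext.
            info.update(visible=False, reason="ESP: payload encrypted",
                        spi=struct.unpack("!I", pkt[off:off + 4])[0])
            return info
        elif nh in (TCP, UDP):
            sport, dport = struct.unpack("!HH", pkt[off:off + 4])
            info.update(visible=True, proto=nh, sport=sport, dport=dport)
            return info
        else:
            info.update(visible=False, reason=f"unhandled next header {nh}")
            return info


def filter_decision(pkt, blocked_ports=(22,)):
    """Hypothetical edge rule 'drop inbound TCP/UDP to these ports'.
    Returns 'drop', 'pass', or 'undecidable' when the ports are not visible."""
    seen = inspect(pkt)
    if not seen["visible"]:
        return "undecidable"
    return "drop" if seen["dport"] in blocked_ports else "pass"


# Constructed sample packets (all to port 22 where a transport header exists)
TCP_SSH = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
PLAIN = build_ipv6([], (TCP, TCP_SSH))
ESP_BLOB = struct.pack("!II", 0x1001, 1) + bytes(32)  # SPI, seq, fake ciphertext
ENCRYPTED = build_ipv6([], (ESP, ESP_BLOB))
AH_HDR = bytes([0, 4, 0, 0]) + struct.pack("!II", 0x2002, 1) + bytes(12)  # 24 octets
AUTHENTICATED = build_ipv6([(AH, AH_HDR)], (TCP, TCP_SSH))
DESTOPT = bytes([0, 0, 1, 4, 0, 0, 0, 0])  # Hdr Ext Len 0 -> 8 octets, PadN option
WITH_OPTS = build_ipv6([(IPV6_DEST, DESTOPT)], (TCP, TCP_SSH))

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("esp", ENCRYPTED),
                      ("ah", AUTHENTICATED), ("dstopts", WITH_OPTS)]:
        print(f"{name:8} chain={inspect(pkt)['chain']} -> {filter_decision(pkt)}")
```

The "undecidable" result for the ESP packet is the whole argument in one line: a port rule at the ingress point has nothing to match on, so either the policy moves to the host that holds the SA, or the firewall itself becomes the IPsec endpoint so the transport header is visible again. The AH case shows the other option the specs leave open, integrity without confidentiality, where the edge can still filter.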