[76843] in North American Network Operators' Group


Re: IPv6, IPSEC and deep packet inspection

daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Fri Dec 31 19:43:06 2004

Date: Sat, 01 Jan 2005 00:42:37 +0000 (GMT)
From: "Christopher L. Morrow" <christopher.morrow@mci.com>
In-reply-to: <Pine.GSO.4.58.0412311707230.15968@kungfunix.net>
To: "J. Oquendo" <sil@politrix.org>
Cc: nanog@nanog.org
Errors-To: owner-nanog-outgoing@merit.edu
On Fri, 31 Dec 2004, J. Oquendo wrote:

>
>
> Oops... Subject would have helped before apologies...
>
> On Fri, 31 Dec 2004, Merike Kaeo wrote:
>
> >
> > When you start encrypting for confidentiality then:
> >
> > a) you may end up trusting your endpoints more and perform sanity
> > checks other than 'deep inspection' to mitigate spoofed and unwanted
> > traffic
>
> Shouldn't mitigation on spoofing (and this argument will forever go
> forward on NANOG) be done at the network level, e.g. BOGON, Best Common

First, spoofing problems are as prevalent in v6 as in v4. Then 'yes this
is a network problem' only choose the place in the network where it makes
the most sense: "as close to the end systems as possible"... but that's
probably for another nanog thread or ten.

> Underrated Practices? If companies didn't follow them then/now using IPv4
> which can already filter this what makes you think engineers will
> configure their equipment to do more sanity checks.
>

Some of this 'not follow it now' is partly due to equipment problems.
These problems should be disappearing from many larger networks as new
gear is cycled in over the next couple of years. The option will then be
available to the engineers that operate the networks, they will likely
still prefer the 'closest to the end system router' make the filtering
decision though.

> > b) you may have a corporate policy where you need the capability to
> > look at all traffic and therefore are required to use some IPsec
> > intermediary device which acts as an endpoint on behalf of other
> > corporate hosts (and decrypts/encrypts the traffic).
>
> Wouldn't this render ESP obsolete? What would be the purpose of IPsec
> then? What I infer from this message is that you would want some form of

It's possible your corporate policy might state:
"AH is acceptable and required for intra-site communications, ESP is
required and acceptable for inter-site communications that pass over
untrusted networks."

As a for instance... It seems that AH/ESP in v6 is just as complex and
bothersome as v4, so perhaps this is a moot point for the coming decade?
:)

> hardware or software in place to be able to read this IPSec traffic. And
> this to you is security? How secure would I feel knowing my provider, or
> company has the ability to decrypt my encrypted data when I'm making an

Your company likely has this capability, or could have it today... They
also likely don't want you wasting company time buying things on ebay or
amazon... your company, in the US, likely has this in their HR/Employee
handbook in the form of some 'corporate assets are for corporate use only'
statement.

> online payment somewhere, how secure would any user feel with some form of
> (not known at this time to even be possible) device on the line. This
> statement makes little sense to me, or maybe I'm misreading it.
>

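The spoofing point above ("choose the place in the network where it makes the most sense: as close to the end systems as possible") is, in practice, a per-interface source-address ingress filter on the edge router. The following is an added illustration, not code from this thread or from any vendor; interface names, prefixes and packets are constructed sample values. It models the same check for both IPv4 and IPv6: the edge router knows which prefixes live behind each interface, so a packet arriving on that interface with a source outside them is dropped. IPv6 link-local sources are permitted on their own interface because neighbor discovery depends on them; unknown interfaces default to deny.

```python
"""Per-interface source-address (anti-spoofing) ingress filter, v4 and v6.

Added example for the NANOG discussion; not the poster's or any vendor's
code. Interface names, prefixes and packets below are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed topology: prefixes legitimately sourced behind each edge interface.
INTERFACE_PREFIXES: Dict[str, List[str]] = {
    "ge-0/0/1": ["192.0.2.0/24", "2001:db8:1::/48"],
    "ge-0/0/2": ["198.51.100.0/25", "2001:db8:2::/48"],
}

Packet = Tuple[str, str, str]  # (ingress interface, source, destination)


def build_filter(table: Dict[str, List[str]]):
    """Parse the prefix table once into ip_network objects keyed by interface."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in table.items()}


def allowed_source(filters, ifname: str, src: str) -> bool:
    """True if `src` is a legitimate source for a packet arriving on `ifname`.

    Unknown interfaces have no prefix list and therefore deny everything.
    IPv6 link-local sources (fe80::/10) are allowed because neighbor
    discovery on the interface itself uses them; IPv4 link-local is not.
    """
    addr = ipaddress.ip_address(src)
    if addr.version == 6 and addr.is_link_local:
        return ifname in filters
    # `in` returns False across address families, so mixing v4/v6 is safe.
    return any(addr in net for net in filters.get(ifname, []))


def filter_packets(filters, packets: Iterable[Packet]):
    """Split packets into (accepted, dropped) lists using the ingress filter."""
    accepted, dropped = [], []
    for pkt in packets:
        ifname, src, _dst = pkt
        (accepted if allowed_source(filters, ifname, src) else dropped).append(pkt)
    return accepted, dropped


# Constructed sample traffic as seen on the edge router's customer-facing ports.
SAMPLE_PACKETS: List[Packet] = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.5"),        # legitimate v4
    ("ge-0/0/1", "198.51.100.7", "203.0.113.5"),      # source belongs behind ge-0/0/2
    ("ge-0/0/1", "10.0.0.1", "203.0.113.5"),          # private source, not assigned here
    ("ge-0/0/1", "fe80::1", "ff02::1"),               # v6 link-local, neighbor discovery
    ("ge-0/0/2", "2001:db8:2::1", "2001:db8:ffff::1"),# legitimate v6
    ("ge-0/0/2", "2001:db8:1::1", "2001:db8:ffff::1"),# source belongs behind ge-0/0/1
    ("ge-0/0/9", "192.0.2.1", "203.0.113.5"),         # unknown interface, default deny
]


def run_sample():
    """Apply the filter to the constructed traffic; returns (accepted, dropped)."""
    return filter_packets(build_filter(INTERFACE_PREFIXES), SAMPLE_PACKETS)


if __name__ == "__main__":
    acc, drp = run_sample()
    for p in acc:
        print("ACCEPT", p)
    for p in drp:
        print("DROP  ", p)
```

Placing this check on the interface nearest the end systems is what makes it precise: that router has the narrowest possible prefix list per port, so a spoofed source stands out, whereas a filter several hops upstream only sees aggregates and must let much more through.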