[76854] in North American Network Operators' Group


Re: IPv6, IPSEC and deep packet inspection

daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Sat Jan 1 11:44:26 2005

Date: Sat, 1 Jan 2005 18:43:55 +0200 (IST)
From: Hank Nussbacher <hank@mail.iucc.ac.il>
To: Stephen Sprunk <stephen@sprunk.org>
Cc: bmanning@vacation.karoshi.com, Rob Thomas <robt@cymru.com>,
	North American Noise and Off-topic Gripes <nanog@merit.edu>
In-Reply-To: <02c601c4efbc$af4fa8e0$6401a8c0@stephen>
Errors-To: owner-nanog-outgoing@merit.edu


On Fri, 31 Dec 2004, Stephen Sprunk wrote:

> Are there any layman-readable presentations or whitepapers out there that
> discuss what _new_ threat vectors IPv6 brings?  Or how firewall or ACL
> tuning might be different?

Try the Networkers 2004 IPv6 security session (SEC-A01) from 3 weeks ago.
Abstract:

"IPv6 is seeing increased deployments worldwide and is expected to ramp up
significantly specially in Europe.  Much of the existing security
discussion around IPv6 has focused on its inclusion of IPsec. While the
confidentiality, integrity, and authentication features of IPsec are
clearly useful, IPsec is not enough to securely deploy IPv6. This session
will present IPv6 security as contrasted with IPv4 from a threats
perspective. Common threats you may be familiar with in IPv4 will be
compared to how those threats may evolve in IPv6. The counter-measures for
IPv6 threats will be presented (including access control and firewalling).
Potential best practices for the use of IPv6 in a dual-stack mode in an
Internet edge, tunnelling will be presented as well. The focus will be on
medium to large organizations but Service Providers will probably find
this session helpful."

Problem is to get to the PDF you need authorization:
https://www28.cplan.com/cbc_export/PS_SEC-A01_268410_76-1_FIN_v1.pdf

You can get an earlier version off of Sean's page at:
http://www.seanconvery.com/ipv6.html

Might be worthwhile to review much of what is on that page!

-Hank
