[76858] in North American Network Operators' Group


Re: IPv6, IPSEC and deep packet inspection

daemon@ATHENA.MIT.EDU (Kevin Oberman)
Sat Jan 1 21:53:46 2005

To: "Stephen Sprunk" <stephen@sprunk.org>
Cc: bmanning@vacation.karoshi.com, "Rob Thomas" <robt@cymru.com>,
	"North American Noise and Off-topic Gripes" <nanog@merit.edu>
In-reply-to: Your message of "Fri, 31 Dec 2004 22:42:17 CST."
             <02c601c4efbc$af4fa8e0$6401a8c0@stephen> 
Date: Sat, 01 Jan 2005 14:48:21 -0800
From: "Kevin Oberman" <oberman@es.net>
Errors-To: owner-nanog-outgoing@merit.edu


> From: "Stephen Sprunk" <stephen@sprunk.org>
> Date: Fri, 31 Dec 2004 22:42:17 -0600
> Sender: owner-nanog@merit.edu
> 
> 
> Thus spake <bmanning@vacation.karoshi.com>
> >
> > as one who has been "bit" by this already - i can say amen to
> > what Rob preacheth...  the hardest part is getting folks up to
> > speed on IPv6 as a threat vector.
> 
> Are there any layman-readable presentations or whitepapers out there that
> discuss what _new_ threat vectors IPv6 brings?  Or how firewall or ACL
> tuning might be different?
> 
> > Swat teams that can neutralize an IPv4 based flareup in minutes/
> > hours can take days/weeks to contain a v6 channel...
> 
> The thing about that is that, if IPv6 is identified as the channel, it's
> still quite possible to shut down IPv6 connectivity until you figure out how
> to fix things.  After all, there's nothing significant out there yet on v6
> that can't be reached with v4...

Stephen,

This may be the case in your world, but in mine there are a few major
international research projects that are IPv6 only and I am not in a
position where I can just shut down IPv6 at some spot and assume that
customers won't notice (or at least won't care).
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net			Phone: +1 510 486-8634
