[76863] in North American Network Operators' Group
Re: IPv6, IPSEC and deep packet inspection
daemon@ATHENA.MIT.EDU (Manish Karir)
Sun Jan 2 00:50:07 2005
Date: Sun, 2 Jan 2005 00:49:43 -0500 (EST)
From: Manish Karir <mkarir@merit.edu>
To: nanog@merit.edu
In-Reply-To: <20041231180628.1B83A91241@trapdoor.merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
> ------------------------------
>
> Date: Fri, 31 Dec 2004 17:32:24 +0000 (GMT Standard Time)
> From: Sam Stickland <sam_ml@spacething.org>
> Subject: IPv6, IPSEC and deep packet inspection
>
> Since IPSEC is an integral part of IPv6 won't this have an effect on the
> deep packet inspection firewalls? Is this type of inspection expected to
> work in IPv6?
>
> Perhaps using some kind of NAP the firewall is allowed to speak on behalf
> of the host(s) it firewalls, so that to the client the firewall itself
> appears to be the IPSEC endpoint?
>
> Sam
Some related issues, as they apply to IPv4, were discussed in the following:
IPSEC and the Internet:
http://techreports.isr.umd.edu/reports/1999/MS_99-14.pdf
as well as:
A Multi-Layer IP Security Protocol for TCP Performance Enhancement in
Wireless Networks:
http://www.yongguangzhang.net/papers/jsac04.html
Both of the above essentially proposed using a layering scheme that
differentiates between keys used to encrypt different parts of a packet;
this would allow people the flexibility to then selectively disclose keys
as necessary for the deep packet inspector boxes to work, without
compromising the security of the entire packet payload. In this approach,
the "middlebox" does not have to be an IPSEC end-point. Both of the
above argued that without such layering, IPSEC would essentially render
any network monitoring or analysis based on information
deeper than the IP hdr useless (which is actually the intent of
IPSEC).
-manish
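A toy model of the zone-keyed layering Manish describes, added here as an illustration; it is not code from either paper, and the zone boundaries, key names, sample packet and the HMAC-in-counter-mode stand-in for ESP's cipher are all my own assumptions. It shows that a middlebox handed only the transport-zone key can still read the TCP ports while the application payload stays opaque to it.

```python
import hashlib
import hmac
import struct

# Zones of the post-IP-header bytes, each under its own key (the ML-IPsec idea).
# Assumed layout: a 20-byte TCP header zone, then everything else as payload.
ZONES = {"transport": (0, 20), "payload": (20, None)}

def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    """Toy stand-in for ESP's cipher: HMAC-SHA256 run in counter mode."""
    out = b""
    for counter in range(-(-length // 32)):  # ceil(length / 32) blocks
        out += hmac.new(key, label + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]

def _apply(body: bytes, keys: dict, nonce: bytes) -> bytes:
    """XOR each zone with its own keystream; zones we hold no key for are left
    untouched. XOR is symmetric, so the same call encrypts and decrypts."""
    out = bytearray(body)
    for zone, (start, end) in ZONES.items():
        if zone not in keys:
            continue
        end = len(out) if end is None else end
        ks = _keystream(keys[zone], nonce + zone.encode(), end - start)
        out[start:end] = bytes(a ^ b for a, b in zip(out[start:end], ks))
    return bytes(out)

def ml_encrypt(body: bytes, keys: dict, nonce: bytes) -> bytes:
    return _apply(body, keys, nonce)

def ml_decrypt(body: bytes, keys: dict, nonce: bytes) -> bytes:
    return _apply(body, keys, nonce)

def middlebox_inspect(cipher_body: bytes, disclosed_keys: dict, nonce: bytes) -> dict:
    """A DPI box that was handed only the keys the endpoints chose to disclose."""
    partial = ml_decrypt(cipher_body, disclosed_keys, nonce)
    sport, dport = struct.unpack(">HH", partial[:4])
    return {"sport": sport, "dport": dport, "payload": partial[20:]}

# Constructed sample: a minimal TCP header (51234 -> 443) plus an HTTP request line.
TCP_HEADER = struct.pack(">HHIIBBHHH", 51234, 443, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
PAYLOAD = b"GET /index.html HTTP/1.1\r\n"
KEYS = {"transport": b"k-transport-zone", "payload": b"k-payload-zone"}  # constructed
NONCE = b"spi0001seq00001"  # constructed; real ESP would derive this from SPI/sequence
```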