[76900] in North American Network Operators' Group


Re: IPv6, IPSEC and deep packet inspection

daemon@ATHENA.MIT.EDU (Nils Ketelsen)
Tue Jan 4 09:47:06 2005

Date: Tue, 4 Jan 2005 09:44:01 -0500
From: Nils Ketelsen <nils.ketelsen@kuehne-nagel.com>
To: nanog@merit.edu
Mail-Followup-To: nanog@merit.edu
In-Reply-To: <Pine.WNT.4.61.0412311728250.3028@snarf>; from sam_ml@spacething.org on Fri, Dec 31, 2004 at 05:32:24PM +0000
Errors-To: owner-nanog-outgoing@merit.edu


On Fri, Dec 31, 2004 at 05:32:24PM +0000, Sam Stickland wrote:

> Since IPSEC is an integral part of IPv6 won't this have an effect on the
> deep packet inspection firewalls? Is this type of inspection expected to
> work in IPv6?

Well, it will work as well as the virus scanning on firewalls
when you use an SSL website.

> Perhaps using some kind of NAP the firewall is allowed to speak on behalf
> of the host(s) it firewalls, so that to the client the firewall itself
> appears to be the IPSEC endpoint?

If the IPSEC implementation allows that, it
is seriously broken. You are proposing that the firewall run a
man-in-the-middle attack.


Nils
