Re: [Full-disclosure] IPv6 security myths

On Oct 26, 2010, at 14:18, Fernando Gont wrote:
> 
> Sorry, but I don't follow. If the problem with widespread deployment of
> IPsec was NAT traversal, why didn't we see widespread IPsec deployment
> (for the general case) e.g. once RFC 3948 was published?

RFC 3948 really only made a variant of tunnel-mode ESP traverse NAT by encapsulating it in UDP, and the result was predictable: widespread deployment of tunnel-mode ESP for VPN applications where the client is behind NAT and the access concentrator is at a globally routed and reachable address.

We still don't have much transport IPsec ESP (much less AH) in the public IPv4 Internet, and the main reason is the ubiquitous deployment of IPv4/NAPT for address amplification purposes, especially at residential gateways.

> And: Do you expect IPsec deployment to increase dramatically as IPv6 gets
> deployed?

If you drop the need for NAPT at residential gateways, then I predict you will see a lot more IPsec on the public Internet.

Put another way, if you're looking for an effective way to discourage the use of IPsec over IPv6, then find a way to force residential gateways to require IPv6/NAPT functions, e.g. to provide IPv6 address amplification.  There are probably other ways-- *better* ways-- but that's the historically proven way of doing it.


--
james woodyatt <jhw@xxxxxxxxx>
member of technical staff, communications engineering


_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf