>>>>> "Fernando" == Fernando Gont <fernando@xxxxxxxxxxx> writes:
    >> How it happened? --- Ever heard of NAT? At the time IPsec
    >> through nat did not widely exist, and even implementations that
    >> figured out udp had the problem that the cert often included a
    >> 1918 address which didn't match the packet header source
    >> address. It is easy to forget context when bashing something
    >> after the fact...

    Fernando> Sorry, but I don't follow. If the problem with widespread
    Fernando> deployment of IPsec was NAT traversal, why didn't we see
    Fernando> widespread IPsec deployment (for the general case)
    Fernando> e.g. once RFC 3948 was published?

(go read my RFC4322)

Because:
  a) we didn't have a way to uniquely identify the end nodes
therefore
  b) since everyone is 192.168.1.101, we couldn't put that into the
     "certificates" (whether X.509/pkix, SPKI or something like DNS
     IPSECKEY), we are left with trying to IPsec via transport mode,
     and it's fundamentally difficult to make IPsec+RFC3948+transport
     work if the IPsec is a bump-in-the-stack.

If you want to know why forward names do not work, please read rfc4322.

When the Freeswan project ran out of funding in Feb. 2004, we were
seriously looking at whether or not we could just run IPv6-over-IPv4UDP
everywhere. 6to4 had just come out, and Teredo was being discussed, and
the HIP people had some very interesting results doing exactly this.

    Fernando> And: Do you expect IPsec deployment to increase
    Fernando> dramatically as IPv6 gets deployed?

Partly. I also expect "VPN" use to get reduced, since 90% of VPNs are
really just remote-access systems necessary due to NAT, not security.

Most applications, due to lack of ubiquitous IPsec, are using TLS
anyway, so why do things twice? (there are reasons, but for many
applications, it's not important enough)

--
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@xxxxxxxxxxxxxxxxxxxxxx http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
                   then sign the petition.

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
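The two points the reply turns on (what RFC 3948 actually puts on UDP port 4500, and why a certificate carrying an RFC 1918 address cannot be matched against the outer header once a NAT has rewritten it) are easier to see in code. The following is an added example written for this page; it is not code from the email, from FreeS/WAN, or from any IETF document. It assumes the RFC 3948 framing (a one-octet 0xFF NAT keepalive, a four-zero-octet Non-ESP Marker in front of IKE, and a bare ESP header otherwise, which is unambiguous only because SPI 0 is reserved), the 28-octet IKEv2 header layout from RFC 7296, and constructed sample packets and addresses; the function and constant names are the example's own.

```python
"""Added example (not from the email): classify RFC 3948 UDP-encapsulated
IPsec traffic and show the certificate-ID versus outer-address check that
fails behind a NAT.  All packets and addresses below are constructed."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s.2.2: zero SPI slot marks IKE
NAT_KEEPALIVE = b"\xff"                 # RFC 3948 s.2.3: one-octet keepalive
IKE_HEADER_LEN = 28                     # RFC 7296 s.3.1: SPIi, SPIr, np, ver, xchg, flags, msgid, len


@dataclass
class EncapInfo:
    kind: str                       # "keepalive", "ike" or "esp"
    spi: Optional[int] = None       # ESP SPI (RFC 4303)
    seq: Optional[int] = None       # ESP sequence number
    ike_spi_i: Optional[int] = None
    ike_spi_r: Optional[int] = None


def classify_udp_encap(payload: bytes) -> EncapInfo:
    """Decide what follows the UDP header on port 4500 (RFC 3948 section 2).

    Order matters: the keepalive is checked first, then the Non-ESP Marker.
    Because SPI value 0 is reserved, four leading zero octets can only be the
    marker, never a real ESP header, so the last branch is plain ESP."""
    if payload == NAT_KEEPALIVE:
        return EncapInfo("keepalive")
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER_LEN:
            raise ValueError("truncated IKE header")
        spi_i, spi_r = struct.unpack("!QQ", ike[:16])
        return EncapInfo("ike", ike_spi_i=spi_i, ike_spi_r=spi_r)
    if len(payload) < 8:
        raise ValueError("too short for an ESP header")
    spi, seq = struct.unpack("!II", payload[:8])   # ESP: SPI then sequence number
    return EncapInfo("esp", spi=spi, seq=seq)


def cert_id_matches_header(cert_ip: str, outer_src: str) -> bool:
    """The peer-identity check the email describes: the ID in the certificate
    is an IP address, and it is compared with the source address of the packet
    as received.  After a NAT the outer source is the NAT's public address,
    so a certificate naming 192.168.1.101 can never match."""
    return ipaddress.ip_address(cert_ip) == ipaddress.ip_address(outer_src)


# Constructed sample packets (payload after the UDP header, port 4500).
SAMPLE_ESP = struct.pack("!II", 0x1234ABCD, 7) + b"\x00" * 16
SAMPLE_IKE = (NON_ESP_MARKER
              + struct.pack("!QQ", 0x1122334455667788, 0)   # SPIi, SPIr (0 = initial)
              + b"\x21\x20\x22\x08"                          # np=SA, v2.0, IKE_SA_INIT, I flag
              + struct.pack("!II", 0, IKE_HEADER_LEN))       # message id, length


def nat_breaks_ip_identity() -> bool:
    """Constructed scenario: the peer's cert carries its RFC 1918 address, the
    packet arrives from the NAT's public address.  Returns True when the
    identity check fails, i.e. the situation the email describes."""
    cert_ip = "192.168.1.101"        # what went into the certificate
    outer_src = "203.0.113.7"        # what the responder actually sees (NAT)
    return not cert_id_matches_header(cert_ip, outer_src)


if __name__ == "__main__":
    for name, pkt in (("keepalive", NAT_KEEPALIVE), ("esp", SAMPLE_ESP), ("ike", SAMPLE_IKE)):
        print(name, classify_udp_encap(pkt))
    print("identity check fails behind NAT:", nat_breaks_ip_identity())
```

The classifier is the decapsulation step a receiver performs before it can even look for a security association; the identity check is the step that fails in the email's scenario, and it is why the reply moves to names (RFC 4322) rather than addresses as the thing to put in a certificate. The transport-mode difficulty the email mentions is a separate problem this example does not implement: with RFC 3948 in transport mode the inner TCP/UDP checksum was computed over addresses the NAT has since rewritten, so the receiver must repair or ignore it.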