On Oct 26, 2010, at 10:39 49PM, Fred Baker wrote: > I'm not a security guru, and will step aside instantly if someone with those credentials says I'm wrong. However, from my perspective, the assertion that IPv6 had any security properties that differed from IPv4 *at*all* has never made any sense. It is essentially a marketing claim, and - well, we all have marketing departments. > Actually, the claim was made, and was correct at the time under assumptions that proved false. The core issue was indeed that IPsec was mandated for v6. We were *very* overoptimistic about how long it would take before roll-out started in earnest. In fact, we underestimated how long it would take to get good specs for all the important pieces. We also underestimated how long IPsec would take, though that was partially (but only partially) because IPsec version 1 (RFCs 1825-1829) had to be thrown away. Quite simply, we assumed (in 1994) that IPv6 rollouts would start around 1996-1997. Given that, we didn't think that any vendors were going to bother adding IPsec to their v4 stacks. If that had all come to pass, v6 would indeed have been more secure. Even as late as 2000, I could still assert that v6 had some advantages; see http://www.cs.columbia.edu/~smb/talks/v6-security/index.htm We all know what happened. It's 2010, and deployment is finally starting in earnest. Virtually v4 stacks have IPsec. There's a a way to send IPsec through NATs (under certain circumstances). And no one cares much about host-to-host IPsec, as opposed to host-to-gateway VPNs. --Steve Bellovin, http://www.cs.columbia.edu/~smb _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf