nanog mailing list archives
Re: IPv6, IPSEC and deep packet inspection
From: Merike Kaeo <kaeo () merike com>
Date: Fri, 31 Dec 2004 10:46:56 -0800
IPv6 and IPsec will (should) change how people incorporate security controls into their networks. It largely depends on who you trust and also what corporate policies are in place.
No issue when just using authentication IPsec services. When you start encrypting for confidentiality then:
a) you may end up trusting your endpoints more and perform sanity checks other than 'deep inspection' to mitigate spoofed and unwanted traffic
b) you may have a corporate policy where you need the capability to look at all traffic and therefore are required to use some IPsec intermediary device which acts as an endpoint on behalf of other corporate hosts (and decrypts/encrypts the traffic).
An IPv6 network is sufficiently different from IPv4 that I encourage folks to not simply slap an IPv4 security model onto future IPv6 networks.
- merike
www.doubleshotsecurity.com

On Dec 31, 2004, at 9:32 AM, Sam Stickland wrote:
Since IPSEC is an integral part of IPv6 won't this have an effect on the deep packet inspection firewalls? Is this type of inspection expected to work in IPv6?

Perhaps using some kind of NAP the firewall is allowed to speak on behalf of the host(s) it firewalls, so that to the client the firewall itself appears to be the IPSEC endpoint?

Sam
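The difference between authentication-only and encrypting IPsec described in the message above, as an added example that is not part of the original post: a Python walk of the IPv6 extension header chain showing that the upper-layer header stays readable behind AH but not behind ESP. The function name `classify`, the helper `_ipv6` and the sample packets are constructed for illustration.

```python
import struct

HOPOPT, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, TCP, UDP = 0, 43, 44, 50, 51, 60, 6, 17

def classify(packet: bytes) -> dict:
    """Walk an IPv6 header chain; report what an on-path inspector can read."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = packet[6], 40
    seen = {"ah": False, "esp": False, "upper": None, "dport": None}
    while nxt in (HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS):
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        if nxt == AH:
            seen["ah"] = True
            length = (packet[off + 1] + 2) * 4   # AH length field: 32-bit words minus 2
        elif nxt == FRAGMENT:
            length = 8
            if struct.unpack_from("!H", packet, off + 2)[0] >> 3:
                return seen                      # non-first fragment: no upper header here
        else:
            length = (packet[off + 1] + 1) * 8   # 8-octet units, first 8 octets not counted
        nxt, off = packet[off], off + length
    if nxt == ESP:
        seen["esp"] = True                       # only SPI and sequence number are cleartext
        return seen
    seen["upper"] = nxt
    if nxt in (TCP, UDP) and off + 4 <= len(packet):
        seen["dport"] = struct.unpack_from("!H", packet, off + 2)[0]
    return seen

def _ipv6(next_header: int, payload: bytes) -> bytes:
    # Constructed test packet: all-zero addresses, hop limit 64.
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + bytes(32) + payload

# Constructed samples: the same TCP segment to port 443 carried under AH and under ESP.
TCP_SEG = struct.pack("!HH", 49152, 443) + bytes(16)
AH_HDR = bytes([TCP, 4, 0, 0]) + struct.pack("!II", 0x1000, 1) + bytes(12)
AH_PKT = _ipv6(AH, AH_HDR + TCP_SEG)
# Zero bytes stand in for the ESP ciphertext.
ESP_PKT = _ipv6(ESP, struct.pack("!II", 0x1000, 1) + bytes(len(TCP_SEG) + 16))

if __name__ == "__main__":
    print("AH :", classify(AH_PKT))
    print("ESP:", classify(ESP_PKT))
```

The walk treats every ESP packet as opaque, since the header alone does not say which cipher the security association negotiated.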