nanog mailing list archives

Re: IPv6, IPSEC and deep packet inspection


From: Merike Kaeo <kaeo () merike com>
Date: Fri, 31 Dec 2004 10:46:56 -0800


IPv6 and IPsec will (should) change how people incorporate security controls into their networks. It largely depends on who you trust and also what corporate policies are in place.

No issue when just using authentication IPsec services. When you start encrypting for confidentiality then:

a) you may end up trusting your endpoints more and perform sanity checks other than 'deep inspection' to mitigate spoofed and unwanted traffic

b) you may have a corporate policy where you need the capability to look at all traffic and therefore are required to use some IPsec intermediary device which acts as an endpoint on behalf of other corporate hosts (and decrypts/encrypts the traffic).

An IPv6 network is sufficiently different from IPv4 that I encourage folks to not simply slap an IPv4 security model onto future IPv6 networks.

- merike
www.doubleshotsecurity.com

On Dec 31, 2004, at 9:32 AM, Sam Stickland wrote:


Since IPSEC is an integral part of IPv6, won't this have an effect on the deep packet inspection firewalls? Is this type of inspection expected to work in IPv6?

Perhaps using some kind of NAP the firewall is allowed to speak on behalf of the host(s) it firewalls, so that to the client the firewall itself appears to be the IPSEC endpoint?

Sam
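As an added illustration of the distinction Merike draws above (authentication-only IPsec leaves payloads readable, encryption does not) and of Sam's question about whether inspection can still work, the following script is example code, not from either posting. It walks an IPv6 extension-header chain on constructed packets and reports whether a middlebox could still read the transport header: readable behind AH, opaque behind ESP. Addresses, SPIs, the ICV and the TCP bytes are dummy values.

```python
import struct

# IANA IPv6 next-header values (real protocol numbers)
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 6, 17, 43, 44, 50, 51, 60
OPTION_HEADERS = {HOPOPT, ROUTING, DSTOPTS}   # length field = (hdr_ext_len + 1) * 8 bytes

def classify_ipv6(pkt: bytes) -> dict:
    """Walk the header chain; report the chain, whether a middlebox can read the
    transport payload, and the offset at which inspection would start."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = pkt[6], 40, []
    while True:
        chain.append(nxt)
        if nxt == ESP:
            # ESP (RFC 4303): only SPI and sequence number are in the clear; the
            # transport header and payload sit inside the encrypted part, so deep
            # inspection needs an IPsec endpoint, exactly Merike's option (b).
            return {"chain": chain, "inspectable": False, "offset": off}
        if nxt == AH:
            # AH (RFC 4302): integrity only. Next Header is pkt[off]; Payload Len is
            # in 4-octet units minus 2; the payload that follows stays readable.
            nxt, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        elif nxt == FRAGMENT:
            nxt, off = pkt[off], off + 8          # fragment header is a fixed 8 bytes
        elif nxt in OPTION_HEADERS:
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            return {"chain": chain, "inspectable": True, "offset": off}

def tcp_udp_ports(pkt: bytes):
    """Ports a firewall could filter on, or None when the payload is opaque."""
    r = classify_ipv6(pkt)
    if not r["inspectable"] or r["chain"][-1] not in (TCP, UDP):
        return None
    return struct.unpack("!HH", pkt[r["offset"]:r["offset"] + 4])

# --- constructed sample packets: 2001:db8::1 -> 2001:db8::2, dummy SPI/ICV/TCP bytes ---
def _ipv6(nxt: int, payload: bytes) -> bytes:
    src, dst = b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x01", b"\x20\x01\x0d\xb8" + b"\x00" * 11 + b"\x02"
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nxt, 64, src, dst) + payload

TCP_HDR = struct.pack("!HHIIBBHHH", 51515, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)  # SYN to :443
# AH with a 12-byte ICV: 24 bytes total, so Payload Len field = 24 / 4 - 2 = 4
AH_PKT = _ipv6(AH, struct.pack("!BBHII", TCP, 4, 0, 0x1000, 1) + b"\x00" * 12 + TCP_HDR)
# ESP: SPI + sequence number, then opaque ciphertext
ESP_PKT = _ipv6(ESP, struct.pack("!II", 0x2000, 1) + b"\xaa" * 32)

if __name__ == "__main__":
    for name, pkt in (("AH", AH_PKT), ("ESP", ESP_PKT)):
        print(name, classify_ipv6(pkt), tcp_udp_ports(pkt))
```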
