nanog mailing list archives

Re: IPv6, IPSEC and deep packet inspection


From: Merike Kaeo <kaeo () merike com>
Date: Fri, 31 Dec 2004 14:14:39 -0800


On Dec 31, 2004, at 12:10 PM, Daniel Roesen wrote:


On Fri, Dec 31, 2004 at 10:46:56AM -0800, Merike Kaeo wrote:
An IPv6 network is sufficiently different from IPv4 that I encourage
folks to not simply slap an IPv4 security model onto future IPv6
networks.

Can you elaborate on "sufficiently different" please? Especially
on details which make anything _conceptually_ different for security?


OK. Brevity always loses :) Yes, you still have same fundamental security issues of providing authentication, authorization, access control, confidentiality and audit so none of the investment in learning about how to protect IPv4 networks is lost.....however, where and how you provide the security services can be different for IPv4 vs IPv6 networks.

I am in no way advocating replacing the existing IDS/fw devices but how we use them today will not be effective if end-to-end encrypted traffic becomes more prevalent so we may have to think about it 'differently' in IPv6 networks.

Some issues regarding threat differences were pointed out in a NANOG presentation : http://www.nanog.org/mtg-0405/miller.html

Issues mostly come down to the fact that addressing is so different (not just scale but also how you obtain the addresses) and the fact that encrypted traffic end-to-end *may* become more prevalent. And yes, I am a huge proponent of getting rid of the saying that 'IPsec is inherently built into IPv6' - just because the standard mandates its implementation doesn't mean that people will turn it on :)

So, in my opinion since nothing has yet been proven in practice........

- fw functionality will change since *IF* IPsec encryption will become more widespread end-to-end, all the bits which firewalls need to look at will not be available. However, the IPsec specs do refer to 'hooks' which smart vendors can use to provide firewall capabilities within IPsec devices. Does this mean that end-hosts will themselves have better firewall/IPsec capability? TBD.....but I'd expect (hope) that to be the case. The firewalls which exist at network ingress/egress points will still have a place but may not necessarily perform 'deep packet inspection' if end-to-end encryption is used. On the other hand, if folks do still want to perform 'deep packet inspection' then perhaps that means end-to-end encryption will not become prevalent and the Firewall devices will act as IPsec end-points?!?

- IDS equipment...where does this leave us with logging? How do we detect potential attacks if there is end-to-end encryption? How are addressing re-configurations recorded so that logs have meaning?

- the addressing issues (automated and larger scale in IPv6) will change some ways the authentication, filtering and auditing will happen.


 merike
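The point in the message above about firewalls losing "all the bits which firewalls need to look at" can be made concrete by walking an IPv6 header chain the way a boundary filter would. The following is an added example, not code from the thread or from any vendor: it constructs three packets inline (plaintext TCP, TCP inside transport-mode ESP behind a Destination Options header, and TCP behind AH) and reports which fields are readable without the SA keys. It goes slightly beyond the message by contrasting ESP with AH, which authenticates but does not hide the transport header. The addresses, SPI, ICV and "ciphertext" bytes are constructed placeholders; the protocol numbers and header layouts follow RFC 8200, RFC 4302 and RFC 4303.

```python
"""Walk an IPv6 header chain and report what a boundary filter can read.

Added example (not from the thread): shows why a port/flag-matching
firewall is blind once the flow is inside ESP, while AH-only traffic and
plaintext traffic keep their transport header visible.  All packets are
constructed inline with a dummy ICV/ciphertext; nothing is a real capture.
"""
import struct

# IANA protocol / next-header numbers (real values)
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 6, 17, 43, 44, 50, 51, 60
TLV_EXT = {HOPOPT, ROUTING, DSTOPTS}  # length field = (octets / 8) - 1

SRC = bytes.fromhex("20010db8000000000000000000000001")  # 2001:db8::1, documentation prefix
DST = bytes.fromhex("20010db8000000000000000000000002")  # 2001:db8::2

def build_ipv6(src, dst, next_hdr, payload, hop_limit=64):
    """Fixed 40-byte IPv6 header (RFC 8200) followed by payload."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, hop_limit) + src + dst + payload

def build_tcp(sport, dport, flags=0x02):
    """Minimal 20-byte TCP header; checksum left zero (constructed sample)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def build_dstopts(next_hdr):
    """8-byte Destination Options header holding one PadN option."""
    return bytes([next_hdr, 0, 1, 4, 0, 0, 0, 0])

def build_esp(spi, seq, ciphertext):
    """ESP (RFC 4303): only SPI and sequence number are in the clear."""
    return struct.pack("!II", spi, seq) + ciphertext

def build_ah(spi, seq, next_hdr, inner, icv=bytes(12)):
    """AH (RFC 4302): header + 96-bit ICV (dummy zeros here); inner header stays readable."""
    payload_len = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv + inner

def inspect(pkt):
    """Return the fields a stateless filter can read without the SA keys."""
    ver_tc_fl, _plen, nxt, _hlim = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not IPv6")
    view = {"src": pkt[8:24], "dst": pkt[24:40], "chain": [], "authenticated": False,
            "l4_visible": False}
    off = 40
    while True:
        if nxt in TLV_EXT:
            view["chain"].append(nxt)
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nxt == AH:
            # Integrity only: the next header and everything after the ICV stay in plaintext
            view["chain"].append(AH)
            view["authenticated"] = True
            view["spi"], view["seq"] = struct.unpack("!II", pkt[off + 4:off + 12])
            nxt, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        else:
            break
    view["proto"] = nxt
    if nxt == TCP:
        sport, dport = struct.unpack("!HH", pkt[off:off + 4])
        view.update(sport=sport, dport=dport, flags=pkt[off + 13], l4_visible=True)
    elif nxt == UDP:
        sport, dport = struct.unpack("!HH", pkt[off:off + 4])
        view.update(sport=sport, dport=dport, l4_visible=True)
    elif nxt == ESP:
        # Everything after SPI/seq is ciphertext: no ports, no flags, no payload signatures
        view["spi"], view["seq"] = struct.unpack("!II", pkt[off:off + 8])
    return view

# Constructed sample packets (placeholder SPI; 2001:db8::/32 is the documentation prefix)
def plain_tcp_packet():
    return build_ipv6(SRC, DST, TCP, build_tcp(40000, 22))

def esp_packet():
    # 32 zero bytes stand in for the encrypted TCP segment plus ESP trailer
    return build_ipv6(SRC, DST, DSTOPTS, build_dstopts(ESP) + build_esp(0x1234ABCD, 7, bytes(32)))

def ah_packet():
    return build_ipv6(SRC, DST, AH, build_ah(0x1234ABCD, 7, TCP, build_tcp(40000, 22)))

if __name__ == "__main__":
    for name, p in (("plain", plain_tcp_packet()), ("esp", esp_packet()), ("ah", ah_packet())):
        v = inspect(p)
        print(name, "proto", v["proto"], "l4_visible", v["l4_visible"], "chain", v["chain"])
```

For the ESP packet the filter is left with source, destination, the extension-header chain and an SPI, which is enough for coarse policy (which peers may talk, over which SA) but not for port- or signature-based rules; a policy that needs those must sit at the host or at whichever device terminates the SA.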