nanog mailing list archives
Re: IPv6, IPSEC and deep packet inspection
From: "Christopher L. Morrow" <christopher.morrow () mci com>
Date: Sat, 01 Jan 2005 00:42:37 +0000 (GMT)
On Fri, 31 Dec 2004, J. Oquendo wrote:

> Oops... Subject would have helped before apologies...
>
> On Fri, 31 Dec 2004, Merike Kaeo wrote:
>
> > When you start encrypting for confidentiality then:
> >
> > a) you may end up trusting your endpoints more and perform sanity checks
> > other than 'deep inspection' to mitigate spoofed and unwanted traffic
>
> Shouldn't mitigation on spoofing (and this argument will forever go
> forward on NANOG) be done at the network level, e.g. BOGON, Best Common

First, spoofing problems are as prevalent in v6 as in v4. Then 'yes this is a network problem', only choose the place in the network where it makes the most sense: "as close to the end systems as possible"... but that's probably for another nanog thread or ten.

> Underrated Practices? If companies didn't follow them then/now using IPv4,
> which can already filter this, what makes you think engineers will
> configure their equipment to do more sanity checks?

Some of this 'not follow it now' is partly due to equipment problems. These problems should be disappearing from many larger networks as new gear is cycled in over the next couple of years. The option will then be available to the engineers that operate the networks; they will likely still prefer the 'closest to the end system router' make the filtering decision though.

> > b) you may have a corporate policy where you need the capability to look
> > at all traffic and therefore are required to use some IPsec intermediary
> > device which acts as an endpoint on behalf of other corporate hosts (and
> > decrypts/encrypts the traffic).
>
> Wouldn't this render ESP obsolete? What would be the purpose of IPsec
> then? What I infer from this message is that you would want some form of

It's possible your corporate policy might state: "AH is acceptable and required for intra-site communications, ESP is required and acceptable for inter-site communications that pass over untrusted networks." As a for instance... It seems that AH/ESP in v6 is just as complex and bothersome as v4, so perhaps this is a moot point for the coming decade? :)

> hardware or software in place to be able to read this IPSec traffic. And
> this to you is security? How secure would I feel knowing my provider, or
> company has the ability to decrypt my encrypted data when I'm making an

Your company likely has this capability, or could have it today... They also likely don't want you wasting company time buying things on ebay or amazon... your company, in the US, likely has this in their HR/Employee handbook in the form of some 'corporate assets are for corporate use only' statement.

> online payment somewhere, how secure would any user feel with some form of
> (not known at this time to even be possible) device on the line.

This statement makes little sense to me, or maybe I'm misreading it.
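As an added example (not code from the thread), here is the kind of edge policy the message sketches, applied to nothing but the fixed IPv6 header, which is all an ESP-carrying packet exposes: an anti-spoofing check against the prefix assigned to the customer port, AH required for intra-site traffic, ESP required for inter-site traffic. The prefixes, addresses, the `ingress_check` function and the test packets are constructed for illustration; the packets carry no real AH or ESP bodies.

```python
import ipaddress
import struct

NH_ESP = 50   # IPv6 next-header for ESP (RFC 4303): payload after this header is opaque
NH_AH = 51    # IPv6 next-header for AH (RFC 4302): payload authenticated, still readable

def parse_ipv6_header(pkt: bytes) -> dict:
    """Parse only the 40-byte fixed IPv6 header; it is all an ESP-carrying packet exposes."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, plen, nh, _hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"src": ipaddress.IPv6Address(pkt[8:24]),
            "dst": ipaddress.IPv6Address(pkt[24:40]),
            "next_header": nh, "payload_len": plen}

def build_ipv6(src: str, dst: str, next_header: int, payload: bytes = b"") -> bytes:
    """Constructed test packet: fixed header plus an opaque payload (no real AH/ESP body)."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def ingress_check(pkt: bytes, port_prefix, site_prefixes) -> tuple:
    """Customer-edge policy on the fixed header only, so it works for ESP-encrypted traffic:
       anti-spoofing (source inside this port's prefix), then AH required intra-site and
       ESP required inter-site, the policy the message above sketches (hypothetical)."""
    h = parse_ipv6_header(pkt)
    if h["src"] not in port_prefix:
        return "drop", f"spoofed source {h['src']} outside {port_prefix}"
    src_site = next((p for p in site_prefixes if h["src"] in p), None)
    dst_site = next((p for p in site_prefixes if h["dst"] in p), None)
    if src_site is not None and src_site == dst_site:
        if h["next_header"] != NH_AH:
            return "drop", "intra-site traffic must carry AH"
    elif h["next_header"] != NH_ESP:
        return "drop", "inter-site traffic must carry ESP"
    return "accept", "IPsec policy satisfied"

# Constructed prefixes: this port serves site A; site B is reached across an untrusted network.
PORT_PREFIX = ipaddress.ip_network("2001:db8:1::/48")
SITE_PREFIXES = [ipaddress.ip_network("2001:db8:1::/48"), ipaddress.ip_network("2001:db8:2::/48")]

if __name__ == "__main__":
    for desc, pkt in [
        ("intra-site AH", build_ipv6("2001:db8:1::10", "2001:db8:1::20", NH_AH, b"\x00" * 8)),
        ("inter-site ESP", build_ipv6("2001:db8:1::10", "2001:db8:2::20", NH_ESP, b"\xff" * 8)),
        ("inter-site AH", build_ipv6("2001:db8:1::10", "2001:db8:2::20", NH_AH)),
        ("spoofed source", build_ipv6("2001:db8:9::1", "2001:db8:2::20", NH_ESP)),
    ]:
        print(desc, ingress_check(pkt, PORT_PREFIX, SITE_PREFIXES))
```

Note that the ESP case is accepted without any look at the payload: the decision rests on addresses and the next-header field, which is why spoofing filters keep working where deep inspection cannot.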