ipv6 question

Michael H. Warfield mhw at WittsEnd.com
Sat Jan 8 20:02:34 UTC 2011


On Sat, 2011-01-08 at 11:27 -0700, James McKenzie wrote: 
> On 1/8/11 11:16 AM, Michael H. Warfield wrote:

- snip -

> > Oh lord WHY can we NOT make this myth go away?!?!  The IPv6 spec does
> > NOT mandate the USE of IPsec.  It only mandates the SUPPORT of IPsec.
> > To be IPv6 compliant you must support it.  You do NOT have to use it.
> > The IETF has tried to be very clear on this and I've sat in on some of
> > the working groups discussing it.  I've been on the global IPv6 network
> > over a decade now and not used IPsec on IPv6.  I've used IPsec on
> > IPv4 (and I'm a code contributor to the Openswan project) to help
> > facilitate IPv6 tunnels over firewalls and broken (redundant) NAT
> > gateways.  I can use IPsec on IPv6 and, if I use IKE2, I can even tunnel
> > IPv6 directly on IPv4 in ESP (with version 1 IKE you have to use SIT on
> > top of ESP in order to tunnel IPv6 on IPv4 through IPsec).  But, I don't
> > need to so I don't.  You don't have to use IPsec.

> You had better tell that to (ISC)2 as it is a question on their CISSP exam.

Great.

It always comes down to wording and, as much as everyone at the IETF
tries to be precise, to the extent of even defining the terms "must",
"should", "must not" and "should not" in almost every document, still
things get misinterpreted.  If the wording of that question says you
"must use IPsec on IPv6" or "IPv6 mandates the use of IPsec", then they
are dead wrong.  If they say it is recommended or you should, then they
have some wiggle room in that it's a "should" recommendation but not
mandatory and almost nobody does.  It's a "must" requirement to support
it.  It "must" be available in the network stack or you are not
compliant (Linux is).  They can get away with saying it's recommended or
you should use it.  If they say it's a mandatory requirement TO USE (not
just to support) then they are wrong.  I'll mention it to a few people I
know who are in a better position to deal with that.

Honestly, it's not even possible.  The problem is the thorny issue of
key management.  If you don't have any mechanism for exchanging keys
between previously unknown parties (what we refer to as "opportunistic
encryption") then what good does it do you?  In FreeS/WAN (now Openswan
and StrongSWAN) there was an effort to do opportunistic encryption by
exchanging public keys over DNS.  Ever see any IPsec keys in DNS?  It's
not pretty and it's a royal PITA to manage.  I asked our DNS
administrators to add some KEY RRs to our zone a while back and they
looked at me like I grew three heads.  There have been other proposals
since, even recently with the advent of DNSsec.  Still, there's no
universally accepted mechanism to crack that nut.


> James McKenzie

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!