[Info-vax] "Linux Shminux - IPsec is Snake Oil!" VMS Mgmnt

[jbriggs444 at gmail.com]

On Apr 10, 7:52 am, "Steven Underwood" <nob... at spamcop.net> wrote:
> <p... at peut.org> wrote in message
>
> news:2351d6bb-2098-4f42-b2f9-3929df9862d3 at a7g2000yqk.googlegroups.com...
>
> > As I understand it, IPsec is supposed to be integral part of IPv6.
> > The discussion if you really need all that is moot, there will come a
> > moment
> > in time you will have to have it.
>
> OK, Do you have any plans to move to IPv6?  I know we are currently planning
> to add another office to our AD domain and as such are going to be redoing
> their IP range.  There is no plan to do this to IPv6 standards.  We will be
> using IPv4 10.x.x.x ranges.  My Vista laptop has an IPv6 address but none of
> my other network equipment does.
>
> At my last position, when I started, they had all machines configured with
> public IP's.  With all the security built into IPv6, is it going to be
> accepted that it is now safe to do that again?  I highly doubt it... that
> security model is difficult to explain to the PHB's of the world and
> difficult to manage/control.  A firewall is fairly easy to explain.
>
> Back to the VMS specific issues... Something I have been wondering... since
> IPsec is supposed to be an integral part of IPv6, is it already implemented
> on IPv6, even if not annunciated on the roadmap (that started this
> discussion) so people who need IPsec can simply convert to IPv6 and be
> covered?

RFC 4294 (IPv6 Node Requirements) mandates IPsec, including support
for RFC 4301 (IPsec), RFC 4302 (ESP) and RFC 4303 (AH).

Support for RFC 4305 (crypto algorithms supported) is only a "should",
but support for NULL, 3DES-CBC, AES-128-CBC and HMAC-SHA-1-96 are
"must".

I'm no expert -- just a guy who can type "IPv6 IPsec mandatory" into a
search engine and follow up references.