[Info-vax] "Linux Shminux - IPsec is Snake Oil!" VMS Mgmnt
Jan-Erik Söderholm
jan-erik.soderholm at telia.com
Mon Apr 13 09:33:35 EDT 2009
jbriggs444 at gmail.com wrote:
> On Apr 10, 7:52 am, "Steven Underwood" <nob... at spamcop.net> wrote:
>> <p... at peut.org> wrote in message
>>
>> news:2351d6bb-2098-4f42-b2f9-3929df9862d3 at a7g2000yqk.googlegroups.com...
>>
>>> As I understand it, IPsec is supposed to be an integral part of IPv6.
>>> The discussion if you really need all that is moot, there will come a
>>> moment in time you will have to have it.
>> OK, Do you have any plans to move to IPv6? I know we are currently planning
>> to add another office to our AD domain and as such are going to be redoing
>> their IP range. There is no plan to do this to IPv6 standards. We will be
>> using IPv4 10.x.x.x ranges. My Vista laptop has an IPv6 address but none of
>> my other network equipment does.
>>
>> At my last position, when I started, they had all machines configured with
>> public IPs. With all the security built into IPv6, is it going to be
>> accepted that it is now safe to do that again? I highly doubt it... that
>> security model is difficult to explain to the PHBs of the world and
>> difficult to manage/control. A firewall is fairly easy to explain.
>>
>> Back to the VMS specific issues... Something I have been wondering... since
>> IPsec is supposed to be an integral part of IPv6, is it already implemented
>> on IPv6, even if not annunciated on the roadmap (that started this
>> discussion) so people who need IPsec can simply convert to IPv6 and be
>> covered?
>
> RFC 4294 (IPv6 Node Requirements) mandates IPsec, including support
> for RFC 4301 (IPsec), RFC 4302 (ESP) and RFC 4303 (AH).
>
> Support for RFC 4305 (crypto algorithms supported) is only a "should",
> but support for NULL, 3DES-CBC, AES-128-CBC and HMAC-SHA-1-96 are
> "must".
>
> I'm no expert -- just a guy who can type "IPv6 IPsec mandatory" into a
> search engine and follow up references.
I've got the impression that IPv6 was mainly to handle the
lack of address ranges in IPv4. But during the recent years
NAT networks with private IP address ranges such as 10.x.x.x or
192.168.x.x have mostly "solved" that problem, not?