[Info-vax] "Linux Shminux - IPsec is Snake Oil!" VMS Mgmnt
Richard B. Gilbert
rgilbert88 at comcast.net
Mon Apr 13 10:26:27 EDT 2009
jbriggs444 at gmail.com wrote:
> On Apr 10, 7:52 am, "Steven Underwood" <nob... at spamcop.net> wrote:
>> <p... at peut.org> wrote in message
>>
>> news:2351d6bb-2098-4f42-b2f9-3929df9862d3 at a7g2000yqk.googlegroups.com...
>>
>>> As I understand it, IPsec is supposed to be an integral part of IPv6.
>>> The discussion if you really need all that is moot, there will come a
>>> moment in time you will have to have it.
>> OK, Do you have any plans to move to IPv6? I know we are currently planning
>> to add another office to our AD domain and as such are going to be redoing
>> their IP range. There is no plan to do this to IPv6 standards. We will be
>> using IPv4 10.x.x.x ranges. My Vista laptop has an IPv6 address but none of
>> my other network equipment does.
>>
>> At my last position, when I started, they had all machines configured with
>> public IP's. With all the security built into IPv6, is it going to be
>> accepted that it is now safe to do that again? I highly doubt it... that
>> security model is difficult to explain to the PHB's of the world and
>> difficult to manage/control. A firewall is fairly easy to explain.
>>
>> Back to the VMS specific issues... Something I have been wondering... since
>> IPsec is supposed to be an integral part of IPv6, is it already implemented
>> on IPv6, even if not annunciated on the roadmap (that started this
>> discussion) so people who need IPsec can simply convert to IPv6 and be
>> covered?
>
> RFC 4294 (IPv6 Node Requirements) mandates IPsec, including support
> for RFC 4301 (IPsec), RFC 4302 (ESP) and RFC 4303 (AH).
>
> Support for RFC 4305 (crypto algorithms supported) is only a "should",
> but support for NULL, 3DES-CBC, AES-128-CBC and HMAC-SHA-1-96 are
> "must".
>
> I'm no expert -- just a guy who can type "IPv6 IPsec mandatory" into a
> search engine and follow up references.
A lot of people who are using the RFC-1918 private address spaces
couldn't care less about IPv6. I have ONE valid IP address on the
public side of my router. Everything else is 192.168.1.X. If Comcast
implements IPv6, and they haven't said a word to their customers about
it yet, we may have to get a new router but I doubt that anything else
will change. I certainly don't want the Internet to have access to my
systems, now or ever.