[Info-vax] "Linux Shminux - IPsec is Snake Oil!" VMS Mgmnt

jbriggs444 at gmail.com jbriggs444 at gmail.com
Mon Apr 13 11:43:58 EDT 2009


On Apr 13, 9:33 am, Jan-Erik Söderholm <jan-erik.soderh... at telia.com>
wrote:
> jbriggs... at gmail.com wrote:
> > On Apr 10, 7:52 am, "Steven Underwood" <nob... at spamcop.net> wrote:
> >> <p... at peut.org> wrote in message
>
> >>news:2351d6bb-2098-4f42-b2f9-3929df9862d3 at a7g2000yqk.googlegroups.com...
>
> >>> As I understand it, IPsec is supposed to be integral part of IPv6.
> >>> The discussion if you really need all that is moot, there will come a
> >>> moment
> >>> in time you will have to have it.
> >> OK, Do you have any plans to move to IPv6?  I know we are currently planning
> >> to add another office to our AD domain and as such are going to be redoing
> >> their IP range.  There is no plan to do this to IPv6 standards.  We will be
> >> using IPv4 10.x.x.x ranges.  My Vista laptop has an IPv6 address but none of
> >> my other network equipment does.
>
> >> At my last position, when I started, they had all machines configured with
> >> public IP's.  With all the security built into IPv6, is it going to be
> >> accepted that it is now safe to do that again?  I highly doubt it... that
> >> security model is difficult to explain to the PHB's of the world and
> >> difficult to manage/control.  A firewall is fairly easy to explain.
>
> >> Back to the VMS specific issues... Something I have been wondering... since
> >> IPsec is supposed to be an integral part of IPv6, is it already implemented
> >> on IPv6, even if not annunciated on the roadmap (that started this
> >> discussion) so people who need IPsec can simply convert to IPv6 and be
> >> covered?
>
> > RFC 4294 (IPv6 Node Requirements) mandates IPsec, including support
> > for RFC 4301 (IPsec), RFC 4302 (ESP) and RFC 4303 (AH).
>
> > Support for RFC 4305 (crypto algorithms supported) is only a "should",
> > but support for NULL, 3DES-CBC, AES-128-CBC and HMAC-SHA-1-96 are
> > "must".
>
> > I'm no expert -- just a guy who can type "IPv6 IPsec mandatory" into a
> > search engine and follow up references.
>
> I've got the impression that IPv6 was mainly to handle the
> lack of address ranges in IPv4. But during the recent years
> NAT networks with private IP address ranges such as 10.x.x.x or
> 192.168.x.x have mostly "solved" that problem, not?

If you follow the ARIN-ppml (ARIN public policy mailing list), concern
about IPv4 address space exhaustion is very much an active topic.  NAT
buys a lot.  But some providers have already deployed two layers of
NAT in order to leverage their allocated space and provide access for
their customers.

http://en.wikipedia.org/wiki/IPv4_address_exhaustion:

"Apart from enforcing long-standing assignment rules, there is no
significant effort to conserve the remaining IPv4 addresses.
Consequently, it is expected that IANA will first run out permanently
in early 2011, and then the RIRs in early 2012, and subsequently LIRs"

IANA = Internet Assigned Numbers Authority
RIRs = Regional Internet Registrars (e.g. ARIN, APNIC and RIPE)

The way I see it, it's the startup companies and second/third tier
ISPs who need transportable address space in order to have redundant
Internet access that are going to be hit by this first.  They can't go
to an ISP for address space.  They have to go to a registrar.

Consumers using a single dynamic IP behind a household NAT device are
comparatively easy to take care of with double-NAT, IPv6 tunnels and
the like.
