On Sat, 2011-01-08 at 11:27 -0700, James McKenzie wrote:
> On 1/8/11 11:16 AM, Michael H. Warfield wrote:

- snip -

> > Oh lord WHY can we NOT make this myth go away?!?! The IPv6 spec does NOT mandate the USE of IPsec. It only mandates the SUPPORT of IPsec. To be IPv6 compliant you must support it. You do NOT have to use it. The IETF has tried to be very clear on this and I've sat in on some of the working groups discussing it. I've been on the global IPv6 network for over a decade now and not used IPsec on IPv6. I've used IPsec on IPv4 (and I'm a code contributor to the Openswan project) to help facilitate IPv6 tunnels over firewalls and broken (redundant) NAT gateways. I can use IPsec on IPv6 and, if I use IKE2, I can even tunnel IPv6 directly on IPv4 in ESP (with version 1 IKE you have to use SIT on top of ESP in order to tunnel IPv6 on IPv4 through IPsec). But, I don't need to so I don't. You don't have to use IPsec.

> You had better tell that to (ISC)2 as it is a question on their CISSP exam.

Great. It always comes down to wording and, as much as everyone at the IETF tries to be precise, to the extent of even defining the terms "must", "should", "must not" and "should not" in almost every document, still things get misinterpreted. If the wording of that question says you "must use IPsec on IPv6" or "IPv6 mandates the use of IPsec", then they are dead wrong. If they say it is recommended or you should, then they have some wiggle room in that it's a "should" recommendation but not mandatory and almost nobody does. It's a "must" requirement to support it. It "must" be available in the network stack or you are not compliant (Linux is). They can get away with saying it's recommended or you should use it. If they say it's a mandatory requirement TO USE (not just to support) then they are wrong. I'll mention it to a few people I know who are in a better position to deal with that. Honestly, it's not even possible.
The problem is the thorny issue of key management. If you don't have any mechanism for exchanging keys between previously unknown parties (what we refer to as "opportunistic encryption") then what good does it do you? In FreeS/WAN (now Openswan and StrongSWAN) there was an effort to do opportunistic encryption by exchanging public keys over DNS. Ever see any IPsec keys in DNS? It's not pretty and it's a royal PITA to manage. I asked our DNS administrators to add some KEY RRs to our zone a while back and they looked at me like I grew three heads. There have been other proposals since, even recently with the advent of DNSsec. Still, there's no universally accepted mechanism to crack that nut.

> James McKenzie

Regards,
Mike
-- 
Michael H. Warfield (AI4NB)   | (770) 985-6132 | mhw@xxxxxxxxxxxx
   /\/\|=mhw=|\/\/            | (678) 463-0932 | http://www.wittsend.com/mhw/
   NIC whois: MHW9            | An optimist believes we live in the best of all
 PGP Key: 0x674627FF          | possible worlds.  A pessimist is sure of it!
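To make concrete what those "IPsec keys in DNS" from the FreeS/WAN era looked like, here is an added example (not part of the thread, and not FreeS/WAN or Openswan code) that decodes a KEY RR in presentation form using the RFC 2535 flag and protocol fields and the RFC 2537/3110 RSA public key layout. The sample record is constructed: the flags/protocol/algorithm values follow the FreeS/WAN host-key convention (0x4200 4 1), but the key material is a dummy 128-bit modulus, so nothing here is a real key.

```python
import base64

# RFC 2535 KEY RR field tables (protocol octet and 16-bit flag sub-fields).
PROTOCOLS = {0: "reserved", 1: "TLS", 2: "email", 3: "DNSSEC", 4: "IPSEC", 255: "all"}
AC_TYPES = {0: "auth+confidentiality", 1: "no-auth", 2: "no-confidentiality", 3: "null-key"}
NAME_TYPES = {0: "user", 1: "zone", 2: "host", 3: "reserved"}
ALGORITHMS = {1: "RSA/MD5", 2: "Diffie-Hellman", 3: "DSA", 5: "RSA/SHA-1"}

def rsa_public_key_fields(blob: bytes):
    """Split an RFC 2537/3110 RSA public key blob into (exponent, modulus bits).
    The first octet is the exponent length; 0 means the next two octets hold it."""
    if blob[0] != 0:
        elen, off = blob[0], 1
    else:
        elen, off = int.from_bytes(blob[1:3], "big"), 3
    exponent = int.from_bytes(blob[off:off + elen], "big")
    modulus = blob[off + elen:]
    return exponent, len(modulus) * 8

def parse_key_rr(rdata: str):
    """Decode the presentation form '<flags> <protocol> <algorithm> <base64...>'."""
    flags_txt, proto_txt, alg_txt, *b64 = rdata.split()
    flags = int(flags_txt, 0)            # accepts 0x4200 as well as decimal
    proto, alg = int(proto_txt), int(alg_txt)
    blob = base64.b64decode("".join(b64))
    info = {
        "flags": flags,
        "ac": AC_TYPES[(flags >> 14) & 0x3],           # bits 0-1 (MSB first)
        "name_type": NAME_TYPES[(flags >> 8) & 0x3],   # bits 6-7
        "protocol": PROTOCOLS.get(proto, f"unknown({proto})"),
        "algorithm": ALGORITHMS.get(alg, f"unknown({alg})"),
        "usable_for_ipsec": proto in (4, 255),
    }
    if alg in (1, 5):                    # RSA variants share the 2537/3110 layout
        info["rsa_exponent"], info["rsa_modulus_bits"] = rsa_public_key_fields(blob)
    return info

# Constructed sample: FreeS/WAN-style host key (0x4200 = host key, not for
# DNSSEC authentication), protocol 4 (IPSEC), algorithm 1 (RSA/MD5), with
# exponent 65537 and a dummy 16-byte modulus so the example runs offline.
SAMPLE_BLOB = b"\x03\x01\x00\x01" + bytes(range(1, 17))
SAMPLE_RR = "0x4200 4 1 " + base64.b64encode(SAMPLE_BLOB).decode()

if __name__ == "__main__":
    for k, v in parse_key_rr(SAMPLE_RR).items():
        print(f"{k:>18}: {v}")
```

Run against the sample it reports a host key, prohibited for DNS authentication, for protocol IPSEC with a 128-bit RSA modulus; feeding it a real zone's KEY record shows the same fields an administrator would have had to get right by hand.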