[ipv6hackers] SEND implementation Patent

Douglas Otis dotis at mail-abuse.org
Wed Mar 14 18:36:57 CET 2012

On 3/13/12 6:28 PM, Fernando Gont wrote:
>  On 03/13/2012 05:15 AM, Ahmad Sadeh wrote:
> > RFC 3972: http://tools.ietf.org/html/rfc3972 is proposed by T.
> > Aura, Microsoft Research and one of authors for
> >
> > RFC 3971 http://tools.ietf.org/html/rfc3971 (B. Zill ) from
> > Microsoft.
> >
> > But, why Microsoft does not implement SEND? as we can find
> > http://technet.microsoft.com/en-us/library/bb726956.aspx
>  Because with other unsecured pieces, such as the DNS, SEND does not
>  really make sense?

Dear Fernando,

Clearly enhanced security is needed and should be much cheaper as part 
of the OS rather than specialized network equipment.  For example, Apple 
uses TSIG/mDNS/kerberos to support Back to My Mac.  Perhaps adoption of 
DANE/DNSSEC will enable CA alternatives making SeND more attractive.

>  Also, because many other systems do not implement it, either, so it
>  doesn't pay much to be the first to do so?

When typical corporate LANs contain compromised systems, additional 
efforts independent of IPv6 is required. Although Intrasite Automatic 
Tunnel Addressing Protocol (ISATAP) and Teredo provide IPv6 connectivity 
between hosts separated by IPv4 infrastructure, this tends to degrade 
security.  Nevertheless, IPv6 can be leveraged to establish end-to-end 
security as demonstrated by various schemes such as DirectAccess or 
BTMM.  Instead of using shared secrets or SSL certs, SeND can offer a 
"standard" deployment vehicle.

The challenge for such deployment is to also have local methods able to 
endure disruptions. IEEE 802.1X-based authentication at the link layer 
or TSIG/mDNS/kerberos could be fall-backs.  Having such services bundled 
into a $49 corporate grade offering could represent beginnings of a sea 

Douglas Otis

More information about the Ipv6hackers mailing list