[ipv6hackers] SEND implementation Patent
Douglas Otis
dotis at mail-abuse.org
Wed Mar 14 18:36:57 CET 2012
On 3/13/12 6:28 PM, Fernando Gont wrote:
> On 03/13/2012 05:15 AM, Ahmad Sadeh wrote:
> > RFC 3972: http://tools.ietf.org/html/rfc3972 is proposed by T.
> > Aura, Microsoft Research, and one of the authors of
> >
> > RFC 3971 http://tools.ietf.org/html/rfc3971 (B. Zill) is from
> > Microsoft.
> >
> > But why does Microsoft not implement SEND? As we can find at
> > http://technet.microsoft.com/en-us/library/bb726956.aspx
>
> Because with other unsecured pieces, such as the DNS, SEND does not
> really make sense?
Dear Fernando,
Clearly enhanced security is needed and should be much cheaper as part
of the OS rather than specialized network equipment. For example, Apple
uses TSIG/mDNS/kerberos to support Back to My Mac. Perhaps adoption of
DANE/DNSSEC will enable CA alternatives, making SeND more attractive.
> Also, because many other systems do not implement it, either, so it
> doesn't pay much to be the first to do so?
When typical corporate LANs contain compromised systems, additional
efforts independent of IPv6 are required. Although Intra-Site Automatic
Tunnel Addressing Protocol (ISATAP) and Teredo provide IPv6 connectivity
between hosts separated by IPv4 infrastructure, this tends to degrade
security. Nevertheless, IPv6 can be leveraged to establish end-to-end
security as demonstrated by various schemes such as DirectAccess or
BTMM. Instead of using shared secrets or SSL certs, SeND can offer a
"standard" deployment vehicle.
The challenge for such deployment is to also have local methods able to
endure disruptions. IEEE 802.1X-based authentication at the link layer
or TSIG/mDNS/kerberos could be fall-backs. Having such services bundled
into a $49 corporate-grade offering could represent the beginnings of a sea
change.
Regards,
Douglas Otis