[ipv6hackers] opportunistic encryption in IPv6
jim.small at cdw.com
Tue Jun 11 15:55:34 CEST 2013
> >> Vs. this paper, I think that opportunistic IPSEC, ala Micr0$0ft's
> >> "direct-connect" or whatever they call it product is quite a bit more
> >> It depends on AD as a PKI distribution mechanism for authentication.
> > DirectAccess is neat - but it's not exactly a breakthrough. DA is just a
> > service based (aka UNIX/Linux daemon) IPv6 IPsec VPN with good
> > provisioning and automatic IPv4 tunneling. It's essentially a nice packaging of
> > certificate-based IPsec leveraging Windows Active Directory provisioning.
> But doesn't that amount to opportunistic encryption once it is implemented?
> As I understand it, any host pair within the AD domain will establish an IPv6
> IPSEC SA bidirectionally and send all traffic for the other host through that
> channel (IPv4 and IPv6) rather than in clear text.
Not exactly. DA is essentially a transparent VPN that always connects a mobile user to corporate. Microsoft can allow any-to-any VPNs within an AD domain, but that's more along the lines of what they call domain isolation.
> Doesn't that pretty well define "opportunistic encryption"? What am I
This is great within a single administrative domain. But it's not a solution for two independent organizations that want to secure traffic with each other. My impression was that's the point of the paper.