[ipv6hackers] opportunistic encryption in IPv6

Jim Small jim.small at cdw.com
Tue Jun 11 15:55:34 CEST 2013


> >> Vs. this paper, I think that opportunistic IPSEC, ala Micr0$0ft's
> >> "direct-connect" or whatever they call it product is quite a bit more viable.
> >> It depends on AD as a PKI distribution mechanism for authentication.
> >
> > DirectAccess is neat - but it's not exactly a breakthrough.  DA is just a
> > service based (aka UNIX/Linux daemon) IPv6 IPsec VPN with good
> > provisioning and automatic IPv4 tunneling.  It's essentially a nice packaging of
> > certificate-based IPsec leveraging Windows Active Directory provisioning.
> 
> But doesn't that amount to opportunistic encryption once it is implemented?
> As I understand it, any host pair within the AD domain will establish an IPv6
> IPSEC SA bidirectionally and send all traffic for the other host through that
> channel (IPv4 and IPv6) rather than in clear text.

Not exactly.  DA is essentially a transparent VPN that always connects a mobile user to corporate.  Microsoft can allow any to any VPNs within an AD domain but that's more along the lines of what they call domain isolation.

> Doesn't that pretty well define "opportunistic encryption"? What am I
> missing?

This is great within a single administrative domain.  But it's not a solution for two independent organizations that want to secure traffic with each other.  My impression was that's the point of the paper.

--Jim