[ipv6hackers] opportunistic encryption in IPv6

Owen DeLong owend at he.net
Tue Jun 11 21:00:15 CEST 2013 

On Jun 11, 2013, at 06:55 , Jim Small <jim.small at cdw.com> wrote:

>>>> Vs. this paper, I think that opportunistic IPSEC, ala Micr0$0ft's
>>>> "direct- connect" or whatever they call it product is quite a bit more
>> viable.
>>>> It depends on AD as a PKI distribution mechanism for authentication.
>>> 
>>> DirectAccess is neat - but it's not exactly a break through.  DA is just a
>> service based (aka UNIX/Linux daemon) IPv6 IPsec VPN with good
>> provisioning and automatic IPv4 tunneling.  It's essentially a nice packaging of
>> certificate-based IPsec leveraging Windows Active Directory provisioning.
>> 
>> But doesn't that amount to opportunistic encryption once it is implemented?
>> As I understand it, any host pair within the AD domain will establish an IPv6
>> IPSEC SA bidirectionally and send all traffic for the other host through that
>> channel (IPv4 and IPv6) rather than in clear text.
> 
> Not exactly.  DA is essentially a transparent VPN that always connects a mobile user to corporate.  Microsoft can allow any to any VPNs within an AD domain but that's more along the lines of what they call domain isolation.
> 

Interesting. Someone from Micr0$0ft was touting some sort of datacenter-oriented product where all the machines in the datacenter would automatically encrypt all M2M traffic in the manner described above if they shared a common AD domain with appropriate PKI to facilitate it.
I thought they called it Direct Connect or something like that, so perhaps we are talking about different, but similar M$ products?

>> Doesn't that pretty well define "opportunistic encryption"? What am I
>> missing.
> 
> This is great within a single administrative domain.  But it's not a solution for two independent organizations that want to secure traffic with each other.  My impression was that's the point of the paper.

As long as the two domains coordinate authentication (this must occur in order to have functional authentication anyway), I don't see why the DA techniques, if not the actual product, could not be applied.

Owen

More information about the Ipv6hackers mailing list