[ipv6hackers] opportunistic encryption in IPv6

Eugen Leitl eugen at leitl.org
Wed Jun 12 12:32:32 CEST 2013


On Wed, Jun 12, 2013 at 03:46:31AM +0000, Jim Small wrote:

> I read this again and I apologize for missing the bus.  So the basic idea
> is how to provide scalable confidentiality to prevent passive eavesdropping.

Correct.

> Going back to the roots of IPv6 - the end to end principle, wouldn't it make
> more sense to just do OE at the endpoint?  That seems to have the highest

If we want to increase deployment rate, it should be easier in the
residential or enterprise firewall (e.g. rolling it into OpenWRT or pfSense).
Not sure whether NAT is still prevalent in IPv6 deployments --
if it's running as an IPv6 router/firewall instead of NAT 
you'll probably have to handle OE at host level? That would pretty
much kill it.

> chance of adoption.  If Owen and I want to do OE we just enable it on our

Is this the BTNS approach, or do you need PKI or DNS access for it to work?
IPv4 or IPv6, or both?

> Linux hosts and away we go.  Do you think there is interest/demand for an OE
> gateway solution as described in the paper?

I'm reasonably sure that there is a potentially huge demand for 
passive attack protection for end users and enterprises. If this
could be package-ready for Linux or FreeBSD then eventual deployment
numbers could be considerable.


