[ipv6hackers] opportunistic encryption in IPv6

Jim Small jim.small at cdw.com
Wed Jun 12 16:30:03 CEST 2013


Hi Eugen,

> > Going back to the roots of IPv6 - the end-to-end principle, wouldn't
> > it make more sense to just do OE at the endpoint?  That seems to have
> > the highest
> 
> If we want to increase deployment rate, it should be easier in the residential
> or enterprise firewall (e.g. rolling it into OpenWRT or pfSense).

I see where you're going, but from reviewing the proposal it would seem to require setup on the endpoint.  If setup is required, why not just do OE from the endpoint?  I don't see how a gateway is making it easier in this case - if anything it seems like the gateways add more complexity.

> Not sure whether NAT is still prevalent in IPv6 deployments -- if it's running
> as an IPv6 router/firewall instead of NAT you'll probably have to handle OE at
> host level? That would pretty much kill it.
> 
> > chance of adoption.  If Owen and I want to do OE we just enable it on
> > our
> 
> Is this the BTNS approach, or do you need PKI or DNS access for it to work?
> IPv4 or IPv6, or both?

BTNS - you could do for either v4 or v6 but I was thinking v6 with CGAs.

> > Linux hosts and away we go.  Do you think there is interest/demand for
> > an OE gateway solution as described in the paper?
> 
> I'm reasonably sure that there is a potentially huge demand for passive
> attack protection for end users

For savvy end users I believe there would be an interest in OE.

> and enterprises.

Based on my experience in the US market, there would be little interest in OE for the (American) enterprise space.  If an enterprise is going to do something with security, authentication must be a component.  The other factor that you may not have considered is supportability.  By enabling OE, I'm adding complexity and potential problems.  It makes things harder to troubleshoot.  It's also possible it could break some communications.  I'm not convinced the value is sufficient to justify the increased support/troubleshooting requirements.

> If this could be package-
> ready for Linux or FreeBSD then eventual deployment numbers could be
> considerable.

For OE at the host level I agree.  For the gateway solution I'm not so sure.

--Jim
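The "v6 with CGAs" Jim mentions are Cryptographically Generated Addresses (RFC 3972): the interface identifier is derived from a hash of the host's public key, so a peer can check that whoever holds the key also "owns" the address without any PKI or DNS lookup, which is what makes it a fit for BTNS-style opportunistic encryption. The following is an added example, not code from the post or from any OE implementation; it generates and verifies a CGA following the RFC 3972 steps. PUBKEY is a constructed stand-in (a real CGA hashes the DER-encoded SubjectPublicKeyInfo of the host key), and the prefix is a documentation prefix chosen for the example.

```python
"""RFC 3972 Cryptographically Generated Addresses: generation and verification.

Added example (not from the ipv6hackers post). The public key and prefix are
constructed stand-ins chosen for the example.
"""
import hashlib
import ipaddress
from typing import Optional, Tuple

# Constructed stand-in for the DER-encoded public key; the CGA algorithm treats it as opaque bytes.
PUBKEY = b"constructed-stand-in-for-DER-SubjectPublicKeyInfo:" + bytes(range(64))

# When comparing Hash1 with the interface identifier, RFC 3972 ignores bits 0-2
# (where sec is stored) and bits 6-7 (the u/g bits) of the first octet.
_IID_MASK = bytes([0x1C]) + bytes([0xFF]) * 7


def _hash2(modifier: bytes, pubkey: bytes) -> bytes:
    """Hash2: leftmost 112 bits of SHA-1(modifier || 9 zero octets || public key)."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _hash1(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    """Hash1: leftmost 64 bits of SHA-1(modifier || subnet prefix || collision count || public key)."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def _leading_bits_zero(data: bytes, nbits: int) -> bool:
    """True when the nbits leftmost bits of data are all zero (nbits == 0 is trivially true)."""
    if nbits == 0:
        return True
    return (int.from_bytes(data, "big") >> (len(data) * 8 - nbits)) == 0


def _masked(iid: bytes) -> bytes:
    return bytes(a & m for a, m in zip(iid, _IID_MASK))


def cga_sec(address) -> int:
    """The sec parameter is carried in the three leftmost bits of the interface identifier."""
    return ipaddress.ip_address(address).packed[8] >> 5


def generate_cga(prefix: str, pubkey: bytes, sec: int, modifier: Optional[bytes] = None,
                 collision_count: int = 0) -> Tuple[ipaddress.IPv6Address, bytes, int]:
    """Return (address, modifier, collision_count) for a /64 prefix and a public key.

    sec (0..7) is the hash-extension work factor: the 16*sec leftmost bits of Hash2
    must be zero, so generation (and any brute-force attack) costs about 2**(16*sec)
    hashes per attempt. The caller bumps collision_count (max 2) after a DAD collision.
    A random 128-bit modifier is what RFC 3972 prescribes; a fixed one is accepted here
    only so the example is reproducible.
    """
    if not 0 <= sec <= 7 or not 0 <= collision_count <= 2:
        raise ValueError("sec must be 0..7 and collision_count 0..2")
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("CGA needs a /64 subnet prefix")
    prefix_bytes = net.network_address.packed[:8]

    # Step 1-2: pick a modifier and increment it until Hash2 has 16*sec leading zero bits.
    m = int.from_bytes(modifier if modifier is not None else __import__("os").urandom(16), "big")
    while True:
        mod_bytes = m.to_bytes(16, "big")
        if _leading_bits_zero(_hash2(mod_bytes, pubkey), 16 * sec):
            break
        m = (m + 1) & ((1 << 128) - 1)

    # Step 4-6: Hash1 becomes the interface identifier, with sec written into bits 0-2
    # and the u/g bits (6-7) cleared.
    iid = bytearray(_hash1(mod_bytes, prefix_bytes, collision_count, pubkey))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return ipaddress.IPv6Address(prefix_bytes + bytes(iid)), mod_bytes, collision_count


def verify_cga(address, modifier: bytes, collision_count: int, pubkey: bytes) -> bool:
    """RFC 3972 section 5 verification: does this address bind to this key and modifier?"""
    if collision_count not in (0, 1, 2):
        return False
    addr = ipaddress.ip_address(address)
    if not isinstance(addr, ipaddress.IPv6Address):
        return False
    prefix_bytes, iid = addr.packed[:8], addr.packed[8:]
    sec = iid[0] >> 5
    if _masked(_hash1(modifier, prefix_bytes, collision_count, pubkey)) != _masked(iid):
        return False
    return _leading_bits_zero(_hash2(modifier, pubkey), 16 * sec)


def generate_example() -> Tuple[ipaddress.IPv6Address, bytes, int]:
    """Deterministic sec=1 CGA under a documentation prefix (about 2**16 hashes to find)."""
    return generate_cga("2001:db8:1:2::/64", PUBKEY, sec=1, modifier=bytes(16))


if __name__ == "__main__":
    addr, mod, cc = generate_example()
    print("CGA:", addr, "sec:", cga_sec(addr), "modifier:", mod.hex())
    print("verifies with own key:", verify_cga(addr, mod, cc, PUBKEY))
    print("verifies with another key:", verify_cga(addr, mod, cc, PUBKEY + b"x"))
```

The verifier never contacts a directory: the address, modifier, collision count and key all travel with the peer (RFC 3972 carries them in CGA option fields), which is why the scheme needs neither PKI nor DNS. What it does not give you is any statement about who the key holder is, which is exactly the authentication gap Jim raises for the enterprise case; a CGA only proves address ownership, and sec merely makes brute-forcing a colliding address more expensive.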
