ipsec October 2009 archive

Re: [IPsec] Difference between IPv4 and IPv6 IPsec

From: Zhen Cao <caozhenpku_at_nospam>
Date: Wed Oct 14 2009 - 15:29:17 GMT
To: Yoav Nir <ynir@checkpoint.com>

On Sun, Oct 11, 2009 at 6:15 PM, Yoav Nir <ynir@checkpoint.com> wrote:
> Hi Hui
> I think there is very little difference between IPv4 and IPv6 as regards to
> IPsec. See below
> On Oct 11, 2009, at 9:50 AM, Hui Deng wrote:
>> Dear IPsec folks,
>> May I get advice about the difference between them:
>> 1) IPv4 doesn't mandate the support of IPsec, IPv6 also doesn't mandate
>> it based on RFC?
> IPv4 does not mandate it, because IPv4 predates IPsec. RFC 4294 says in
> section 8.1:
>    Security Architecture for the Internet Protocol [RFC-4301] MUST be
>    supported.
>> 2) Most IPv4 hosts have(Linux, BSD, Windows) by default implemented
>> IPsec(IKE), but don't launch it, need more configuration?
>>    Most IPv6 hosts haven't by default implemented IPsec(IKE), it need
>> further download and configuration?
> IPv6 hosts, like IPv4 hosts, run Linux, BSD, Windows or some other OS. With
> most of them, the latest versions support IPv6 for IKE and IPsec.

I guess we do not need tunnel model for IPv6 ipsec?

>> 3) IPv4 IPsec need traversal NAT, but IPv6 don't need it, so it could
>> support more about end to end other than site to site.
> That is assuming that IPv6 does not have NAT. I don't think we have enough
> implementation experience to say that for sure.

Can it be at least considered one advantage of IPv6 IPSEC?

Another point is: "One possible advantage for IPv6 IPsec is that IPv6's extension header chaining feature, which is not present in IPv4, could be used to authenticate a secure host-to-host scenario exchange to a third party gateways which would provide authorized access into and out of secure enclaves". -quote from http://www.commandinformation.com/blog/?p=98. Is this valid?

Thanks for discussion.

>> 4) IPv6 IPsec support is based on extension header which is different
>> from IPv4, it may be closer to the kernel level implementation.
> I don't see why this would necessarily be true.
>> thanks for the discussion.
>> best regards,
>> -Hui
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
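
The header layout raised in point 4 of the thread, as an added example that is not part of the original messages: AH (protocol 51) and ESP (protocol 50) use the same numbers in the IPv4 Protocol field and the IPv6 Next Header field, and in IPv6 they are reached by walking the extension header chain. The sample packets, SPI value and function names are constructed for illustration.

```python
import struct

# IANA protocol numbers: one value space shared by the IPv4 "Protocol"
# field and the IPv6 "Next Header" field.
HOPOPT, TCP, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 6, 43, 44, 50, 51, 60
V6_CHAINABLE = {HOPOPT, ROUTING, FRAGMENT, AH, DSTOPTS}
V4_CHAINABLE = {AH}  # in IPv4 only AH carries a readable Next Header field

def _walk(pkt, off, nh, chainable):
    """Follow Next Header values starting at byte offset `off`."""
    chain = [nh]
    while nh in chainable:          # ESP is not chainable: its trailer is encrypted
        if off + 8 > len(pkt):
            raise ValueError("truncated header")
        nxt, length = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:
            size = 8                # fixed size, second byte is reserved
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return chain        # non-first fragment: rest is not a header
        elif nh == AH:
            size = (length + 2) * 4 # AH length is in 32-bit words minus 2
        else:
            size = (length + 1) * 8 # other headers: 8-octet units minus 1
        if off + size > len(pkt):
            raise ValueError("truncated header")
        off, nh = off + size, nxt
        chain.append(nh)
    return chain

def ipv4_chain(pkt):
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return _walk(pkt, (pkt[0] & 0x0F) * 4, pkt[9], V4_CHAINABLE)

def ipv6_chain(pkt):
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    return _walk(pkt, 40, pkt[6], V6_CHAINABLE)

def _ah(nxt):  # constructed 24-byte AH: SPI 0x1000, sequence 1, zeroed 12-byte ICV
    return bytes([nxt, 4, 0, 0]) + struct.pack("!II", 0x1000, 1) + bytes(12)

# Constructed samples with zeroed addresses and payloads.
DST = bytes([AH, 0, 1, 4, 0, 0, 0, 0])  # destination options holding one PadN
SAMPLE_V6 = (struct.pack("!IHBB", 6 << 28, 52, DSTOPTS, 64) + bytes(32)
             + DST + _ah(TCP) + bytes(20))
SAMPLE_V4 = (struct.pack("!BBHHHBBH", 0x45, 0, 60, 0, 0, 64, AH, 0) + bytes(8)
             + _ah(ESP) + bytes(16))

if __name__ == "__main__":
    print("IPv6:", ipv6_chain(SAMPLE_V6))
    print("IPv4:", ipv4_chain(SAMPLE_V4))
```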