Re: [IPsec] Difference between IPv4 and IPv6 IPsec

From: Khan, Fayyaz <Fayyaz_Khan_at_nospam>
Date: Wed Oct 14 2009 - 17:50:02 GMT
To: "Stephen Kent" <kent@bbn.com>, "Zhen Cao" <caozhenpku@gmail.com>


I would also add a few cents.

At 11:29 PM +0800 10/14/09, Zhen Cao wrote:
> > IPv6 hosts, like IPv4 hosts, run Linux, BSD, Windows or some other OS. With
> > most of them, the latest versions support IPv6 for IKE and IPsec.
>I guess we do not need tunnel mode for IPv6 ipsec?

>What makes you say that? Tunnel mode is still needed for SG-SG SAs,
>or host-SG SAs.

Also tunnel mode will still be required for IPv6 to 4 tunnels as long as IPv4 addresses exist and IPv6 nodes need to be interoperable with them.

>>> 3) IPv4 IPsec need traversal NAT, but IPv6 don't need it, so it
>>> support more about end to end other than site to site.
> >
>> That is assuming that IPv6 does not have NAT. I don't think we have
>> implementation experience to say that for sure.
>Can it be at least considered one advantage of IPv6 IPSEC?

>Not really.

Further motivations for NAT in IPv6 include the need for private networks, i.e. a company wants to have only one machine communicate with the external world, so every computer on that private network goes through that single machine.

Also, the cost of owning a live IP vs. hosting a private network behind a single live IP would still be attractive, even for security reasons too.

>Another point is: "One possible advantage for IPv6 IPsec is that
>IPv6's extension header chaining feature, which is not present in
>IPv4, could be used to authenticate a secure host-to-host scenario
>exchange to a third party gateways which would provide authorized
>access into and out of secure enclaves". -quote from
>http://www.commandinformation.com/blog/?p=98. Is this valid?

>I think that is an unlikely scenario, if only due to key management

IPsec mailing list