Re: [IPsec] Difference between IPv4 and IPv6 IPsec
On Sun, Oct 11, 2009 at 6:15 PM, Yoav Nir wrote:
> Hi Hui
>
> I think there is very little difference between IPv4 and IPv6 as regards to
> IPsec. See below
>
> On Oct 11, 2009, at 9:50 AM, Hui Deng wrote:
>
>> Dear IPsec folks,
>>
>> May I get advice about the difference between them:
>> 1) IPv4 doesn't mandate the support IPsec, IPv6 also doesn't mandate
>> it based on RFC?
>
> IPv4 does not mandate it, because IPv4 predates IPsec. RFC 4294 says in
> section 8.1:
>
>    Security Architecture for the Internet Protocol [RFC-4301] MUST be
>    supported.
>
>> 2) Most IPv4 hosts have (Linux, BSD, Windows) by default implemented
>> IPsec (IKE), but don't launch it, need more configuration?
>> Most IPv6 hosts haven't by default implemented IPsec (IKE), it need
>> further download and configuration?
>
> IPv6 hosts, like IPv4 hosts, run Linux, BSD, Windows or some other OS. With
> most of them, the latest versions support IPv6 for IKE and IPsec.

I guess we do not need tunnel model for IPv6 ipsec?

>
>> 3) IPv4 IPsec need traversal NAT, but IPv6 don't need it, so it could
>> support more about end to end other than site to site.
>
> That is assuming that IPv6 does not have NAT. I don't think we have enough
> implementation experience to say that for sure.

Can it be at least considered one advantage of IPv6 IPSEC?

Another point is:
"One possible advantage for IPv6 IPsec is that IPv6’s extension header chaining feature, which is not present in IPv4, could be used to authenticate a secure host-to-host scenario exchange to a third party gateways which would provide authorized access into and out of secure enclaves".
-quote from http://www.commandinformation.com/blog/?p=98.

Is this valid? Thanks for discussion.

>
>> 4) IPv6 IPsec support is based on extension header which is different
>> from IPv4, it may more closer to the kernel level implementation.
>
> I don't see why this would necessarily be true.
>
>>
>> thanks for the discussion.
>> best regards,
>>
>> -Hui
>
> ___
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
Re: [IPsec] Difference between IPv4 and IPv6 IPsec
On Thu, Oct 15, 2009 at 1:50 AM, Khan, Fayyaz wrote:
>
> I would also add a few cents.
>
> At 11:29 PM +0800 10/14/09, Zhen Cao wrote:
>>O...
>> > IPv6 hosts, like IPv4 hosts, run Linux, BSD, Windows or some other OS. With
>> > most of them, the latest versions support IPv6 for IKE and IPsec.
>>
>>I guess we do not need tunnel model for IPv6 ipsec?
>
>>what makes you say that? Tunnel mode is still needed for SG-SG SAs,
>>or host-SG SAs.
>
> Also tunnel mode will still be required for IPv6 to 4 tunnels as long as
> IPv4 addresses exist and IPv6 nodes need to be interoperable with them.
>

I thought transport mode is enough for all requirements...I must be wrong.

Thanks.
Re: [IPsec] Traffic visibility - consensus call
Yes to both.

Zhen
China Mobile

On Tue, Jan 5, 2010 at 6:27 AM, Yaron Sheffer wrote:
> Hi,
>
> We have had a few "discusses" during the IESG review of the WESP draft. To
> help resolve them, we would like to reopen the following two questions to WG
> discussion. Well reasoned answers are certainly appreciated. But plain "yes"
> or "no" would also be useful in judging the group's consensus.
>
> - The current draft (
> http://tools.ietf.org/html/draft-ietf-ipsecme-traffic-visibility-11)
> defines the ESP trailer's ICV calculation to include the WESP header. This
> has been done to counter certain attacks, but it means that WESP is no
> longer a simple wrapper around ESP - ESP itself is modified. Do you support
> this design decision?
>

Yes, we need to protect the message integrity while offering traffic visibility.

>
> - The current draft allows WESP to be applied to encrypted ESP flows, in
> addition to the originally specified ESP-null. This was intended so that
> encrypted flows can benefit from the future extensibility offered by WESP.
> But arguably, it positions WESP as an alternative to ESP. Do you support
> this design decision?
>

Yes, future extensibility is a feature that will benefit traffic control for operators and other entities.

> Thanks,
> Yaron
Re: [IPsec] [HOKEY] New VersionNotification for draft-nir-ipsecme-erx-03.txt
+1
Willing to see this work progress.

Thanks,
Zhen

On Wed, May 9, 2012 at 9:56 AM, Qin Wu wrote:
> +1
> I support this work and would love to see this document progress fast.
>
> Regards!
> -Qin
> - Original Message -
> From: "Tero Kivinen"
> To: "Yoav Nir"
> Cc: "IPsecme WG" ;
> Sent: Friday, May 04, 2012 8:16 PM
> Subject: Re: [IPsec] New VersionNotification for draft-nir-ipsecme-erx-03.txt
>
>
>> Yoav Nir writes:
>>> So if any of you are interested, and are willing to review, please
>>> let us know.
>>
>> I am willing to review.
>> --
>> kivi...@iki.fi
> ___
> HOKEY mailing list
> ho...@ietf.org
> https://www.ietf.org/mailman/listinfo/hokey

--
Best regards,
Zhen