North American Network Operators Group

Re: IPv6 FAQ

  • From: Valdis . Kletnieks
  • Date: Sun Aug 10 01:34:08 2008

On Fri, 08 Aug 2008 18:53:23 EDT, Deepak Jain said:
>            o Security. With IPv4, IPsec is optional and you need to ask 
> the peer if it supports IPsec. With IPv6, IPsec support is mandatory. By 
> mandating IPsec, we can assume that you can secure your IP communication 
> whenever you talk to IPv6 devices.

The *actual* distinction here is that an implementation can be a fully
compliant IPv4 stack without any code to do IPSEC.  The IPv6 stack is
required to have the code.  Nowhere does it say that it has to be enabled
or configured, with the end result that probably 99.87% of the machines
running IPv6 don't actually have the ability to negotiate an IPSEC connection.

I suspect that in actual usage, it's a wash, because the sites that actually
bother to configure IPSEC for IPv6 do it because they're *already* doing
IPSEC for IPv4.  Does anybody know of an actual production site that actually
does IPSEC for IPv6 but not for IPv4?
