North American Network Operators Group

Re: Another driver for v6?

  • From: Mikael Abrahamsson
  • Date: Wed Oct 29 02:59:34 2008

On Tue, 28 Oct 2008, Steven M. Bellovin wrote:

> Windows 7 will have a cool feature called DirectAccess that "requires
> deploying IPv6 and IPsec".  I know nothing more of this feature than is
> in the article, but if accurate it may create a client-centric demand
> for v6, i.e., desirable new functionality that isn't available on v4.

Microsoft has been at at least two events I've attended and done presentations about a strategy that sounds like what you're talking about.


They claim they will deploy IPv6 in their worldwide enterprise network, do away with central based enterprise firewalls and do host-to-host IPv6+IPSEC, Active Directory based certificates for authentication.

They indicate this as a strategy to do away with VPN clients, so in order to reach your work resources from home you'd need to have some kind of IPv6 connectivity, tunneled or not. You'd then connect to all resources using IPv6 totally transparently to you. All security would be host based.

I am quite impressed by this strategy as it re-implements the end-to-end principle of the Internet that most of us appreciate. I also bought their claim about much improved security and their 5 year long track of no remote exploits like Slammer, when they had to release their emergency patch for that RPC based remote exploit the other week, which kind of broke their streak... :P

Let's hope they can sell this to all the enterprise guys, as I am very tired of all the problems caused by multiple layers of NATs and PAT.

--
Mikael Abrahamsson    email: [email protected]