Re: IPv6, IPSEC and deep packet inspection

["Kevin Oberman" <oberman () es net>]

> From: "Stephen Sprunk" <stephen () sprunk org>
> Date: Fri, 31 Dec 2004 22:42:17 -0600
> Sender: owner-nanog () merit edu
>
>
> Thus spake <bmanning () vacation karoshi com>
> > as one who has been "bit" by this already - i can say amen to
> > what Rob preacheth...  the hardest part is getting folks up to
> > speed on IPv6 as a threat vector.
>
> Are there any layman-readable presentations or whitepapers out there that
> discuss what _new_ threat vectors IPv6 brings?  Or how firewall or ACL
> tuning might be different?
>
> > Swat teams that can neutralize an IPv4 based flareup in minutes/
> > hours can take days/weeks to contain a v6 channel...
>
> The thing about that is that, if IPv6 is identified as the channel, it's
> still quite possible to shut down IPv6 connectivity until you figure out how
> to fix things.  After all, there's nothing significant out there yet on v6
> that can't be reached with v4...

Stephen,

This may the case in your world, but in mine there are a few major
international research projects that are IPv6 only and I am not in a
position where I can just shut down IPv6 at some spot and assume that
customers won't notice (or at least won't care).
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman () es net                       Phone: +1 510 486-8634