I'm not a security guru, and will step aside instantly if someone with those 
credentials says I'm wrong. However, from my perspective, the assertion that 
IPv6 had any security properties that differed from IPv4 *at*all* has never 
made any sense. It is essentially a marketing claim, and - well, we all have 
marketing departments.

From my perspective - this is what I am saying in the Smart Grid world and 
related places - security is a matter of reducing the probability and 
effectiveness of a set of threats to an acceptable level at an acceptable 
cost. In a network, it starts out with three questions:

  - why do you have access to my [local or network] bandwidth
  - why is your machine talking with my machine
  - why is your application talking with my application

For the application, there are at least two more:
  - why should I <listen to>/<act on>/<divulge to you> what you say
  - How do I know that this message is really from you and is really what you 
said? In some cases, how will I know next week?

There are also the questions of 
  - obfuscation or encryption, at the application or network layers, 
  - diagnostic tools such as intrusion management
  - attack management tools like uRPF or BGP filters

Reasonable solutions for addressing the questions include (and are obviously 
not limited to)
  - IEEE 802.1X + EAP-TLS on a LAN, and a firewall on a network
  - IPsec AH or ESP-NULL
  - TLS and friends
  - Application-specific procedures like user-specific credentials
  - DKIM and W3C XML signatures
plus
  - various encryption services include IPsec ESP, SSH, and so on
  - lots of proprietary tools for intrusion management
  - various operational tools for dealing with DDoS etc

IPsec was designed for IPv4 and IPv6; it is either a shim header (IPv4) or one 
of the extension headers (IPv6). Most IPv4 and IPv6 implementations I know of 
support it, and have for a long time. Yes, the Node Requirements document makes 
a statement about IPv6 implementations and IPsec that isn't made regarding 
IPsec/IPv4; as a practical matter, folks that have it implemented for one 
generally have it for the other.

In the scope of things, why does having one out of the many needed tools make 
IPv6 different than IPv4, especially given that the indicated tool is present 
in both IPv4 and IPv6 implementations?

Scratch-a-my-head. I don't see it.
_______________________________________________
Ietf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf
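
Added example, not part of the original message: a small parser showing that AH and ESP carry the same protocol numbers (51 and 50) whether they follow an IPv4 header or sit in an IPv6 extension-header chain. The function names, addresses and SPI values are hypothetical, and the packets are constructed for illustration.

```python
import struct

# The IPv4 Protocol field and the IPv6 Next Header field share one IANA registry.
ESP, AH = 50, 51
V6_EXT = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options
FRAGMENT = 44

def find_ipsec(packet: bytes):
    """Return (ip_version, 'AH' | 'ESP' | None, SPI | None) for a raw IP packet."""
    version = packet[0] >> 4
    if version == 4:
        offset, proto = (packet[0] & 0x0F) * 4, packet[9]   # IHL words, Protocol
    elif version == 6:
        offset, proto = 40, packet[6]                       # fixed header, Next Header
        while proto in V6_EXT or proto == FRAGMENT:
            nxt = packet[offset]
            if proto == FRAGMENT:
                if struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
                    return version, None, None   # non-first fragment: no header follows
                offset += 8
            else:
                offset += (packet[offset + 1] + 1) * 8      # Hdr Ext Len in 8-byte units
            proto = nxt
    else:
        raise ValueError("not an IP packet")
    if proto == AH:    # AH: next header, length, reserved(2), SPI(4), sequence(4)
        return version, "AH", struct.unpack_from("!I", packet, offset + 4)[0]
    if proto == ESP:   # ESP: SPI(4), sequence(4), then protected payload
        return version, "ESP", struct.unpack_from("!I", packet, offset)[0]
    return version, None, None

def sample_packets():
    """Constructed packets: documentation addresses, made-up SPIs, zeroed payloads."""
    esp = struct.pack("!II", 0x1001, 1) + bytes(16)
    ah = struct.pack("!BBHII", 6, 4, 0, 0x2002, 1) + bytes(12)
    def v4(proto, body):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                           proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + body
    def v6(next_header, body):
        src = bytes.fromhex("20010db8" + "00" * 11 + "01")
        dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
        return struct.pack("!IHBB16s16s", 0x60000000, len(body),
                           next_header, 64, src, dst) + body
    hop_by_hop = bytes([ESP, 0, 1, 4, 0, 0, 0, 0])   # next=ESP, one PadN option
    return [v4(ESP, esp), v4(AH, ah), v6(AH, ah), v6(0, hop_by_hop + esp)]

if __name__ == "__main__":
    for pkt in sample_packets():
        print(find_ipsec(pkt))
```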