----- Forwarded message from Jim Small <jim.sm...@cdw.com> -----

Date: Wed, 12 Jun 2013 14:30:03 +0000
From: Jim Small <jim.sm...@cdw.com>
To: IPv6 Hackers Mailing List <ipv6hack...@lists.si6networks.com>
Subject: Re: [ipv6hackers] opportunistic encryption in IPv6
Reply-To: IPv6 Hackers Mailing List <ipv6hack...@lists.si6networks.com>

Hi Eugen,

> > Going back to the roots of IPv6 - the end to end principle, wouldn't
> > it make more sense to just do OE at the endpoint?  That seems to have
> > the highest
> 
> If we want to increase deployment rate, it should be easier in the residential
> or enterprise firewall (e.g. rolling it into OpenWRT or pfSense).

I see where you're going, but from reviewing the proposal it would seem to 
require setup on the endpoint.  If setup is required, why not just do OE from 
the endpoint?  I don't see how a gateway is making it easier in this case - if 
anything it seems like the gateways add more complexity.

> Not sure whether NAT is still prevalent in IPv6 deployments -- if it's running
> as an IPv6 router/firewall instead of NAT you'll probably have to handle OE at
> host level? That would pretty much kill it.
> 
> > chance of adoption.  If Owen and I want to do OE we just enable it on
> > our
> 
> Is this the BTNS approach, or do you need PKI or DNS access for it to work?
> IPv4 or IPv6, or both?

BTNS - you could do for either v4 or v6 but I was thinking v6 with CGAs.

> > Linux hosts and away we go.  Do you think there is interest/demand for
> > an OE gateway solution as described in the paper?
> 
> I'm reasonably sure that there is a potentially huge demand for passive
> attack protection for end users

For savvy end users I believe there would be an interest in OE.

> and enterprises.

Based on my experience in the US market, there would be little interest in OE 
for the (American) enterprise space.  If an enterprise is going to do something 
with security, authentication must be a component.  The other factor that you 
may not have considered is supportability.  By enabling OE, I'm adding 
complexity and potential problems.  It makes things harder to troubleshoot.  
It's also possible it could break some communications.  I'm not convinced the 
value is sufficient to justify the increased support/troubleshooting 
requirements.

> If this could be package-
> ready for Linux or FreeBSD then eventual deployment numbers could be
> considerable.

For OE at the host level I agree.  For the gateway solution I'm not so sure.

--Jim



----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5