On 31-dec-04, at 18:32, Sam Stickland wrote:

Since IPSEC is an integral part of IPv6, won't this have an effect on the deep packet inspection firewalls? Is this type of inspection expected to work in IPv6?

In theory IPsec is mandatory in IPv6, but in practice this doesn't mean anything, as you still need to configure and enable it. So the chances of speaking IPsec with some random host somewhere on the net are 0 without much rounding down.


(And IPsec is the same for IPv4 and IPv6.)

There are several ways to deploy IPsec. The first choice is AH vs ESP. Authentication Header (AH) authenticates the entire packet including the IP header, except fields that may be modified in transit. Encapsulating Security Payload (ESP) can do authentication/encryption of the packet payload (i.e., TCP or UDP segment). Unless I'm very much mistaken, ESP can also be used just for authentication.

So if AH or ESP auth-only are used, there shouldn't be any problems.

IPsec can work in two modes: transport mode, which works between two hosts, and tunnel mode, which can work between two hosts, but can also be performed inside security gateways or what have you.

Perhaps using some kind of NAP the firewall is allowed to speak on behalf of the host(s) it firewalls, so that to the client the firewall itself appears to be the IPSEC endpoint?

This is exactly the kind of thing IPsec encryption is supposed to protect you from. :-) But yes, this could be done in theory. (Obviously the host then must not do IPsec with keys that the firewall doesn't know.) Whether there are any products that do it is a very different question.
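The AH-versus-ESP distinction above is what decides whether an inspecting firewall can still reach the transport header. The following is an added example (not from the thread or any product it mentions): a Python walk of an IPv6 extension-header chain in the way a packet-inspecting firewall would do it. AH (protocol 51, RFC 4302) is just another extension header whose length is known from its Payload Len field, so the TCP segment behind it is still readable. ESP (protocol 50, RFC 4303) puts its Next Header field in the trailer after the payload, so a parser that does not know the SA cannot even tell auth-only (NULL encryption) from real encryption and has to stop. The sample packets, addresses, SPIs and the all-zero ICV are constructed for the example and are not captured traffic; the ICV is never verified.

```python
"""Walk an IPv6 extension-header chain the way a packet-inspecting firewall
would, and report what it can still see once AH or ESP is present.
Example code; packets below are constructed, not captured."""
import struct
from dataclasses import dataclass
from typing import Optional

# IANA protocol numbers
HOPOPTS, TCP, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 6, 43, 44, 50, 51, 60


@dataclass
class Inspection:
    chain: list                 # header chain walked, as protocol numbers
    transport: Optional[int]    # upper-layer protocol reached, or None if opaque
    tcp_ports: Optional[tuple]  # (sport, dport) when TCP was reached
    opaque: Optional[str]       # why inspection stopped, if it did


def inspect_ipv6(pkt: bytes) -> Inspection:
    """Parse the fixed IPv6 header, then follow Next Header values until the
    transport header is reached or the payload becomes opaque (ESP)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr = struct.unpack("!HB", pkt[4:7])
    end = 40 + payload_len
    if end > len(pkt):
        raise ValueError("truncated packet")
    off, chain = 40, []
    while True:
        chain.append(next_hdr)
        if next_hdr in (HOPOPTS, ROUTING, DSTOPTS):
            # RFC 8200 generic extension header: Hdr Ext Len is in 8-octet
            # units, not counting the first 8 octets.
            if off + 2 > end:
                raise ValueError("truncated extension header")
            next_hdr, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif next_hdr == FRAGMENT:
            next_hdr, off = pkt[off], off + 8
        elif next_hdr == AH:
            # RFC 4302: Payload Len is in 32-bit words minus 2.  The data behind
            # AH (here a TCP segment) is authenticated but still in the clear.
            if off + 2 > end:
                raise ValueError("truncated AH")
            next_hdr, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        elif next_hdr == ESP:
            # RFC 4303: ESP's Next Header field sits in the trailer, after the
            # (possibly encrypted) payload.  Without the SA the parser cannot
            # tell NULL-encryption (auth-only) from real encryption.
            return Inspection(chain, None, None,
                              "ESP: next header is in the trailer, opaque without the SA")
        elif next_hdr == TCP:
            if off + 4 > end:
                raise ValueError("truncated TCP header")
            return Inspection(chain, TCP, struct.unpack("!HH", pkt[off:off + 4]), None)
        else:
            return Inspection(chain, next_hdr, None, None)
        if off > end:
            raise ValueError("extension header runs past payload")


# ---- Constructed sample packets (documentation prefix addresses, made-up SPIs) ----
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")


def ipv6(next_hdr: int, payload: bytes) -> bytes:
    # Version 6, traffic class 0, flow label 0, hop limit 64
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + SRC + DST + payload


def tcp_syn(sport: int, dport: int) -> bytes:
    # 20-byte TCP header: data offset 5, SYN flag, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def ah(next_hdr: int, spi: int, seq: int, icv: bytes) -> bytes:
    # Payload Len = 32-bit words minus 2; 12-byte ICV gives 24 bytes, i.e. 4
    return struct.pack("!BBHII", next_hdr, (12 + len(icv)) // 4 - 2, 0, spi, seq) + icv


def esp(spi: int, seq: int, body: bytes) -> bytes:
    # SPI and sequence number are in the clear; everything after is opaque here
    return struct.pack("!II", spi, seq) + body


def dstopts(next_hdr: int) -> bytes:
    # Hdr Ext Len 0 => 8 octets total; one PadN(4) option fills the remainder
    return bytes([next_hdr, 0, 1, 4, 0, 0, 0, 0])


ICV = bytes(12)  # placeholder for an HMAC-SHA1-96 tag; not computed or checked
PLAIN_TCP = ipv6(TCP, tcp_syn(40000, 443))
AH_TCP = ipv6(AH, ah(TCP, 0x1000, 1, ICV) + tcp_syn(40000, 443))
OPTS_AH_TCP = ipv6(DSTOPTS, dstopts(AH) + ah(TCP, 0x1000, 2, ICV) + tcp_syn(40000, 443))
ESP_TCP = ipv6(ESP, esp(0x2000, 1, bytes(32)))  # body stands in for an ESP-wrapped segment

if __name__ == "__main__":
    for name, pkt in [("plain TCP", PLAIN_TCP), ("AH+TCP", AH_TCP),
                      ("DstOpts+AH+TCP", OPTS_AH_TCP), ("ESP", ESP_TCP)]:
        print(f"{name:16} {inspect_ipv6(pkt)}")
```

Running it shows the firewall reaching ports 40000/443 through AH and through a destination-options header followed by AH, but stopping at ESP with no transport information at all. Telling ESP-NULL apart from encrypted ESP would need either the SA (the "keys that the firewall knows" case above) or out-of-band signalling; plain header parsing cannot do it.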
