> ------------------------------
>
> Date: Fri, 31 Dec 2004 17:32:24 +0000 (GMT Standard Time)
> From: Sam Stickland <[EMAIL PROTECTED]>
> Subject: IPv6, IPSEC and deep packet inspection
>
> Since IPSEC is an integral part of IPv6, won't this have an effect on
> deep packet inspection firewalls? Is this type of inspection expected to
> work in IPv6?
>
> Perhaps using some kind of NAP the firewall is allowed to speak on behalf
> of the host(s) it firewalls, so that to the client the firewall itself
> appears to be the IPSEC endpoint?
>
> Sam
Some related issues, as they apply to IPv4, were discussed in the following:

IPSEC and the Internet:
http://techreports.isr.umd.edu/reports/1999/MS_99-14.pdf

as well as:

A Multi-Layer IP Security Protocol for TCP Performance Enhancement in Wireless Networks:
http://www.yongguangzhang.net/papers/jsac04.html

Both of the above essentially proposed using a layering scheme that differentiates between the keys used to encrypt different parts of a packet. This would allow people the flexibility to then selectively disclose keys as necessary for the deep packet inspector boxes to work, without compromising the security of the entire packet payload. In this approach, the "middlebox" does not have to be an IPSEC end-point.

Both of the above argued that without such layering, IPSEC would essentially render any network monitoring or analysis based on information deeper than the IP hdr useless (which is actually the intent of IPSEC).

-manish
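The key-layering idea in the reply above, as an added toy model (this is not code from either paper, nor from any IPsec implementation): the TCP header and the application payload are sealed as two separate zones under two separate keys, so a middlebox that is handed only the header-zone key can read ports and flags and verify that zone's integrity, while the payload stays opaque to it; only the endpoint holding both keys recovers the whole packet. The zone layout, the HMAC-SHA256 counter-mode keystream used in place of a real cipher, the per-packet nonce, and the constructed keys and packet are all assumptions made for illustration.

```python
"""Toy model of two-key, two-zone "layered" IPsec (added example, not from the cited papers).

Zone 1 = transport (TCP) header, Zone 2 = application payload. Each zone is
encrypted and authenticated under its own key, so a key can be disclosed per zone.
The cipher is an HMAC-SHA256 counter-mode keystream: a stand-in for AES-CTR/GCM,
chosen only so the example runs with the standard library.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ZONE_HDR = 1       # transport-header zone (TCP header)
ZONE_PAYLOAD = 2   # application-payload zone

# Constructed demo material (assumption): fixed keys and nonce for reproducibility.
# A real deployment would derive keys from IKE and the nonce from the ESP sequence number.
K_HDR = b"\x11" * 32
K_PAYLOAD = b"\x22" * 32
NONCE = b"\x00" * 11 + b"\x01"
DEMO_PAYLOAD = b"GET / HTTP/1.1\r\n"


def _keystream(key: bytes, nonce: bytes, zone: int, length: int) -> bytes:
    """CTR-style keystream: HMAC(key, "enc" || nonce || zone || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = b"enc" + nonce + bytes([zone]) + struct.pack("!I", counter)
        out.extend(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(key: bytes, nonce: bytes, zone: int, ct: bytes) -> bytes:
    # Domain-separated from the keystream by the "tag" prefix; binds nonce and zone id.
    return hmac.new(key, b"tag" + nonce + bytes([zone]) + ct, hashlib.sha256).digest()


def seal_zone(key: bytes, nonce: bytes, zone: int, plaintext: bytes) -> tuple[bytes, bytes]:
    """Encrypt-then-MAC one zone under its own key."""
    ct = _xor(plaintext, _keystream(key, nonce, zone, len(plaintext)))
    return ct, _tag(key, nonce, zone, ct)


def open_zone(key: bytes, nonce: bytes, zone: int, ct: bytes, tag: bytes) -> bytes:
    """Verify the zone tag before decrypting; a wrong key fails here, not with garbage output."""
    if not hmac.compare_digest(_tag(key, nonce, zone, ct), tag):
        raise ValueError(f"zone {zone}: integrity check failed (wrong key or tampered)")
    return _xor(ct, _keystream(key, nonce, zone, len(ct)))


@dataclass(frozen=True)
class LayeredPacket:
    ip_hdr: bytes       # outer IP header travels in the clear, as with ordinary ESP
    nonce: bytes        # per-packet, must never repeat under the same key
    hdr_ct: bytes
    hdr_tag: bytes
    payload_ct: bytes
    payload_tag: bytes


def make_tcp_header(sport: int, dport: int, seq: int = 0, ack: int = 0,
                    flags: int = 0x18, window: int = 65535) -> bytes:
    """Minimal 20-byte TCP header (data offset 5, checksum/urgent pointer zeroed)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def build_packet(ip_hdr: bytes, tcp_hdr: bytes, payload: bytes,
                 k_hdr: bytes, k_payload: bytes, nonce: bytes) -> LayeredPacket:
    """Sender: seal the header zone under k_hdr and the payload zone under k_payload."""
    hdr_ct, hdr_tag = seal_zone(k_hdr, nonce, ZONE_HDR, tcp_hdr)
    pl_ct, pl_tag = seal_zone(k_payload, nonce, ZONE_PAYLOAD, payload)
    return LayeredPacket(ip_hdr, nonce, hdr_ct, hdr_tag, pl_ct, pl_tag)


def middlebox_inspect(pkt: LayeredPacket, k_hdr: bytes) -> dict:
    """DPI box holding only the header-zone key: ports and flags yes, payload no."""
    tcp = open_zone(k_hdr, pkt.nonce, ZONE_HDR, pkt.hdr_ct, pkt.hdr_tag)
    sport, dport, _seq, _ack, _off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", tcp)
    return {"src_port": sport, "dst_port": dport, "flags": flags,
            "payload_len": len(pkt.payload_ct)}   # length is visible, content is not


def endpoint_decrypt(pkt: LayeredPacket, k_hdr: bytes, k_payload: bytes) -> tuple[bytes, bytes]:
    """Receiver holding both zone keys recovers header and payload."""
    tcp = open_zone(k_hdr, pkt.nonce, ZONE_HDR, pkt.hdr_ct, pkt.hdr_tag)
    payload = open_zone(k_payload, pkt.nonce, ZONE_PAYLOAD, pkt.payload_ct, pkt.payload_tag)
    return tcp, payload


def demo() -> dict:
    """Run the constructed exchange and report what each party could see."""
    tcp = make_tcp_header(50234, 443)
    pkt = build_packet(b"\x45\x00", tcp, DEMO_PAYLOAD, K_HDR, K_PAYLOAD, NONCE)
    seen = middlebox_inspect(pkt, K_HDR)
    try:
        middlebox_inspect(pkt, K_PAYLOAD)   # payload key alone does not open the header zone
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    hdr, payload = endpoint_decrypt(pkt, K_HDR, K_PAYLOAD)
    return {"middlebox_sees": seen, "payload_opaque": pkt.payload_ct != DEMO_PAYLOAD,
            "wrong_key_rejected": wrong_key_rejected,
            "endpoint_ok": hdr == tcp and payload == DEMO_PAYLOAD}


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner would want: disclosing the header-zone key gives the middlebox read access to the transport header only; anything that must rewrite the header (a TCP performance-enhancing proxy, as in the second paper's setting) also needs the ability to re-seal that zone, which is exactly why a per-zone key rather than a per-packet key is the useful unit of disclosure.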
