IPv6 IPsec – Reviving the Debate

John Spence from Nephos6 had a great article discussing IPsec and its place in the newest draft of the IPv6 Node Requirements RFC. They offer a good opinion and perspective on the current state of the industry on IPv6 adoption, and on how vendors (especially of small appliances) feel about adding IPsec to their IPv6 stack. The controversial question of whether to make IPsec required for everything, or only for certain devices (like routers, servers and workstations), has been fought over since the inception of RFC 1883 (the original IPv6 standard). RFC 2460 (the latest IPv6 standard) states the same thing Spence mentions in his blog, “a full IPv6 implementation includes…Encapsulation Security Payload and Authentication Header,” which is what we will refer to as IPsec.

However, we would like to take the opposite position and state that everything should be built to spec and have IPsec mandated in each and every device, from the largest supercomputer to the nanometer-long sensor.

IPsec For Everything – Our Case

When building the specification, many of these engineers had to settle on whether to go with fixed or variable-length 64-bit or 160-bit addresses. Many of the predecessors of IPv6, with the exception of SIPP (Simple Internet Protocol Plus), had very immature options beyond basic header functionality.

SIPP had it all (see RFC 1710 on SIPP):

  • Extensible options (re: extension headers)
  • Added QoS functionality (Flow Label)
  • Authentication and Encryption (i.e. IPsec)

Bob Hinden (the SIPP RFC author) even made a point of stating that it is a basic capability and not an additional one:

SIPP includes the definition of extensions which provide support
for authentication, data integrity, and confidentiality.  This
is included as a basic element of SIPP.

So if SIPP is the parent of IPv6, it seems IPv6 was meant to have IPsec mandated. Many of those in the commercial product world would have us believe there’s no reason to implement IPsec on a printer or a small sensor. Why would you ever need to encrypt data from your printer in the next cubicle over? Each time I hear this, it causes me concern, especially now, at a time when more people own cell phones than desktop computers, most in the developing world are using only smartphones, and more enterprises are looking to the cloud for service. Then I ask, what better way to secure client-to-server enterprise communication than IPsec? SSL and TLS have proven too vulnerable to man-in-the-middle attacks.

I can sympathize with those vendors who see technologies coming and going, and having to somehow prioritize their implementation.  But their motives are short-sighted and should be recognized as such.

Imagine the scenario of using your Android/iPhone smartphone to connect to your workplace desktop, check an email, and print to a printer halfway around the world. Would you really trust SSL to secure that? This is why IPsec is needed in our future cloud-based and thin-client infrastructure, and especially with IPv6.

2 thoughts on “IPv6 IPsec – Reviving the Debate”

  1. My hope (and I am an eternal optimist) is that even if the spec only says they “should”, the vendors will. Customers pushing the vendors in that direction will help …

    /TJ

    1. Your optimism may be unfounded. I’ve dealt with waaaay too many vendors who’d rather not support it. Cisco even tried to argue not supporting IPsec on their routers in 2006. Hard to believe, but still…
