Valdis.Kletnieks at vt.edu
Sun Aug 10 00:33:01 CDT 2008

On Fri, 08 Aug 2008 18:53:23 EDT, Deepak Jain said:
> o Security. With IPv4, IPsec is optional and you need to ask
> the peer if it supports IPsec. With IPv6, IPsec support is mandatory. By
> mandating IPsec, we can assume that you can secure your IP communication
> whenever you talk to IPv6 devices.

The *actual* distinction here is that an implementation can be a fully
compliant IPv4 stack without any code to do IPSEC.  The IPv6 stack is
required to have the code.  Nowhere does it say that it has to be enabled
or configured, with the end result that probably 99.87% of the machines
running IPv6 don't actually have the ability to negotiate an IPSEC connection.

I suspect that in actual usage, it's a wash, because the sites that actually
bother to configure IPSEC for IPv6 do it because they're *already* doing
IPSEC for IPv4.  Does anybody know of an actual production site that actually
does IPSEC for IPv6 but not for IPv4?