Another driver for v6?

Mikael Abrahamsson swmike at swm.pp.se
Wed Oct 29 01:59:09 CDT 2008


On Tue, 28 Oct 2008, Steven M. Bellovin wrote:

> Windows 7 will have a cool feature called DirectAccess that "requires
> deploying IPv6 and IPsec".  I know nothing more of this feature than is
> in the article, but if accurate it may create a client-centric demand
> for v6, i.e., desirable new functionality that isn't available on v4.

Microsoft has been at at least two events I've attended and done 
presentations about a strategy that sounds like what you're talking about.

They claim they will deploy IPv6 in their worldwide enterprise network, do 
away with central based enterprise firewalls and do host-to-host 
IPv6+IPSEC, Active Directory based certificates for authentication.

They indicate this as a strategy to do away with VPN clients, so in order 
to reach your work resources from home you'd need to have some kind of 
IPv6 connectivity, tunneled or not. You'd then connect to all resources 
using IPv6 totally transparently to you. All security would be host based.

I am quite impressed by this strategy as it re-implements the end-to-end 
principle of the Internet that most of us appreciate. I also bought their 
claim about much improved security and their 5 year long track of no 
remote exploits like Slammer, when they had to release their emergency 
patch for that RPC based remote exploit the other week, which kind of 
broke their streak... :P

Let's hope they can sell this to all the enterprise guys, as I am very 
tired of all the problems caused by multiple layers of NATs and PAT.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se




More information about the NANOG mailing list