Another driver for v6?
Mikael Abrahamsson
swmike at swm.pp.se
Wed Oct 29 06:59:09 UTC 2008
On Tue, 28 Oct 2008, Steven M. Bellovin wrote:

> Windows 7 will have a cool feature called DirectAccess that "requires
> deploying IPv6 and IPsec". I know nothing more of this feature than is
> in the article, but if accurate it may create a client-centric demand
> for v6, i.e., desirable new functionality that isn't available on v4.

Microsoft has been at at least two events I've attended and done
presentations about a strategy that sounds like what you're talking about.
They claim they will deploy IPv6 in their worldwide enterprise network, do
away with central based enterprise firewalls and do host-to-host
IPv6+IPSEC, Active Directory based certificates for authentication.

They indicate this as a strategy to do away with VPN clients, so in order
to reach your work resources from home you'd need to have some kind of
IPv6 connectivity, tunneled or not. You'd then connect to all resources
using IPv6 totally transparently to you. All security would be host based.

I am quite impressed by this strategy as it re-implements the end-to-end
principle of the Internet that most of us appreciate. I also bought their
claim about much improved security and their 5 year long track of no
remote exploits like Slammer, when they had to release their emergency
patch for that RPC based remote exploit the other week, which kind of
broke their streak... :P

Let's hope they can sell this to all the enterprise guys, as I am very
tired of all the problems caused by multiple layers of NATs and PAT.

--
Mikael Abrahamsson email: swmike at swm.pp.se