tech/IPv6AndIPsec written at 23:12:22; Add Comment
What IPsec being mandatory in IPv6 really means
You read here and there that in IPv6, IPsec is mandatory; depending on which side of the firewall divide you're on, this either sounds great or alarming. But what does it actually mean? Recently, I got curious and did some digging, and it turns out that it is less than it sounds.
The IPsec RFCs spell out the mechanics of IPsec; how you go about encrypting and decrypting and signing and so on, and how you respond to various sorts of packets. In the process it requires that conformant hosts have certain capabilities (some of them slightly weird ones). This is what is mandatory in IPv6.
It is not mandatory that you be willing to actually do IPsec connections with anyone; that is up to your local security policy to decide. This is unlike something like SSL/TLS, where having 'mandatory SSL' does not merely mean that you have SSL crypto code available and might theoretically use it if you liked someone, it means that you are actually using it to get encrypted connections.
(If I am reading the IPsec RFC correctly, it is also mandatory that hosts support IKE, which is a protocol for negotiating automatic keys. However, they do not have to be willing to do it; the capability just has to be there if you want to set things up.)
Thus, in practice IPv6 is no more likely to do IPsec than any modern IPv4 system, all of which are going to have IPsec available too, and turning on IPv6 does not get you any more encrypted connections than you had before.
My reference for this is skimming through RFC 2401, the core IPsec RFC, or at least the core RFC for the version of IPsec that seems to be implemented on Linux. (There is RFC 4301 from 2005 which theoretically supersedes RFC 2401, but it doesn't really change the picture.)
* * *
Atom feeds are available; see the bottom of most pages.