On Sun, Oct 11, 2009 at 6:15 PM, Yoav Nir <y...@checkpoint.com> wrote:
> Hi Hui
>
> I think there is very little difference between IPv4 and IPv6 as regards to
> IPsec. See below
>
> On Oct 11, 2009, at 9:50 AM, Hui Deng wrote:
>
>> Dear IPsec folks,
>>
>> May I get advice about the difference between them:
>> 1) IPv4 doesn't mandate the support IPsec, IPv6 also doesn't mandate
>> it based on RFC?
>
> IPv4 does not mandate it, because IPv4 predates IPsec. RFC 4294 says in
> section 8.1:
>
>    Security Architecture for the Internet Protocol [RFC-4301] MUST be
>    supported.
>
>> 2) Most IPv4 hosts have(Linux, BSD, Windows) by default implemented
>> IPsec(IKE), but don't launch it, need more configuration?
>> Most IPv6 hosts haven't by default implemented IPsec(IKE), it need
>> further download and configuration?
>
> IPv6 hosts, like IPv4 hosts, run Linux, BSD, Windows or some other OS. With
> most of them, the latest versions support IPv6 for IKE and IPsec.

I guess we do not need tunnel model for IPv6 ipsec?

>
>> 3) IPv4 IPsec need traversal NAT, but IPv6 don't need it, so it could
>> support more about end to end other than site to site.
>
> That is assuming that IPv6 does not have NAT. I don't think we have enough
> implementation experience to say that for sure.

Can it be at least considered one advantage of IPv6 IPSEC?

Another point is:
"One possible advantage for IPv6 IPsec is that IPv6’s extension header chaining feature, which is not present in IPv4, could be used to authenticate a secure host-to-host scenario exchange to a third party gateways which would provide authorized access into and out of secure enclaves".
-quote from http://www.commandinformation.com/blog/?p=98.
Is this valid?

Thanks for discussion.

>
>> 4) IPv6 IPsec support is based on extension header which is different
>> from IPv4, it may more closer to the kernel level implementation.
>
> I don't see why this would necessarily be true.
>
>>
>> thanks for the discussion.
>> best regards,
>>
>> -Hui
>
>
> _______________________________________________
> IPsec mailing list
> IPsec@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec