On Oct 26, 2010, at 10:39 49PM, Fred Baker wrote:
> I'm not a security guru, and will step aside instantly if someone with those
> credentials says I'm wrong. However, from my perspective, the assertion that
> IPv6 had any security properties that differed from IPv4 *at*all* has never
> made any sense. It is essentially a marketing claim, and - well, we all have
> marketing departments.
Actually, the claim was made, and was correct at the time under assumptions
that proved false.
The core issue was indeed that IPsec was mandated for v6. We were *very*
overoptimistic about how long it would take before roll-out started in earnest.
In fact, we underestimated how long it would take to get good specs for all
the important pieces. We also underestimated how long IPsec would take, though
that was partially (but only partially) because IPsec version 1 (RFCs
1825-1829) had to be thrown away.
Quite simply, we assumed (in 1994) that IPv6 rollouts would start around
1996-1997. Given that, we didn't think that any vendors were going to bother
adding IPsec to their v4 stacks. If that had all come to pass, v6 would indeed
have been more secure. Even as late as 2000, I could still assert that v6 had
some advantages; see http://www.cs.columbia.edu/~smb/talks/v6-security/index.htm
We all know what happened. It's 2010, and deployment is finally starting in
earnest. Virtually all v4 stacks have IPsec. There's a way to send IPsec
through NATs (under certain circumstances). And no one cares much about
host-to-host IPsec, as opposed to host-to-gateway VPNs.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf