Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] [ipv6hackers] opportunistic encryption in IPv6

Eugen Leitl eugen at
Wed Jun 12 07:58:14 PDT 2013

----- Forwarded message from Jim Small <jim.small at> -----

Date: Wed, 12 Jun 2013 14:30:03 +0000
From: Jim Small <jim.small at>
To: IPv6 Hackers Mailing List <ipv6hackers at>
Subject: Re: [ipv6hackers] opportunistic encryption in IPv6
Reply-To: IPv6 Hackers Mailing List <ipv6hackers at>

Hi Eugen,

> > Going back to the roots of IPv6 - the end to end principal, wouldn't
> > it make more sense to just do OE at the endpoint?  That seems to have
> > the highest
> If we want to increase deployment rate, it should be easier in the residential
> or enterprise firewall (e.g. rolling it into OpenWRT or pfSense).

I see where you're going, but from reviewing the proposal it would seem to require setup on the endpoint.  If setup is required, why not just do OE from the endpoint?  I don't see how a gateway is making it easier in this case - if anything it seems like the gateways add more complexity.

> Not sure whether NAT is still prevalent in IPv6 deployments -- if it's running
> as an IPv6 router/firewall instead of NAT you'll probably have to handle OE at
> host level? That would pretty much kill it.
> > chance of adoption.  If Owen and I want to do OE we just enable it on
> > our
> Is this the BTNS approach, or do you need PKI or DNS access for it to works?
> IPv4 or IPv6, or both?

BTNS - you could do for either v4 or v6 but I was thinking v6 with CGAs.

> > Linux hosts and away we go.  Do you think there is interest/demand for
> > an OE gateway solution as described in the paper?
> I'm reasonably sure that there is a potentially huge demand for passive
> attack protection for end users

For savvy end users I believe there would be an interest in OE.

> and enterprises.

Based on my experience in the US market, there would be little interest in OE for the (American) enterprise space.  If an enterprise is going to do something with security, authentication must be a component.  The other factor that you may not have considered is supportability.  By enabling OE, I'm adding complexity and potential problems.  It makes things harder to troubleshoot.  It's also possible it could break some communications.  I'm not convinced the value is sufficient to justify the increased support/troubleshooting requirements.

> If this could be package-
> ready for Linux or FreeBSD then eventual deployment numbers could be
> considerable.

For OE at the host level I agree.  For the gateway solution I'm not so sure.


Ipv6hackers mailing list
Ipv6hackers at

----- End forwarded message -----
Eugen* Leitl <a href="">leitl</a>
ICBM: 48.07100, 11.36820
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5

More information about the liberationtech mailing list