A challenge (was Re: Default security functions on an IPv6 CPE)

Andrew Yourtchenko ayourtch at gmail.com
Thu May 19 14:29:32 CEST 2011

On Thu, May 19, 2011 at 1:27 PM, Mikael Abrahamsson <swmike at swm.pp.se> wrote:
> Sorry for jumping in in the middle of the thread, but I couldn't find the
> email I wanted to find to reply to.
> There was a comment earlier about IKE (UDP/500) and IPSEC, and if the CPE
> has a default-deny-ingress stateful firewall that doesn't allow any new
> connections, would allowing IKE (UDP/500) and IPSEC (IP proto 50) by default
> make sense?

Remi mentioned RFC 6092 sometime earlier - it does have these
provisions in section 2.2:

   "IPsec transport and tunnel modes are explicitly secured by
   definition, so this document recommends that the DEFAULT operating
   mode permit IPsec.  To facilitate the use of IPsec in support of IPv6
   mobility, the Internet Key Exchange (IKE) protocol [RFC5996] and the
   Host Identity Protocol (HIP) [RFC5201] should also be permitted ..."


> --
> Mikael Abrahamsson    email: swmike at swm.pp.se

More information about the ipv6-ops mailing list