A challenge (was Re: Default security functions on an IPv6 CPE)
ayourtch at gmail.com
Thu May 19 14:29:32 CEST 2011
On Thu, May 19, 2011 at 1:27 PM, Mikael Abrahamsson <swmike at swm.pp.se> wrote:
> Sorry for jumping in in the middle of the thread, but I couldn't find the
> email I wanted to find to reply to.
> There was a comment earlier about IKE (UDP/500) and IPSEC, and if the CPE
> has a default-deny-ingress stateful firewall that doesn't allow any new
> connections, would allowing IKE (UDP/500) and IPSEC (IP proto 50) by default
> make sense?
Remi mentioned RFC 6092 sometime earlier - it does have these
provisions in section 2.2:
"IPsec transport and tunnel modes are explicitly secured by
definition, so this document recommends that the DEFAULT operating
mode permit IPsec. To facilitate the use of IPsec in support of IPv6
mobility, the Internet Key Exchange (IKE) protocol [RFC5996] and the
Host Identity Protocol (HIP) [RFC5201] should also be permitted ..."
> Mikael Abrahamsson email: swmike at swm.pp.se
More information about the ipv6-ops