Subject: Re: IPSEC in GENERIC
To: Martin S. Weber <Ephaeton@gmx.net>
From: Igor Sobrado <igor@string1.ciencias.uniovi.es>
List: tech-kern
Date: 02/20/2006 20:57:48
In message <20060220190314.GD753@circe.entropie.net>, "Martin S. Weber" writes:
> On Mon, Feb 20, 2006 at 07:50:20PM +0100, Igor Sobrado wrote:
> > At some time in the near future, IPsec will be required in GENERIC
> > kernels (...)
> > IPsec is becoming the standard for VPNs really fast and it is a
> > required component for IPv6.  IPsec is only optional for IPv4.
> 
> (aha. Thus ipsec is only optional but will be required ? Why ?)

IPsec is an optional component on IPv4, but a required component
on IPv6.  Security services are an integral part of IPv6, IPv4 was
not designed with security in mind.  That is the reason a lot of
incompatible security proposals are available for IPv4.

> Rather the question should be, why is INET6 in GENERIC?

IPv6 is a fine and powerful protocol, much faster[*] and expandable
than IPv4.  It is certainly a protocol we should start using very soon.
On the other hand, KAME project did a fine implementation of IPv6 even if,
as observed in this thread, IPsec requires some work to be done yet for
performance and scalability improvements.

[*] there are few fields in the default IPv6 header and flow labels
    allow routers to send traffic without a lot of calculation.  Only
    the first package on a flow needs to be fully processed by routers.

    In fact, IPv6 simplifies network management and protocol specification:
    for example, the current broadcast addressing scheme is a special
    case of multicast addressing in IPv6.  There are a lot of new and
    very useful features, such as the new anycast addressing model.

> (to achieve a deployment it doesn't have and never will ?)

We need a serious migration effort.  I think that the _true reasons_
IPv6 is not being widely used yet are economical and not technical.
ISPs ask people for money when they want static IP addresses for their
servers.  DDNS servers are a poor workaround.  With IPv6 this requirement
will disappear (as NAT itself).  Recent NICs support IEEE EUI-64 identifiers
and there is a method to map 48-bit IEEE MAC addresses to the IPv6 host ID
field for those NICs that do not provide EUI-64 identifiers (e.g., with
the surface mount component DS2502P-E64 from Dallas Semiconductor).
In both cases, we can assure that if our machine has a NIC we have a valid
static IPv6 address on any network.  With more than three million IPv6
addresses on each square cm, there is not a requirement for dynamic addresses
anymore!

Cheers,
Igor.
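The 48-bit MAC to IPv6 host-ID mapping mentioned above is the modified EUI-64 scheme of RFC 4291 Appendix A; the following is an added worked example, not code from the original post, and the prefix and MAC values are constructed samples. It also includes the inverse check (does an address embed a MAC?), which is what an operator auditing address exposure wants.

```python
import ipaddress


def mac_to_modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC in the middle and insert 0xFFFE to stretch 48 bits to 64.
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # Invert the universal/local bit (bit 1 of the first octet), as RFC 4291 requires.
    eui64[0] ^= 0x02
    return bytes(eui64)


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the MAC-derived interface identifier (SLAAC style)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("modified EUI-64 identifiers need a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(addr: str):
    """Recover the MAC if the interface identifier carries the 0xFFFE EUI-64 marker.

    Returns None for addresses that do not look MAC-derived (static, DHCPv6,
    or privacy-extension addresses).
    """
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the universal/local bit flip
    mac = iid[:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    # Constructed sample values, not from the original thread.
    sample_mac = "00:1b:21:aa:bb:cc"
    addr = slaac_address("fe80::/64", sample_mac)
    print(addr)                     # fe80::21b:21ff:feaa:bbcc
    print(mac_from_address(addr))   # 00:1b:21:aa:bb:cc
```

Because the MAC is recoverable from such an address, hosts that want to avoid exposing their hardware identity use RFC 4941 privacy extensions (random interface identifiers), which `mac_from_address` reports as None.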