On Tue, 28 Oct 2008, Steven M. Bellovin wrote:
Windows 7 will have a cool feature called DirectAccess that "requires deploying IPv6 and IPsec". I know nothing more of this feature than is in the article, but if accurate it may create a client-centric demand for v6, i.e., desirable new functionality that isn't available on v4.
Microsoft has been at at least two events I've attended and done presentations about a strategy that sounds like what you're talking about. They claim they will deploy IPv6 in their worldwide enterprise network, do away with central based enterprise firewalls and do host-to-host IPv6+IPSEC, Active Directory based certificates for authentication. They indicate this as a strategy to do away with VPN clients, so in order to reach your work resources from home you'd need to have some kind of IPv6 connectivity, tunneled or not. You'd then connect to all resources using IPv6 totally transparently to you. All security would be host based.

I am quite impressed by this strategy as it re-implements the end-to-end principle of the Internet that most of us appreciate. I also bought their claim about much improved security and their 5 year long track of no remote exploits like Slammer, when they had to release their emergency patch for that RPC based remote exploit the other week, which kind of broke their streak... :P

Let's hope they can sell this to all the enterprise guys, as I am very tired of all the problems caused by multiple layers of NATs and PAT.

--
Mikael Abrahamsson email: swmike@swm.pp.se