[AusNOG] IPv6 and Xbox1 from NANOG59

[Mark ZZZ Smith]

----- Original Message -----
> From: Mark ZZZ Smith <markzzzsmith at yahoo.com.au>
> To: Matthew Moyle-Croft <mmc at mmc.com.au>; "AusNOG (AusNOG at lists.ausnog.net)" <ausnog at lists.ausnog.net>
> Cc: 
> Sent: Sunday, 13 October 2013 8:45 AM
> Subject: Re: [AusNOG] IPv6 and Xbox1 from NANOG59
> 
> 
> 
> 
> 
> ----- Original Message -----
>>  From: Matthew Moyle-Croft <mmc at mmc.com.au>
>>  To: "AusNOG (AusNOG at lists.ausnog.net)" 
> <ausnog at lists.ausnog.net>
>>  Cc: 
>>  Sent: Sunday, 13 October 2013 5:44 AM
>>  Subject: [AusNOG] IPv6 and Xbox1 from NANOG59
>> 
>>  Hi,
>> 
<snip>

> 
> 
> Use of IPsec in transport mode is quite interesting and significant though. 
> IPsec isn't necessary to get around any of the IPv4 CGN issues. IPsec in 
> transport mode will detect middle boxes such as NATs/CGNs because they look like 
> Man-In-The-Middle attacks (because they violate the packets' end-to-end 
> integrity), so they may have decided to use it as a another method of detecting 
> NATs/CGNs. Or it could be just that knowing that the packets received were 
> actually the ones sent is valuable - perhaps there are game hacks which are 
> implemented in some middle boxes that Microsoft would like to prevent.
> 

Hmm, getting a bit rusty on my IPsec. They're only using the IPsec ESP header, which doesn't protect the preceding IP header(s), in either IPsec transport or tunnel modes, it only protects the payload after the ESP header (AH is necessary to protect both the preceding IP header and the payload after the AH header, but it doesn't encrypt, so to get full packet integrity plus encryption, you need AH+ESP). So that means Microsoft aren't using IPsec it at all for any form of NAT/CGN detection, and are using it purely for it's end-to-end security purposes.