IPv6 Security (IV)

The first posts about IPv6 Security [1,2,3] introduced the enlarged address space, other main features and how the security of the new Internet protocol is affected by them.

But what about the security features directly implemented into IPv6. This is what is called IPsec.

IPsec is a mandatory part of the IPv6 protocol standard and describes how a secure connection is made through an insecure network. It uses two main mechanisms to ensure security. The Authentication Header (AH) which guarantees that the communication partner is really the one he pretends to be (Authenticity). And the Encrypted Security Payload (ESP) ensuring that only the communication parter can read the information which is exchanged with him (Confidentiality). Further more the Authentication Header can be used to detect if data is altered during transmit (Integrity).

Authentication Header (AH)
Different authentication mechanisms are provided by the AH protocol to generate a checksum over included headers. The AH header is shown below and related fields are discussed in the following:

Security Parameter Index
The SPI value is checked by the receiver to identify to which Security Association (SA) the incoming packet belongs to. Basically this holds detailed information about the algorithms and parameters used for the encryption.

Authentication Data
This field holds the checksum (Integrity Check Value ICV) for the packet. The size is depending on the algorithm used for calculating this checksum; but always a multiple of four bytes.

The checksum is calculated over different fields. Basically it is calculated over all fields of previous headers including the AH Header – but only over fields which do not change during transmit to the destination. So for example the Hop Limit field of the IPv6 Header – which is decreased by every router during transmit – is not used for calculation.

Encrypted Security Payload Header (ESP)
ESP means encrypting the packet data (payload) including upper layer protocols like UDP or TCP. Everything including the ESP Header itself is ciphered. It is possible to use ESP and AH mechanisms autonomously; this is the reason why some of the following fields in the ESP Header are known from the AH:

Security Parameter Index
The SPI value is checked by the receiver to identify to which Security Association (SA) the incoming packet belongs to.

Payload Data
The upper layer protocol header (e.g. TCP or UDP Header) including payload data. The ESP Payload Data is completely encrypted.

Authentication Data
The checksum (Integrity Check Value ICV) is optional in the ESP Header. It is calculated over the ESP Header including the encrypted payload data.

The algorithm used for encryption is either manually specified or dynamically negotiated by the key exchange protocol. ESP authentication and encryption are both optional, which means either one of these two methods or both together can be used.

Only a few related parts are missing to complete the secure communication with IPv6 – this will be explained in the following post.

Clemens Kurtenbach
S21sec e-crime

Recommended Posts

Leave a Comment