Abstract

This chapter summarizes the Internet Protocol Security (IPSec) extension headers, the security features that are included in IPv6 and provide cryptographic security services at the network layer. IPSec services consist of two security protocols: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). AH is an extension header and protocol that uses a cryptographic signature to provide both connectionless integrity and data origin authentication. ESP is an extension header and protocol that provides confidentiality, data origin authentication, connectionless integrity, replay protection, and limited traffic flow confidentiality. The AH and ESP protocols provide the actual cryptographic services at the network layer. These tasks are accomplished through a combination of mechanisms, including the Security Policy Database (SPD), the Security Association (SA), and the Internet Key Exchange (IKE) protocol. The SPD identifies the services to be applied to IP packets, and is consulted in the processing of all traffic, including non-IPSec traffic. For any packet, the SPD will identify one of three options for processing: discard, bypass IPSec, or apply IPSec. It solves the problem of tracking the IKE agreements with respect to services, algorithms, and parameters for particular traffic flows. IKE is the mechanism that determines which services are applied to the different traffic flows, and negotiates the required cryptography for those services. It is the glue that binds the IPSec building blocks together.
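
The SPD decision described above can be sketched as an ordered selector table. This is an added example, not code from the chapter: the entry layout, the sample policy, the first-match ordering and the discard-on-no-match default are assumptions, and the addresses are constructed from the IPv6 documentation prefix.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

DISCARD, BYPASS, PROTECT = "discard", "bypass", "protect"
TCP, UDP, ICMPV6 = 6, 17, 58          # IPv6 Next Header values

@dataclass(frozen=True)
class SpdEntry:                       # hypothetical layout for illustration
    src: str                          # source prefix selector
    dst: str                          # destination prefix selector
    next_header: Optional[int]        # None matches any upper-layer protocol
    dst_port: Optional[int]           # None matches any port
    action: str
    sa_proto: Optional[str] = None    # "ESP" or "AH" when action is PROTECT

    def matches(self, src, dst, next_header, dst_port):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.next_header in (None, next_header)
                and self.dst_port in (None, dst_port))

SITE_A, SITE_B = "2001:db8:a::/48", "2001:db8:b::/48"

# Constructed policy. Order matters: the first matching entry decides.
SPD = [
    # Non-IPSec traffic is still looked up: link-local ICMPv6 is bypassed.
    SpdEntry("fe80::/10", "::/0", ICMPV6, None, BYPASS),
    # IKE (UDP 500) must reach the peer before any SA exists.
    SpdEntry(SITE_A, SITE_B, UDP, 500, BYPASS),
    # Telnet between the sites is dropped outright.
    SpdEntry(SITE_A, SITE_B, TCP, 23, DISCARD),
    # Everything else between the sites gets ESP.
    SpdEntry(SITE_A, SITE_B, None, None, PROTECT, "ESP"),
]

def spd_lookup(src, dst, next_header, dst_port=None):
    """Return (action, sa_proto); traffic matching no entry is discarded."""
    for entry in SPD:
        if entry.matches(src, dst, next_header, dst_port):
            return entry.action, entry.sa_proto
    return DISCARD, None

if __name__ == "__main__":
    print(spd_lookup("2001:db8:a::10", "2001:db8:b::20", TCP, 443))
    print(spd_lookup("2001:db8:c::1", "2001:db8:b::20", TCP, 443))
```

Swapping the telnet and catch-all entries would send telnet through ESP instead of dropping it, which is why entry order is part of the policy.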
