IPsec
... analyzed or addressed in its predecessor [RFC2893]. The most
complete solution is to use IPsec to protect IPv6-in-IPv4 tunneling.
The document was intentionally not expanded to include the details on
how to set up an IPsec-protected tunnel in an interoperable manner,
but instead the details were deferred to this memo.
...
The first four sections of this document analyze the threats and
scenarios that can be addressed by IPsec and assumptions made by this
document for successful IPsec Security Association (SA)
establishment. Section 5 gives the details of Internet Key Exchange ...
...
This document does not address the use of IPsec for tunnels that are
not manually configured (e.g., 6to4 ...
... Threats and the Use of IPsec ...
... IPv6 packet.
This memo proposes using IPsec for providing stronger security in
preventing these threats and additionally providing integrity ...
... IPsec in Transport Mode ...
... IPv4-dest, protocol =
41). On receiving such an IPsec packet, the receiver first applies
the IPsec transform (e.g., ESP) and then matches the packet against
the Security Parameter Index ...
... source address.
This prevents threat (1) but not threat (2). IPsec in transport mode
does not verify the contents of the payload ...
... payload itself where the IPv6
addresses are carried. That is, two nodes using IPsec transport mode
to secure the tunnel ...
... IPsec in Tunnel Mode ...
... destination). On receiving such an
IPsec packet, the receiver first applies the IPsec transform (e.g.,
ESP) and then matches the packet against the SPI ...
...
The outer IPv4 addresses may be spoofed, and IPsec cannot detect this
in tunnel mode; the packets will be demultiplexed based on the SPI ...
... This section discusses the different versions of the IKE and IPsec
security architecture and their applicability to this document.
The IPsec security architecture was previously defined in [RFC2401]
...
... Network Address Translation (NAT) traversal works with both the old
and revised IPsec architectures, but the negotiation is integrated
...
... IPsec Configuration Details ...
... This section describes the SPD entries for setting up the IPsec
transport mode SA to protect the IPv6 traffic ...
... There are many problems when using tunnel mode as implementations may
or may not model the IPsec tunnel mode SA as an interface as
...
... described in Appendix A.1.
If IPsec tunnel mode SA is not modeled as an interface (e.g., as of
...
... IPsec Transport Mode ...
... tunnel interface on all
the packets that pass the inbound IPsec processing.
The following SPD ...
... IKEv1 or IKEv2 must be used for
establishing the IPsec SAs. IKEv2 should be used where supported and
...
... IKEv2 provides a secure signaling protocol for
establishing, maintaining, and deleting an IPsec tunnel.
...
... limited traffic flow
confidentiality.
IPsec provides access control mechanisms through the distribution of
keys and also through the application of policies dictated by the
...
... IKEv2 introduces some
weaknesses into IKE and IPsec. These issues are discussed in more
detail in [RFC4306].
Please note that using IPsec for the scenarios described in Figures
1, 2, and 3 does not aim to protect the end-to-end communication. It
...
... Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M. Stenberg, "UDP Encapsulation of IPsec ESP Packets", RFC 3948, January 2005. ...
... Patel, B., Aboba, B., Dixon, W., Zorn, G., and S. Booth, "Securing L2TP using IPsec", RFC 3193, November 2001. ...
... Touch, J., Eggert, L., and Y. Wang, "Use of IPsec Transport Mode for Dynamic Routing", RFC 3884 ...
... created and used with "any" addresses ("::/0 <-> ::/0") as IPsec
traffic selectors while setting up ...
... all traffic between the two nodes to be protected by IPsec, the
routing table would decide what traffic ...
... tunnel interface as the IPsec policy checks do not check the IPv6
addresses at all. Routing protocols, multicast ...
... specific SPD entries, e.g., "2001:db8:1::/48 <-> 2001:db8:2::/48".
As the IPsec session between two endpoints does not
...
Ingress filtering is guaranteed by IPsec processing when option (2)
is chosen, whereas the operator has to enable it explicitly when
transport mode ...
... ISP as part of setting up
the IPsec tunnel mode SA. The details of these procedures are out of
scope for this memo.
...
... networks. A detailed description of the problem and
requirements of IPsec-protected data traffic traversing a NAT is
provided in [RFC3715 ...
... NAT is detected and both
endpoints support IPsec NAT traversal extensions, UDP encapsulation ...
... More details about UDP encapsulation of IPsec-protected IP packets
can be found in [RFC3948].
...
... using protocol 41, is not guaranteed to traverse the
NAT. Hence, using IPsec tunnels would enable one to set up both
a secure tunnel ...
... reconfigured if an address changes. Therefore, an easy and efficient
way to re-establish the IPsec tunnel if the IP address changes would
...
