RFC 4891: Using IPsec to Secure IPv6-in-IPv4 Tunnel...
RFC-Ref

IPv6



... The IPv6 Operations (v6ops) working group has selected (manually configured) IPv6-in-IPv4 tunneling [RFC4213] as one of the IPv6 transition mechanisms for IPv6 deployment. ...
... RFC2893]. The most complete solution is to use IPsec to protect IPv6-in-IPv4 tunneling. The document was intentionally not expanded to include the details on ...
... interface" or the phrase "IP interface" refers to the IPv6 interface that must be present on any IPv6 node to send or receive IPv6 packets. The use of the phrase "tunnel interface" refers to the interface that receives the IPv6-in-IPv4 tunneled packets over IPv4. ...


... be spoofed. 2. The IPv6 source address of the encapsulated ("inner") packet can ...
... ingress filtering [RFC3704]. The reason threat (2) exists is that the IPv6 packet is encapsulated in IPv4 and hence may escape IPv6 ingress filtering. [RFC4213] specifies the following strict ...
... o To mitigate threat (2), the decapsulator verifies whether the inner IPv6 address is a valid IPv6 address and also applies IPv6 ingress filtering before accepting the IPv6 packet. This memo proposes using IPsec ...
... transport mode does not verify the contents of the payload itself where the IPv6 addresses are carried. That is, two nodes using IPsec transport mode ...
... decapsulated successfully and accepted. This shortcoming can be partially mitigated by IPv6 ingress filtering, i.e., check that the packet is arriving from the interface ...
... transport mode SA is applied to a normal IPv6-in-IPv4 tunnel. Therefore, ingress filtering can be applied in ...
... SA is established to protect the traffic defined by (IPv6-source, IPv6-destination). On receiving such an ...
... tunnel mode; the packets will be demultiplexed based on the SPI and possibly the IPv6 address bound to the SA. Thus, the outer address spoofing is irrelevant as long as the decryption succeeds and the inner IPv6 packet can be verified to have come from the right tunnel endpoint. ...
... transport rather than tunnel mode is recommended, an IPv6-in-IPv4 tunnel specified by protocol 41 still exists [RFC4213 ...


... tunnels. These refer to tunnels between a site's IPv6 (border) device and an IPv6 upstream provider ...
... IPv6/IPv4 hosts and routers can tunnel IPv6 datagrams over regions of IPv4 forwarding topology ...
... Router-to-Router Scenario. IPv6/IPv4 routers interconnected by an IPv4 infrastructure can tunnel IPv6 packets between themselves. In this case, the tunnel spans one segment of the end-to-end path that the IPv6 packet takes. The source and destination addresses of the IPv6 packets traversing the tunnel could come from a wide range of IPv6 prefixes, so binding IPv6 addresses to be used to the SA is not generally feasible. IPv6 ingress filtering must be performed to mitigate the IPv6 address spoofing threat. ...
[Figure: Router-to-Router scenario. An IPv6 network, an IPsec-protected v6-in-v4 tunnel across the IPv4 network, and a native IPv6 node; diagram not recoverable from the extract.]
... Router-to-Site Scenario. IPv6/IPv4 routers can tunnel IPv6 packets to their final destination IPv6/IPv4 site. This tunnel spans only the last segment ...
[Figure: Router-to-Site scenario. IPv6 Network; IPsec tunnel between the IPv6 Site and Router A; diagram not recoverable from the extract.]
... Router Scenario. In the other direction, IPv6/IPv4 hosts can tunnel IPv6 packets to an intermediary IPv6/IPv4 router that is reachable via an IPv4 ...
... The hosts in the site originate the packets with IPv6 source addresses coming from a well-known prefix ...
... originate packets within the /48. IPv6 spoofing must be prevented, and setting up ingress filtering ...
... Host-to-Host Scenario. IPv6/IPv4 hosts interconnected by an IPv4 infrastructure can tunnel IPv6 packets between themselves. In this case, the tunnel spans the entire end-to-end path. In this case, the source and the destination IPv6 addresses are known a priori. A tunnel mode SA ...
... addresses. Address verification prevents IPv6 source address spoofing ...


... IKEv2 supports dynamic address configuration, which may be used to configure the IPv6 address of the host. ...


... setting up the IPsec transport mode SA to protect the IPv6 traffic. ...
... Several requirements arise when IPsec is used to protect the IPv6 traffic (inner header) for the scenarios listed in Section 3. 1. All of IPv6 traffic should be protected, including link-local ...
... multicast traffic. Without this, an attacker can pollute the IPv6 neighbor cache causing disruption in communication between the two routers ...
... interfaces. This implies that the reachability to the various IPv6 destinations appear as routes in the routing table. This ...
... affects scenarios (2) and (3). The IPv6 traffic can be protected using transport or tunnel mode ...
... end-to-end path. IPv6 ingress filtering must be applied on the tunnel interface ...
...
      +----------------------------------------------+
      | ESP header                                   |
      +----------------------------------------------+
      | IPv6 header (src = IPV6-EP1, dst = IPV6-EP2) |
      +----------------------------------------------+
      | (payload)                                    |
      +----------------------------------------------+

   Table 1: Packet Format for IPv6/IPv4 Tunnels. ...


... setting up an IPsec IPv6-in-IPv4 tunnel using either transport or tunnel mode ...
... SPD (SSPD) tunnel mode. Such usage is more complicated because IPv6 prefixes need to be known a priori, and multicast and link-local ...
... interface. Manual keying must not be used as large amounts of IPv6 traffic may be carried over the tunnels ...


... When running IPv6-in-IPv4 tunnels (unsecured) over the Internet, it is possible to "inject" packets into the tunnel ...
... end-to-end communication. It protects just the tunnel part. It is still possible for an IPv6 endpoint not attached to the IPsec ...


... [RFC4213] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms for IPv6 Hosts and Routers", RFC 4213, October 2005. ...
... [RFC2893] Gilligan, R. and E. Nordmark, "Transition Mechanisms for IPv6 Hosts and Routers", RFC 2893, August 2000 (obsoleted by RFC 4213). ...
... Carpenter, B. and K. Moore, "Connection of IPv6 Domains via IPv4 Clouds ...
... Palet, J. and M. Diaz, "Analysis of IPv6 Tunnel End-point Discovery Mechanisms ...


... tunnel interface as the IPsec policy checks do not check the IPv6 addresses at all. Routing protocols, multicast, etc. will work ...
... IPv4 but the tunnel is IPv6, there is no standard solution to map the IPv4 interface to IPv6 interface [VLINK] and this approach is ...
... router/router-to-site scenarios (i.e., when the IPv6 prefixes can be known a priori), and it offers only a limited set of features (e.g., no multicast) compared with a ...
... SPD entries assume that there are two hosts, Host1 and Host2, whose IPv6 addresses are denoted IPV6-EP1 and IPV6-EP2 (global addresses), and the IPV4 addresses ...

   Rule  Local      Remote     Protocol   Action
   ----  -----      ------     ---------- --------
   1     IPV6-EP1   IPV6-EP2   ESP        BYPASS
   2     IPV6-EP1   IPV6-EP2   IKE        BYPASS
   3     IPV6-EP1   IPV6-EP2   41         PROTECT(ESP, tunnel ...

   Rule  Local      Remote     Protocol   Action
   ----  -----      ------     ---------- --------
   1     IPV6-EP2   IPV6-EP1   ESP        BYPASS
   2     IPV6-EP2   IPV6-EP1   IKE        BYPASS
   3     IPV6-EP2   IPV6-EP1   41         PROTECT(ESP, tunnel ...
... The IDci and IDcr payloads of IKEv1 carry the IPV6-EP1 and IPV6-TEP2 as phase 2 identities. With IKEv2, the traffic ...
... The following SPD entries assume that the host has the IPv6 address IPV6-EP1 and the tunnel endpoints of the host and router ...
... and a host where the router has allocated an IPV6-PREF/48 to the host, the corresponding SPD entries can be derived by replacing IPV6-EP1 with IPV6-PREF/48. Please note the bypass ...
... host-to-router tunneling, having a similar entry, "Local=IPV6-PREF/48 & Remote=IPV6-PREF/48", is critical for site-to-router ...
   Rule  Local      Remote     Protocol   Action
   ----  -----      ------     ---------- --------
   1     IPV6-EP1   IPV6-EP2   ESP        BYPASS
   2     IPV6-EP1   IPV6-EP2   IKE        BYPASS
   3     IPV6-EP1   IPV6-EP1   ANY        BYPASS
   4     IPV6-EP1   ANY        ANY        PROTECT(ESP, tunnel ...

   Rule  Local      Remote     Protocol   Action
   ----  -----      ------     ---------- --------
   1     IPV6-EP2   IPV6-EP1   ESP        BYPASS
   2     IPV6-EP2   IPV6-EP1   IKE        BYPASS
   3     ANY        IPV6-EP1   ANY        PROTECT(ESP, tunnel ...

... The IDci and IDcr payloads of IKEv1 carry the IPV6-EP1 and ID_IPV6_ADDR_RANGE or ID_IPV6_ADDR_SUBNET as their phase 2 identities. The starting address is zero and the end address is all ones for ID_IPV6_ADDR_RANGE. The starting address ... IP address and the end address is all zeroes for ID_IPV6_ADDR_SUBNET. With IKEv2 ...


... host in the host-to-router scenario to obtain an IPv6 address from the ISP as part of setting up ...
... RFC3948]. For IPv6-in-IPv4 tunneling, NAT traversal is interesting for two ...
... address has been learned, it is configured as the tunnel endpoint for the configured IPv6-in-IPv4 tunnel. ...


