Module 3  Lesson 3: Security in IPv6

Security in IPv6—Objectives

Upon completion of this lesson , you will be able to :

Ø Describe how security is implemented in IPv6

Ø Describe AH and ESP security headers

Ø Describe IPv6 security issues (NAT,IKE)

1 Security –IPSec authentication Header

Ø Integrity

Ø Authentication of the source

Ø Optional replay protection

Security inside IPv6 is achieved by IPSec’s own protocols, IPSec is available in both IPv4 and IPv6, but it is mandatory in IPv6, IPSec has two separate header that can be chained in the same IPv6 packet through extension headers, there are many related protocols for IPSec such as the key management protocols

Authentication header (AH) provides integrity and authentication of the source , it also provides optional protection against replays, it protects the integrity of most of the IP header fields, but not all  as some change over the path, it authenticates the source through a signature-based algorithm,

The key difference between IPv4 and IPv6 related to security is the fact that IPSec is mandatory for IPv6, this means that all IP communications can be secured , if there is enough keying infrastructure to do on a large scale basis.

The other IPSec Security header is the Encapsulating Security Payload (ESP) header. It provides confidentiality, authentication of the source, connectionless integrity of the inner packet, anti-replay and limited traffic flow confidentiality.

2 IKE Issues

•      Internet Key Exchange (IKE) is the mechanism IPsec nodes use to change keys periodically to defeat eavesdropping/sampling attacks

•      Keys must be securely rolled over before sequence number cycles to use anti-replay service

•      Small key lengths and fast networks means keys must be rolled frequently – before 2^32 pkts are sent

•      Most currently shipping IPsec IPv6 stacks do not include IKE support, so manual keys must be used and managed

•      Key infrastructure is still lacking wide deployment, so any IPsec implementation will be difficult to scale

Note:

Ø Internet Security Association and Key Management Protocol (ISAKMP) combines authentication, key management and Security Associations (SA) management to build secure communication channels between hosts.

Ø Internet Key Exchange (IKE) can be used to negotiate security associations. 

Ø Regardless of the initial SA setup, even if symmetric pre-shared keys are used, the shared key must be rolled over (changed) before the sequence numbers (also called the initialization vector) are reused.

Ø For IPsec ESP, the sequence number is a 32-bit value, which means that a shared key can be used (securely) for no more than 4Billion packets before the key should be changed.  IKE provides a mechanism to securely change the shared key.

Ø Most IPsec implementations for IPv4 support IKE.  Most implementations for IPv6 do not at this time – static keys must be used and changed manually (rarely done).  Thus, for IPv6, many times shared keys remain constant for much too long, resulting in security risk.

3 NAT Issues

•      IPsec provides the ability to ensure packets are not modified in transit (AH) or viewed in transit (ESP)

•      NAT, by definition, modifies packets

•      Workarounds exist (NAT UDP Traversal) but are still not highly interoperable, and are still being discussed in the standards groups

•      IPsec works best as a secure connection between peers, with packets not modified in any way between these endpoints