ICMPv6 and IPsec drafts
Hi.
We've published two internet drafts around the use
of IPsec in the context of ICMPv6. Here are the
URLs to the drafts as well as the abstracts.
Feedback and comments would be greatly appreciated!
In particular, we'd be interested in hearing how
other folks who have implemented IPsec in an IPv6
environment have dealt with the issues discussed
in the first draft.
Title: Effects of ICMPv6 on IKE and IPsec Policies
Author: J. Arkko
Abstract:
The ICMPv6 protocol provides many functions
which in IPv4 were either non-existent or
provided by lower layers. IPv6 architecture also
makes it possible to secure all IP packets using
IPsec, even ICMPv6 messages. IPsec architecture
has a Security Policy Database that specifies
which traffic is protected, and how. It turns
out that the specification of policies in the
presence of ICMPv6 traffic is hard. Sound-looking
policies may easily lead to loops: The establishment
of security requires ICMPv6 messages which can't
be sent since security hasn't been established yet.
The purpose of this draft is to inform system
administrators and IPsec implementors in which
manner they can handle the ICMPv6 messages.
Common understanding of the way that these
messages are handled is also necessary for
interoperability, in case vendors hardcode such
rules into products.
http://search.ietf.org/internet-drafts/draft-arkko-icmpv6-ike-effects-00.txt
Title: Manual SA Configuration for IPv6 Link Local Messages
Authors: J. Arkko, P. Nikander, T. Kivinen, M. Rossi
Abstract:
This draft discusses the use of manually configured
IPsec SAs to protect ICMPv6 messages such as router
discovery and address resolution on the local link.
IPsec SAs are generally identified by the triple
<SPI, destination address, protocol>. For the ICMPv6
messages, configuring the SAs requires some effort,
however, since there are multiple known destination
addresses plus a number of addresses that depend on
the physical link addresses. This draft describes
the security implications of protecting or not
protecting the link local ICMPv6 messages, lists
the SAs that must be configured manually, and
discusses some approaches for reducing
configuration effort.
http://search.ietf.org/internet-drafts/draft-arkko-manual-icmpv6-sas-00.txt
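
The second abstract notes that manual SAs are keyed by <SPI, destination address, protocol> and that some destinations depend on the physical link addresses. The sketch below is an added example, not taken from either draft: it derives the link-local and solicited-node multicast addresses from each MAC on a link and enumerates the resulting triples. The SPI value, the sample MACs, and the choice of destinations (all-nodes, all-routers, each host's link-local and solicited-node address) are assumptions for illustration, not the draft's own SA list.

```python
import ipaddress

# Well-known link-scope multicast groups used by router discovery.
ALL_NODES = ipaddress.IPv6Address("ff02::1")
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")
ESP = 50  # IP protocol number for ESP


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 address with a modified EUI-64 interface ID built from a MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit and insert ff:fe in the middle.
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


def solicited_node(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, carrying the low 24 bits of the unicast address."""
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | (int(addr) & 0xFFFFFF))


def manual_sa_selectors(macs, spi=0x1000, proto=ESP):
    """Sorted, de-duplicated <SPI, destination, protocol> triples for one link.

    The SPI is a placeholder; the destination set is an assumption (see lead-in).
    """
    dests = {ALL_NODES, ALL_ROUTERS}
    for mac in macs:
        ll = link_local_from_mac(mac)
        dests.add(ll)
        dests.add(solicited_node(ll))  # hosts sharing low 24 bits share a group
    return [(spi, str(d), proto) for d in sorted(dests)]


if __name__ == "__main__":
    # Constructed sample: three hosts on one link (MACs are made up).
    sample = ["00:11:22:33:44:55", "00:11:22:33:44:56", "02:00:00:aa:bb:cc"]
    for triple in manual_sa_selectors(sample):
        print("spi=0x%x dst=%s proto=%d" % triple)
```

Each host added to the link contributes up to two more destinations, which is the configuration effort the abstract refers to.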