
ICMPv6 and IPsec drafts




Hi.

We've published two internet drafts around the use
of IPsec in the context of ICMPv6. Here are the
URLs to the drafts as well as the abstracts.
Feedback and comments would be greatly appreciated!
In particular, we'd be interested in hearing how
other folks who have implemented IPsec in an IPv6
environment have dealt with the issues discussed
in the first draft.

Title: Effects of ICMPv6 on IKE and IPsec Policies
Author: J. Arkko
Abstract:
    The ICMPv6 protocol provides many functions
    which in IPv4 were either non-existent or
    provided by lower layers. IPv6 architecture also
    makes it possible to secure all IP packets using
    IPsec, even ICMPv6 messages. IPsec architecture
    has a Security Policy Database that specifies
    which traffic is protected, and how. It turns
    out that the specification of policies in the
    presence of ICMPv6 traffic is hard. Sound-looking
    policies may easily lead to loops: The establishment
    of security requires ICMPv6 messages which can't
    be sent since security hasn't been established yet.
    The purpose of this draft is to inform system
    administrators and IPsec implementors in which
    manner they can handle the ICMPv6 messages.
    Common understanding of the way that these
    messages are handled is also necessary for
    interoperability, in case vendors hardcode such
    rules into products.
http://search.ietf.org/internet-drafts/draft-arkko-icmpv6-ike-effects-00.txt

Title: Manual SA Configuration for IPv6 Link Local Messages
Authors: J. Arkko, P. Nikander, T. Kivinen, M. Rossi
Abstract:
    This draft discusses the use of manually configured
    IPsec SAs to protect ICMPv6 messages such as router
    discovery and address resolution on the local link.
    IPsec SAs are generally identified by the triple
    <SPI, destination address, protocol>. For the ICMPv6
    messages configuring the SAs requires some effort,
    however, since there are multiple known destination
    addresses plus a number of addresses that depend on
    the physical link addresses. This draft describes
    the security implications of protecting or not
    protecting the link local ICMPv6 messages, lists
    the SAs that must be configured manually, and
    discusses some approaches for reducing
    configuration effort.
http://search.ietf.org/internet-drafts/draft-arkko-manual-icmpv6-sas-00.txt
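
The policy loop described in the first abstract can be reproduced with a toy Security Policy Database. This is an added example, not code from the drafts or the post. The class and function names, the two sample policies, and the choice of a Neighbor Discovery bypass as the way out of the loop are assumptions made for illustration.

```python
# Added illustration (not from the drafts): toy SPD model showing the policy loop.
from dataclasses import dataclass

NS, NA = 135, 136  # ICMPv6 Neighbor Solicitation / Advertisement type numbers

class PolicyLoop(Exception):
    pass

@dataclass(frozen=True)
class Packet:
    proto: str
    icmp_type: int = 0
    dport: int = 0

@dataclass(frozen=True)
class Rule:
    proto: str               # "any" matches every protocol
    action: str              # "bypass" or "protect" (needs an IKE-negotiated SA)
    icmp_types: tuple = ()   # empty tuple = any ICMPv6 type
    dport: int = 0           # 0 = any destination port

    def matches(self, p):
        return (self.proto in ("any", p.proto)
                and (not self.icmp_types or p.icmp_type in self.icmp_types)
                and (not self.dport or p.dport == self.dport))

IKE = Packet("udp", dport=500)             # IKE runs over UDP port 500
SOLICIT = Packet("icmpv6", icmp_type=NS)   # address resolution on the link

def lookup(spd, pkt):
    """First matching rule wins; unmatched traffic is discarded."""
    return next((r.action for r in spd if r.matches(pkt)), "discard")

def plan(spd, pkt, pending=()):
    """Return the packets that must go out, in order, before pkt can be sent."""
    if pkt in pending:  # pkt is waiting on itself: the loop from the abstract
        raise PolicyLoop(" -> ".join(p.proto for p in pending + (pkt,)))
    pending += (pkt,)
    action, steps = lookup(spd, pkt), []
    if action == "discard":
        raise ValueError("dropped by policy")
    if action == "protect":                 # no SA yet, so IKE must run first
        steps += plan(spd, IKE, pending)
    if (pkt.proto, pkt.icmp_type) not in (("icmpv6", NS), ("icmpv6", NA)):
        steps += plan(spd, SOLICIT, pending)  # peer's link address unknown
    return steps + [pkt]

# Constructed policies: IKE itself is exempt, everything else needs an SA.
LOOPING = [Rule("udp", "bypass", dport=500), Rule("any", "protect")]
# Assumed fix: also exempt Neighbor Discovery so IKE can reach the peer.
FIXED = [Rule("icmpv6", "bypass", icmp_types=(NS, NA))] + LOOPING
```

With `FIXED`, Neighbor Discovery travels without IPsec protection; the second abstract's manually configured SAs are the alternative that keeps those messages protected without depending on IKE.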