TRANSCRIPT

IPv6 Security: A Technical Brief
Peter Atanasovski
Dec 2004
Page 2
Agenda
• Security Concepts Explained
• IPsec Fundamentals
• Internet Key Exchange (IKE)
• Looking forward
  • IKEv2
  • IPsec revisions
• Resources
Page 3
What is IPsec?
• A framework of open standards for ensuring secure, private communications over public IP networks. (Core RFCs 2401-2412)
• Offers cryptographic security at the network layer
• Provides protection based on configured security policies
• Works with other protocols (e.g. IKE) to negotiate algorithms and cryptographic keys between communication end-points.
• RECOMMENDED for IPv4, but MANDATORY for IPv6 stacks (the requirement as it stood in 2004; RFC 6434, the 2011 IPv6 Node Requirements, later relaxed IPsec support for IPv6 nodes from MUST to SHOULD)
Page 4
What can IPsec provide?
[Figure: four examples of traffic crossing the INTERNET, one per service]
• Data Confidentiality: the credit card number "1234 5678 9012 3456" crosses the network as the ciphertext "z/9Ak4/OLnLiJRk0UNE5Z0a+3lcv"
• Data Origin Authentication: the message "To Paul: …. Signed By: Peter" arrives with proof that it really came from Peter
• Data Integrity: "Credit Card Transaction = $100, 123456" is sent with a check value (765AB3); an altered copy reading "Credit Card Transaction = $10,000, 123456" no longer matches it and is detected
• Replay Protection: numbered packets (the figure shows 12, 51, 2 and 11) let the receiver reject a captured packet that is sent again
Page 5
Data Confidentiality
Ability to keep data secret, achieved through encryption algorithms

[Figure: Symmetric-Key Cryptography (or Secret Key Cryptography)]
Cleartext ("Memo: Financial results for 2004 are … CONFIDENTIAL") → Encryption with the Secret Key → Ciphertext ("HZ hGcQv kGa jqZVqX8Sk XqocNw gzu vwGq oc1WHj9mtBGg hds /4u4Z0a+") → Decryption with the same Secret Key → Cleartext

Symmetric algorithms:
• Data Encryption Standard (DES) – 56-bit key length (mandatory in current RFC 2406, but is insecure and is deprecated)
• Triple DES – 168-bit key length, but only about 112 bits of effective security because of the meet-in-the-middle attack (widely used and mandatory in current drafts)
• Advanced Encryption Standard (AES) – 128, 192, 256-bit key lengths (will be mandatory in the future)
Page 6
Data Confidentiality (cont.)
Public-Key Algorithms: RSA, Diffie-Hellman
• Symmetric algorithms are used for bulk data encryption (more efficient to compute)
• Asymmetric algorithms are used for peer authentication (digital signatures) and key establishment (Diffie-Hellman) during IKE, not for per-packet protection (computationally intensive); per-packet integrity comes from keyed hashes, covered under Authentication

[Figure: Asymmetric-Key Cryptography (or Public Key Cryptography)]
Cleartext ("Memo: Financial results for 2004 are … CONFIDENTIAL") → Encryption with the recipient's Public Key → Ciphertext ("HZ hGcQv kGa jqZVqX8Sk XqocNw gzu vwGq oc1WHj9mtBGg hds /4u4Z0a+") → Decryption with the recipient's Private Key → Cleartext
Page 7
Message Integrity
Detection of data tampering between source and destination

[Figure] Cleartext ("Memo: Financial results for 2004 are … CONFIDENTIAL") → Hash Function → Message Digest (ADEFCDB); Cleartext + Message Digest are sent To Receiver, who recomputes the digest over the received cleartext and compares. Note that an unkeyed digest only detects accidental or careless modification: an attacker who can rewrite the message can rewrite the digest too, which is why IPsec keys the computation (next page).

Hash Algorithms:
• Message Digest 5 (MD5) – Produces a 128-bit digest
• Secure Hash Algorithm 1 (SHA1) – Produces a 160-bit digest
(Both are now deprecated for new designs: MD5 collisions were published in 2004 and SHA-1 collisions in 2017. The current IPsec algorithm profile, RFC 8221, lists HMAC-MD5-96 as MUST NOT and keeps HMAC-SHA1-96 only as MUST-, i.e. scheduled for removal.)
Page 8
Authentication
Methods to verify and confirm identity of IPsec peers
• Pre-shared Keys – out-of-band distribution of shared secret

[Figure: same hash diagram as on page 7] Cleartext ("Memo: Financial results for 2004 are … CONFIDENTIAL") → Hash Function → Message Digest (ADEFCDB); Cleartext + Message Digest sent To Receiver
A secret key can also be applied to the computation, producing a Message Authentication Code (MAC). IPsec requires the use of the HMAC-MD5 or HMAC-SHA1 algorithms; in AH and ESP the MAC is truncated to its leftmost 96 bits (HMAC-MD5-96, HMAC-SHA1-96) and carried as the Integrity Check Value.
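The difference between the unkeyed digest of page 7 and the keyed MAC described here, as an added example (not code from the brief): the receiver's check with a plain SHA1 digest, the attacker's trivial forgery against it, and the same check with HMAC-SHA1-96 truncated to 96 bits as IPsec carries it. The memo text, its altered copy and the 16-byte key are constructed for this example.

```python
# Added example, not from the brief: an unkeyed digest (page 7) versus the
# keyed HMAC that IPsec actually carries as its ICV. The memo text, its
# altered copy and the 16-byte key below are constructed for this example.
import hashlib
import hmac

MEMO = b"Memo: Financial results for 2004 are ... CONFIDENTIAL"
ALTERED = b"Memo: Financial results for 2004 are ... PUBLIC"
SHARED_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")  # constructed, not a real key


def digest_bits() -> dict:
    """Digest sizes, in bits, of the two hash algorithms the brief lists."""
    return {"MD5": hashlib.md5().digest_size * 8, "SHA1": hashlib.sha1().digest_size * 8}


def unkeyed_check(msg: bytes, md: bytes) -> bool:
    """Receiver's test when only a plain SHA1 digest travels with the message."""
    return hmac.compare_digest(hashlib.sha1(msg).digest(), md)


def hmac_96(key: bytes, data: bytes, algo=hashlib.sha1) -> bytes:
    """HMAC truncated to its leftmost 96 bits (12 bytes): HMAC-SHA1-96, or
    HMAC-MD5-96 with algo=hashlib.md5. This is the value IPsec puts in the ICV."""
    return hmac.new(key, data, algo).digest()[:12]


def keyed_check(key: bytes, msg: bytes, icv: bytes) -> bool:
    """Receiver recomputes the MAC with the shared key and compares in constant time."""
    return hmac.compare_digest(hmac_96(key, msg), icv)


def demo() -> dict:
    # 1. Plain hash. A careless attacker who edits the memo but leaves the old
    #    digest is caught; one who recomputes the digest is not, because
    #    nothing in the computation is secret.
    md = hashlib.sha1(MEMO).digest()
    careless = unkeyed_check(ALTERED, md)
    recomputed = unkeyed_check(ALTERED, hashlib.sha1(ALTERED).digest())
    # 2. Keyed MAC. The attacker does not hold SHARED_KEY, so the best it can
    #    do is a MAC under a guessed key, which the receiver rejects.
    icv = hmac_96(SHARED_KEY, MEMO)
    genuine = keyed_check(SHARED_KEY, MEMO, icv)
    forged = keyed_check(SHARED_KEY, ALTERED, hmac_96(b"guessed key", ALTERED))
    return {
        "unkeyed_careless_tamper_accepted": careless,      # False
        "unkeyed_recomputed_tamper_accepted": recomputed,  # True: a plain hash authenticates nothing
        "keyed_genuine_accepted": genuine,                 # True
        "keyed_forgery_accepted": forged,                  # False
        "icv_bits": len(icv) * 8,                          # 96
    }


if __name__ == "__main__":
    print(digest_bits())
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`hmac.compare_digest` is used in both receivers so that a wrong ICV takes the same time to reject whichever byte differs; a plain `==` on MACs leaks timing that an attacker can use to forge one byte at a time.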
Page 9
Authentication (cont.)
• Digital Signatures – based on public key (asymmetric) cryptography (RSA, DSA)
• Provides non-repudiation

[Figure: RSA Digital Signatures]
Cleartext ("Memo: Financial results for 2004 are … CONFIDENTIAL") → Hash Function → Message digest (ADEFCDB) → Message digest signed (encrypted) with the sender's Private key → Signature ("4D/TluiU5"); Cleartext + Signature are sent to the Receiver, who decrypts the signature with the sender's Public key and compares the recovered digest with a fresh hash of the cleartext
Page 10
How IPsec works
• IPsec Protocols
  • Authentication Header (AH)
  • Encapsulating Security Payload (ESP)
• Security Policy Database (SPD)
  • Storage for security policy entries defining which network traffic to protect and how
• Security Association (SA)
  • Uni-directional contract describing the security services and key(s) applied to communications between two end-points (a two-way conversation therefore needs a pair of SAs)
• SA and Key Management
  • Manual Keys
  • Internet Key Exchange (IKE)
    • SA creation
    • Automatic key management
Page 11
IPsec Protocols
[Figure] Transport Mode: IPsec Host ↔ IPsec Host, end to end. Tunnel Mode: IPsec Gateway ↔ IPsec Gateway, with the original packet carried inside a new outer packet between the gateways
Used to secure IPv4/IPv6 packets
• Authentication Header (AH)
  • Authentication, Integrity, Replay Protection
• Encapsulating Security Payload (ESP)
  • Confidentiality, Authentication, Integrity, Replay Protection
Page 12
Authentication Header (AH)
[Figure: AH format, bit offsets 0, 7, 15, 31]
  0              7              15                              31
  | Next Header  | Payload Length |          Reserved             |
  |               Security Parameters Index (SPI)                |
  |                      Sequence Number                         |
  |            Integrity Check Value (ICV), variable length      |
• Provides Authentication, Integrity, Replay Protection
Page 13
Authentication Header (cont.)
[Figure: AH placement in IPv6; * = if present]
Transport Mode:
  before: IPv6 Base Hdr + *Ext | IPv6 Payload
  after:  IPv6 Base Hdr + *Ext | AH Ext Hdr | *Dest Opt | IPv6 Payload
  Authenticated: the entire packet, with mutable fields (traffic class, flow label, hop limit, mutable option data) treated as zero when the ICV is computed
Tunnel Mode:
  before: IPv6 Base Hdr + *Ext | IPv6 Payload
  after:  New IPv6 Base Hdr + *Ext | AH Ext Hdr | *Dest Opt | IPv6 Base Hdr + *Ext | IPv6 Payload
  Authenticated: the entire new packet, inner header included, again with mutable outer fields zeroed
Protocol number = 51
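An added example (not code from the brief) that puts pages 12 and 13 together: it builds a transport-mode AH packet over a bare IPv6 header, computes the HMAC-SHA1-96 ICV with the mutable hop limit and the ICV field zeroed, and verifies it on the receiving side with the sequence-number window that gives AH its replay protection. The addresses, key and payloads are constructed, no extension headers are present, and the window logic follows RFC 2402 section 3.4.3.

```python
# Added example, not from the brief: build and verify the AH of pages 12-13
# (transport mode, no extension headers, HMAC-SHA1-96) plus the anti-replay
# window. Addresses, key and payloads below are constructed.
import hashlib
import hmac
import ipaddress
import struct

AH_PROTO = 51      # Next Header value that introduces AH
ICV_LEN = 12       # HMAC-SHA1-96 -> 96 bits
AH_FIXED = 12      # Next Header, Payload Len, Reserved, SPI, Sequence Number


def ipv6_header(src: bytes, dst: bytes, next_header: int, payload_len: int, hop_limit: int = 64) -> bytes:
    """40-byte IPv6 base header: version 6, traffic class 0, flow label 0."""
    return struct.pack("!IHBB", 6 << 28, payload_len, next_header, hop_limit) + src + dst


def icv_input_ipv6(ip6: bytes) -> bytes:
    """AH covers the IP header, but fields that change in transit (traffic
    class, flow label, hop limit) are treated as zero (RFC 2402)."""
    _, plen, nh, _ = struct.unpack("!IHBB", ip6[:8])
    return struct.pack("!IHBB", 6 << 28, plen, nh, 0) + ip6[8:]


def build_ah_packet(key: bytes, src: bytes, dst: bytes, spi: int, seq: int, inner_next: int, payload: bytes) -> bytes:
    """IPv6 hdr | AH | payload. ICV = HMAC-SHA1-96 over the whole packet with
    mutable IP fields and the ICV field itself zeroed."""
    ah_len = AH_FIXED + ICV_LEN
    payload_len_field = ah_len // 4 - 2      # AH length in 32-bit words minus 2 (RFC 2402): 4
    ah_no_icv = struct.pack("!BBHII", inner_next, payload_len_field, 0, spi, seq)
    ip6 = ipv6_header(src, dst, AH_PROTO, ah_len + len(payload))
    data = icv_input_ipv6(ip6) + ah_no_icv + bytes(ICV_LEN) + payload
    icv = hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]
    return ip6 + ah_no_icv + icv + payload


class ReplayWindow:
    """Sliding window over 32-bit sequence numbers: bit i of the bitmap says
    whether sequence number top - i has already been accepted."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check(self, seq: int) -> bool:
        if seq == 0:                        # 0 is never valid; the first packet is 1
            return False
        if seq > self.top:                  # new high-water mark
            return True
        if self.top - seq >= self.size:     # fell off the left edge: too old
            return False
        return not (self.bitmap >> (self.top - seq)) & 1   # reject if already seen

    def update(self, seq: int) -> None:
        if seq > self.top:
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def verify_ah_packet(key: bytes, packet: bytes, window: ReplayWindow) -> tuple:
    """Receiver side: (accepted, reason, payload). The window is advanced only
    after the ICV verifies, so a forged sequence number cannot move it."""
    ip6, rest = packet[:40], packet[40:]
    if len(ip6) < 40 or ip6[6] != AH_PROTO or len(rest) < AH_FIXED:
        return False, "not an AH packet", b""
    _, plen, _, _, seq = struct.unpack("!BBHII", rest[:AH_FIXED])
    ah_len = (plen + 2) * 4
    icv, payload = rest[AH_FIXED:ah_len], rest[ah_len:]
    if not window.check(seq):
        return False, "replayed or stale sequence number", b""
    data = icv_input_ipv6(ip6) + rest[:AH_FIXED] + bytes(len(icv)) + payload
    expected = hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return False, "bad ICV", b""
    window.update(seq)
    return True, "ok", payload


def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff00112233")  # constructed 20-byte key
    src = ipaddress.IPv6Address("2000::1").packed
    dst = ipaddress.IPv6Address("2001::1").packed
    win, spi = ReplayWindow(), 0x1000
    mk = lambda seq, data: build_ah_packet(key, src, dst, spi, seq, 6, data)
    p1, p2, p3 = mk(1, b"GET / HTTP/1.1\r\n"), mk(2, b"Host: [2001::1]\r\n"), mk(3, b"\r\n")
    r = {"first": verify_ah_packet(key, p1, win)[1]}                      # ok
    r["replay"] = verify_ah_packet(key, p1, win)[1]                        # same packet again
    forwarded = p2[:7] + bytes([p2[7] - 1]) + p2[8:]                       # router decremented hop limit
    r["hop_limit_changed"] = verify_ah_packet(key, forwarded, win)[1]      # ok: mutable field
    tampered = p3[:-1] + bytes([p3[-1] ^ 0x01])                            # one payload bit flipped
    r["payload_tampered"] = verify_ah_packet(key, tampered, win)[1]        # bad ICV
    r["far_ahead"] = verify_ah_packet(key, mk(200, b"a"), win)[1]          # ok: window jumps to 200
    r["out_of_order"] = verify_ah_packet(key, mk(199, b"b"), win)[1]       # ok: inside the window
    r["too_old"] = verify_ah_packet(key, mk(100, b"c"), win)[1]            # stale: 200 - 100 >= 64
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The ordering in `verify_ah_packet` matters: the cheap window check runs first so that replayed traffic costs no HMAC, but the window is only updated after the ICV passes, otherwise an attacker could send a packet with sequence number 0xFFFFFFFF and a garbage ICV to shift the window and shut out all legitimate traffic.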
Page 14
Encapsulating Security Payload (ESP)
• Confidentiality, Authentication, Integrity, Replay Protection
[Figure: ESP format, bit offsets 0, 7, 15, 23, 31]
  Header:
  |               Security Parameters Index (SPI)                 |
  |                      Sequence Number                          |
  |                Initialization Vector (IV)                     |
  |                 Protected Data (variable)                     |
  Trailer:
  |           Pad (0-255 bytes)          | Pad Length | Next Header |
  |            Integrity Check Value (ICV), variable length       |
Page 15
Encapsulating Security Payload (cont.)
[Figure: ESP placement in IPv6; * = if present]
Transport Mode:
  before: IPv6 Base Hdr + *Ext | IPv6 Payload
  after:  IPv6 Base Hdr + *Ext | ESP Ext Hdr | *Dest Opt | IPv6 Payload | ESP Trailer | ICV
  Encrypted: *Dest Opt, IPv6 Payload, ESP Trailer
  Authenticated: ESP Ext Hdr through ESP Trailer (unlike AH, the IPv6 base header is not covered)
Tunnel Mode:
  before: IPv6 Base Hdr + *Ext | IPv6 Payload
  after:  New IPv6 Base Hdr + *Ext | ESP Ext Hdr | IPv6 Base Hdr + *Ext | IPv6 Payload | ESP Trailer | ICV
  Encrypted: inner IPv6 Base Hdr + *Ext, IPv6 Payload, ESP Trailer (the original addresses are hidden)
  Authenticated: ESP Ext Hdr through ESP Trailer
Protocol number = 50
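The ESP framing of pages 14 and 15 as an added example (not code from the brief): building the header, padded trailer and ICV, then parsing it on the receiver with the ICV checked before anything is decrypted. It uses the NULL encryption algorithm (RFC 2410, the standard authentication-only ESP) so that it runs on the standard library alone; with a real cipher only `null_cipher()` changes and `block_size` becomes the cipher's block size. Key and payload are constructed.

```python
# Added example, not from the brief: ESP framing (pages 14-15) with ESP-NULL
# encryption (RFC 2410) and HMAC-SHA1-96. Key and payload are constructed.
import hashlib
import hmac
import struct

ESP_PROTO = 50
ICV_LEN = 12       # HMAC-SHA1-96
ESP_HDR = 8        # SPI (4) + Sequence Number (4); NULL encryption has no IV


def pad_length(payload_len: int, block_size: int) -> int:
    """Padding so that payload + pad + Pad Length + Next Header is a multiple
    of the cipher block size and the trailer ends on a 4-byte boundary
    (RFC 2406 2.4). NULL uses block_size 4; AES would use 16."""
    if block_size % 4:
        raise ValueError("block size must keep the trailer 4-byte aligned")
    return (-(payload_len + 2)) % block_size


def null_cipher(data: bytes) -> bytes:
    """ESP-NULL: ciphertext equals plaintext. Stand-in for a real cipher."""
    return data


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def build_esp(key: bytes, spi: int, seq: int, next_header: int, payload: bytes, block_size: int = 4) -> bytes:
    """Return SPI | Seq | encrypt(payload | pad | pad len | next hdr) | ICV."""
    n = pad_length(len(payload), block_size)
    pad = bytes(range(1, n + 1))                   # default pad contents 1, 2, 3, ... (RFC 2406)
    trailer = pad + bytes([n, next_header])
    body = null_cipher(payload + trailer)          # encrypted span: payload and ESP trailer
    header = struct.pack("!II", spi, seq)
    icv = hmac_sha1_96(key, header + body)         # authenticated span: ESP header + body, no IP header
    return header + body + icv


def parse_esp(key: bytes, esp: bytes) -> tuple:
    """Receiver side: verify the ICV first, then decrypt and strip the trailer."""
    if len(esp) < ESP_HDR + 2 + ICV_LEN:
        return None, "truncated"
    header, body, icv = esp[:ESP_HDR], esp[ESP_HDR:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(hmac_sha1_96(key, header + body), icv):
        return None, "bad ICV"                     # nothing below touches unauthenticated bytes
    spi, seq = struct.unpack("!II", header)
    plain = null_cipher(body)
    n, next_header = plain[-2], plain[-1]
    if n + 2 > len(plain):
        return None, "bad pad length"
    cut = len(plain) - 2 - n
    payload, pad = plain[:cut], plain[cut:-2]
    if pad != bytes(range(1, n + 1)):              # receivers MAY inspect the default padding
        return None, "bad padding"
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload}, "ok"


def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff00112233")  # constructed 20-byte key
    payload = b"GET / HTTP/1.1\r\n"                 # 16 bytes of a TCP segment, constructed
    esp = build_esp(key, 0x1000, 1, 6, payload, block_size=16)
    parsed, status = parse_esp(key, esp)
    # Flip one bit inside the trailer: the ICV rejects it before any pad check runs.
    t = len(esp) - ICV_LEN - 1
    flipped = esp[:t] + bytes([esp[t] ^ 0x80]) + esp[t + 1:]
    return {
        "pad_bytes": pad_length(len(payload), 16),       # 14: 16 + 14 + 2 = 32
        "encrypted_span": len(esp) - ESP_HDR - ICV_LEN,  # 32
        "authenticated_span": len(esp) - ICV_LEN,        # 40
        "status": status,                                # ok
        "next_header": parsed["next_header"],            # 6 (TCP)
        "payload": parsed["payload"],
        "tampered_status": parse_esp(key, flipped)[1],   # bad ICV
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Verifying the ICV before decrypting is not a style choice: with a real block cipher, decrypting and inspecting padding on unauthenticated data turns the "bad padding" result into a padding oracle. Integrity-first (encrypt-then-MAC) is the order ESP specifies.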
Page 16
Security Policy Database (SPD)
• Determines security afforded to an IPv6 packet.
• Consulted for both inbound and outbound processing of an IPv6 packet (including non-IPsec packets)
• Identifies the Security Association for an IPv6 packet
• 5-tuple Selectors used to find the SPD entry: <src_ip, dst_ip, protocol, src_port, dst_port>

[Figure: a packet (Hdr | Payload) is matched against the Security Policy Database; the matching entry yields one of three outcomes: Bypass IPsec, Discard, or Secure(d) Packet using a Security Association found in the Security Association Database (SADB)]

Example SPD entry:
  Src IP   | Dst IP  | Protocol | Src Port | Dst Port | Policy
  2000::1  | 2001::1 | TCP      | ANY      | 80       | Tunnel ESP with HMAC-SHA1
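The SPD lookup on this page, as an added example (not code from the brief): ordered entries matched on the 5-tuple selectors, the three outcomes, and the inbound path in which the SA found by SPI is checked against what the SPD requires for the decapsulated packet. The slide's row is reproduced as given; the neighbour-discovery bypass row, the SAD entry, the SPI value and the "no match means discard" default are constructed assumptions of this example.

```python
# Added example, not from the brief: SPD lookup on the page-16 selectors,
# plus the inbound SA-versus-policy check. The ND bypass row, the SAD row
# and the SPI are constructed for this example.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TCP, ICMPV6, ESP = 6, 58, 50


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    src_port: Optional[int] = None    # None for protocols without ports
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class SpdEntry:
    """One SPD row: <src_ip, dst_ip, protocol, src_port, dst_port> -> policy.
    Addresses are prefixes; None in any selector means ANY."""
    src: str
    dst: str
    protocol: Optional[int]
    src_port: Optional[int]
    dst_port: Optional[int]
    action: str                          # "BYPASS", "DISCARD" or "PROTECT"
    sa_template: Optional[str] = None    # e.g. "Tunnel ESP with HMAC-SHA1" for PROTECT

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        pairs = ((self.protocol, p.protocol), (self.src_port, p.src_port), (self.dst_port, p.dst_port))
        return all(want is None or want == got for want, got in pairs)


@dataclass(frozen=True)
class SadEntry:
    spi: int
    dst: str
    ipsec_proto: int                     # 50 = ESP, 51 = AH
    sa_template: str


def spd_lookup(spd: List[SpdEntry], p: Packet) -> tuple:
    """Outbound: first matching entry wins, so order the SPD most-specific
    first. No match is treated as DISCARD (assumption of this example)."""
    for entry in spd:
        if entry.matches(p):
            return entry.action, entry.sa_template
    return "DISCARD", None


def inbound_process(spd, sad, spi: int, outer_dst: str, ipsec_proto: int, inner: Packet) -> tuple:
    """Inbound: find the SA by <SPI, dst, protocol>, then confirm the SPD
    really requires that SA for the decapsulated packet. Without the second
    step a peer holding any valid SA could inject traffic the policy never
    allowed over it."""
    sa = next((s for s in sad if (s.spi, s.dst, s.ipsec_proto) == (spi, outer_dst, ipsec_proto)), None)
    if sa is None:
        return "DISCARD", "no SA for this SPI"
    action, template = spd_lookup(spd, inner)
    if action != "PROTECT" or template != sa.sa_template:
        return "DISCARD", "inner packet not covered by the SA's policy"
    return "ACCEPT", sa.sa_template


SPD = [
    SpdEntry("fe80::/10", "ff02::/16", ICMPV6, None, None, "BYPASS"),  # constructed: let ND through
    SpdEntry("2000::1/128", "2001::1/128", TCP, None, 80, "PROTECT", "Tunnel ESP with HMAC-SHA1"),  # slide's row
]
SAD = [SadEntry(0x1000, "2001::1", ESP, "Tunnel ESP with HMAC-SHA1")]  # constructed SA


def demo() -> dict:
    web = Packet("2000::1", "2001::1", TCP, 40000, 80)
    telnet = Packet("2000::1", "2001::1", TCP, 40001, 23)
    nd = Packet("fe80::1", "ff02::1:ff00:1", ICMPV6)
    return {
        "web_out": spd_lookup(SPD, web),                                        # PROTECT via tunnel ESP
        "telnet_out": spd_lookup(SPD, telnet),                                  # DISCARD: no entry
        "nd_out": spd_lookup(SPD, nd),                                          # BYPASS
        "web_in": inbound_process(SPD, SAD, 0x1000, "2001::1", ESP, web),       # ACCEPT
        "telnet_in": inbound_process(SPD, SAD, 0x1000, "2001::1", ESP, telnet), # DISCARD: policy mismatch
        "unknown_spi": inbound_process(SPD, SAD, 0x2000, "2001::1", ESP, web),  # DISCARD: no SA
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The bypass row for neighbour discovery is there because an IPv6 host whose SPD discards unmatched traffic cannot resolve its next hop without it; on a real node that row, and the order of the entries, is the part of the policy to review most carefully.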