IPsec protocol with IPv6

[Talleen]

I have given an assignment on an IPsec protocol that works with an IPv6. Now I am not having enough knowledge about it. Since, you guys explained me lot of things, I thought that instead of searching on net, it would be better to ask you directly.!! So please provide me an information about the IPsec protocol with IPv6 as soon as possible.

[Baser-X]

Ipsec is a protocol designed to secure the exchange of data at the network layer. The IPv4 network is widely deployed and migration to IPv6 is inevitable, yet long, it seemed interesting to develop techniques to protect data common to IPv4 and IPv6. These mechanisms are commonly referred to as IPSec for IP Security Protocols. IPSec is based on two mechanisms. The first AH for Authentication Header is designed to ensure the integrity and authenticity of IP datagrams. It provides no confidentiality by cons: the data provided and transmitted by this "protocol" are not encoded. The second, Esp for Encapsulating Security Payload can also provide authentication data but is primarily used for encrypting information. Although independent these two mechanisms are almost always used together. Finally, the protocol can manage Ike exchanges or associations between security protocols. Before describing these protocols, we will outline the different elements used in IPSec.

[Luther]

An SA(security association) is unidirectional and, therefore, protect a two-way classical communication requires two associations, one in each direction. The security services are provided by the use of either AH or ESP. If AH and ESP are both applied to the traffic in question, two SA (or more) are created, a situation called package (bundle) of SA. Each association is uniquely identified with a triplet composed of :

• The destination address of packets,
• The identifier of the security protocol (AH or ESP),
• An index of security settings (Security Parameter Index, SPI). An SPI is a block of 32-bit registered clear in the header of each packet exchanged, it was chosen by the receiver.

[Wilbur]

When the "layer" Ipsec receives data to send, it starts by looking for database security policies (SPD) on how to handle these data. If this basis he says traffic should be applying security mechanisms, it retrieves the required characteristics for the corresponding SA and will consult the database of SA (SAD). If necessary the SA already exists, it is used to treat the traffic in question. Otherwise, IPsec uses IKE to establish a new SA with the necessary characteristics.

[Jannat]

When the layer receives an IPsec packet from the network, it examines the header to find out if this package has been applied to one or more IPsec services and if so, what are the credentials of the SA. She consults the SAD to find the parameters to be used for verification and / or decrypting the packet. Once the package checked and / or decrypted, the SPD is consulted to determine if the security association applied to the packet corresponded to that required by security policies. If the received packet is an IP packet classical, Spd can know whether it is nevertheless entitled to pass. For example, IKE packets are an exception. They are treated by Ike, which can send administrative alerts in case of unsuccessful login attempt.

[Twitter]

Secure protocols presented in the previous paragraphs rely on cryptographic algorithms and thus need keys. One of the fundamental problems of use of cryptography is the management of these keys. The term "management" includes the generation, distribution, storage and removal of keys. IKE (Internet Key Exchange) is a system developed specifically for IPsec, which aims to provide mechanisms for authentication and key exchange adapted to all situations that may arise on the Internet. It is composed of several elements: the generic framework and part of ISAKMP Oakley Skeme protocols. When used for IPSec, IKE is further supplemented by a "domain of interpretation" for IPsec.

[Michael Sabin]

Isakmp's role negotiation, establishment, modification and removal of security associations and their attributes. It lays the foundation for building various key management protocols (and more generally of security associations). It has three main aspects :

• It defines a way to proceed in two phases called Phase 1 and Phase 2: In the first, a number of specific security parameters are established ISAKMP to establish between two-thirds a secure channel, in a Secondly, this channel is used to negotiate security associations for security mechanisms that you want to use.
• It defines message formats, through blocks each having a specific role and to form clear messages.
• It presents a number of trade types consist of such messages, which allows negotiations with different properties: protection or not the identity, perfect forward secrecy ...