Toshiba Research and Development Center
IPsec provides encryption and non-repudiation protection at the IP layer. The IPsec standard itself supports both IPv4 and IPv6, but in IPv6, IPsec is defined as a mandatory feature.
In IPv4, widely used NATs rewrite IP headers, which inherently makes the IPsec non-repudiation feature useless. IPv6, however, expands the address space, making NAT unnecessary, and is therefore expected to increase the use of IPsec in terminal-to-terminal communications. This article explains IPsec, especially its use in IPv6.
IPsec architecture
The IPsec architecture is defined in RFC 2401. IPsec is realized through the following components:
- AH and ESP security protocols
- Two modes of operation: tunnel mode and transport mode
- Security Policy Database (SPD), which manages security policies (SPs), and the selector that correlates an SP with actual data traffic
- Security Association Database (SAD), which holds Security Associations (SAs), the parameters necessary for expressing IPsec connections and applying IPsec
- Key exchange protocols
Security Protocols
IPsec defines two security protocols: AH and ESP. Both are defined as IPv6 extension headers, and either or both can be used when applying IPsec to data packets. Figure 1 shows the positions of the AH and ESP headers among the IPv6 extension headers.
AH (Authentication Header)
AH provides integrity for data packets. It uses an authentication algorithm and key agreed on by the sender and receiver to compute an Integrity Check Value (ICV) over the entire IP packet [1] and adds the result as authentication data. The receiver can compute the ICV of received packets to check their integrity, thereby avoiding repudiation. The AH format is shown in Figure 2.
The authentication algorithm is not limited to one; it can be any of several options agreed on beforehand with the communication partner. At present, HMAC-MD5 and HMAC-SHA1 are the most widely used. AH doesn't provide encryption, so it doesn't offer data confidentiality.
Figure 2 AH format
The Security Parameter Index (SPI) is the value agreed on by the sender and receiver to identify the SA.
[1] Except for fields whose values change while the packet is in transit (Hop Limit, etc.).
ESP (Encapsulating Security Payload)
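The ICV rule described above, as an added example that is not part of the original article: fields that change in transit are zeroed before the MAC is computed, so a decremented Hop Limit still verifies while a rewritten address (the kind of change a NAT makes) does not. It is simplified in that the AH header itself is left out of the MAC input; the key, addresses and payload are constructed, and truncating HMAC-SHA1 to 96 bits is an assumption about the negotiated algorithm.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"        # constructed; normally agreed via key exchange
PAYLOAD = b"constructed payload"     # constructed upper-layer data

def ipv6_header(src, dst, payload_len, next_header, hop_limit):
    """Build the 40-byte IPv6 base header (traffic class and flow label 0)."""
    first_word = 6 << 28                           # version 6
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def mask_mutable(header):
    """Zero the fields routers may rewrite: traffic class, flow label, Hop Limit."""
    h = bytearray(header)
    h[0] &= 0xF0                                   # keep only the version nibble
    h[1:4] = b"\x00\x00\x00"
    h[7] = 0                                       # Hop Limit
    return bytes(h)

def ah_icv(key, header, payload):
    """ICV over the masked header plus payload, truncated to 96 bits."""
    return hmac.new(key, mask_mutable(header) + payload, hashlib.sha1).digest()[:12]

def verify(key, header, payload, icv):
    return hmac.compare_digest(ah_icv(key, header, payload), icv)

def demo():
    # Next Header 51 is the protocol number assigned to AH.
    sent = ipv6_header("2001:db8::1", "2001:db8::2", len(PAYLOAD), 51, 64)
    icv = ah_icv(KEY, sent, PAYLOAD)
    routed = ipv6_header("2001:db8::1", "2001:db8::2", len(PAYLOAD), 51, 61)
    rewritten = ipv6_header("2001:db8:ffff::9", "2001:db8::2", len(PAYLOAD), 51, 64)
    return {
        "hop_limit_changed": verify(KEY, routed, PAYLOAD, icv),
        "source_rewritten": verify(KEY, rewritten, PAYLOAD, icv),
        "payload_modified": verify(KEY, sent, PAYLOAD + b"!", icv),
    }

if __name__ == "__main__":
    print(demo())
```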
ESP offers packet payload encryption and non-repudiation protection. It uses an encryption algorithm agreed on between the sender and receiver to encrypt the payload portion of packets. In addition, the encrypted ESP header is given an ICV, computed with an authentication algorithm similarly agreed on between the sender and receiver. The ICV works as the authentication data, ensuring non-repudiation of the ESP header itself. The ESP format is shown in Figure 3.
The encryption and data integrity features can be applied separately, but applying encryption without the data integrity feature is not recommended, because it offers no assurance that the encryption was done by a legitimate party.
It should be noted that ESP doesn't ensure the data integrity of the whole packet as AH does; it covers only the payload. The encryption algorithm is not limited to one; it can be any of several options agreed on beforehand with the communication partner. At present, DES-CBC [2], 3DES-CBC and AES-CBC are the most widely used.

Figure 3 ESP format
[2] The DES key length is too short for adequate security protection. Therefore, its use is not recommended.
IPsec modes
IPsec has two modes of operation: tunnel mode and transport mode. Tunnel mode applies IPsec by adding a new IP header, with the whole original IP packet as the payload. This mode is often used in VPNs. Transport mode applies IPsec to the IP packets that hosts themselves transmit. It is used for end-to-end communication between nodes (Figure 5).
Figure 4 Tunnel mode
Figure 5 Transport mode
Security Policy (SP)
A Security Policy is a rule that defines which of the following actions IPsec applies to which types of packets:
- discard - discard packets
- bypass - no IPsec processing
- apply - apply IPsec
How the SP, SPD, and Selector are implemented is up to each IPsec system, as it causes no interoperability issues.
Security Association (SA)
A Security Association (SA) represents a secure connection controlled under the same IPsec rules (SPs). An SA is directional: transmission to and reception from the same peer are treated as separate SAs. Each SA is uniquely identified by three parameters: SPI, sender address, and security protocol. SAs are registered in the Security Association Database (SAD).
How the SA and SAD are implemented is up to each IPsec system, as it causes no interoperability issues.
IPsec transmission process
Transmission
When the Selector judges that a packet to be transmitted matches an SP in the SPD, the SA that corresponds to this SP is looked up in the SAD. The actual IPsec processing (such as encryption) is then performed based on the SA parameters for transmission (Figure 6).

Figure 6 IPsec transmission process
Receipt
When a received packet has no IPsec headers (AH or ESP), the receiver searches the SPD for the relevant SP (in order to reject packets classified for discard). When a received packet has IPsec headers (AH or ESP), the SPI, sender address and security protocol are used to search the SAD. The receiver obtains the SA, performs decryption, the integrity check and other actions, and then checks the result against the SP associated with the SA found in the SAD (Figure 7).
In Part 2, I will explain IKE, a protocol for exchanging encryption/authentication keys with communication peers, as well as the IPsec revisions being discussed in the IETF.
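The transmission and receipt decisions described above, sketched as an added example (not code from the article or from any IPsec implementation). The SPD entries, SAD contents, SPI values and addresses are constructed, the way the outbound SAD is keyed is an assumption, and dropping cleartext that matches an "apply" policy goes slightly beyond the article's wording.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:                 # one SPD entry: selector (peer prefix, protocol) -> action
    peer: str
    proto: str
    action: str               # "discard", "bypass" or "apply"

SPD = [                       # constructed policy; first match wins
    Policy("2001:db8:bad::/48", "any", "discard"),
    Policy("2001:db8:1::/64", "tcp", "apply"),
    Policy("::/0", "any", "bypass"),
]
# SAs are directional, so outbound and inbound SAs are separate entries.
SAD_OUT = {("2001:db8:1::10", "esp"): {"spi": 0x1001}}          # assumed keying
SAD_IN = {(0x2002, "2001:db8:1::10", "esp"): {"alg": "AES-CBC + HMAC-SHA1"}}

def lookup_sp(peer, proto):
    """Selector: return the first SPD entry that matches the packet."""
    addr = ipaddress.ip_address(peer)
    for sp in SPD:
        if addr in ipaddress.ip_network(sp.peer) and sp.proto in ("any", proto):
            return sp
    return Policy("::/0", "any", "discard")      # nothing matched: fail closed

def outbound(dst, proto):
    sp = lookup_sp(dst, proto)
    if sp.action != "apply":
        return sp.action                          # "discard" or "bypass"
    sa = SAD_OUT.get((dst, "esp"))
    return f"protect spi={sa['spi']:#x}" if sa else "no SA: start key exchange"

def inbound(src, proto, ipsec=None):
    """ipsec is None for a cleartext packet, else (spi, security_protocol)."""
    sp = lookup_sp(src, proto)
    if ipsec is None:
        # Cleartext is accepted only where policy says bypass.
        return "accept" if sp.action == "bypass" else "drop"
    spi, sec_proto = ipsec
    sa = SAD_IN.get((spi, src, sec_proto))
    if sa is None:
        return "drop"                             # unknown (SPI, address, protocol)
    # Decryption and the ICV check with the SA's parameters would happen here.
    return "accept" if sp.action == "apply" else "drop"

if __name__ == "__main__":
    print(outbound("2001:db8:1::10", "tcp"), inbound("2001:db8:1::10", "tcp"))
```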

Figure 7 IPsec reception process


