Chapter 17. Ipsec With Ipv6; Ipsec Protocols - IBM RackSwitch G8000 Application Manual

Chapter 17. IPsec with IPv6

IPsec Protocols

© Copyright IBM Corp. 2011
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol
(IP) communications by authenticating and encrypting each IP packet of a
communication session. IPsec also includes protocols for establishing mutual
authentication between agents at the beginning of the session and negotiation of
cryptographic keys to be used during the session.
Since IPsec was implemented in conjunction with IPv6, all implementations of IPv6
must contain IPsec. To support the National Institute of Standards and Technology
(NIST) recommendations for IPv6 implementations, IBM Networking OS IPv6
feature compliance has been extended to include the following IETF RFCs, with an
emphasis on IP Security (IPsec) and Internet Key Exchange version 2, and
authentication/confidentiality for OSPFv3:
• RFC 4301 for IPv6 security
• RFC 4302 for the IPv6 Authentication Header
• RFCs 2404, 2410, 2451, 3602, and 4303 for IPv6 Encapsulating Security
Payload (ESP), including NULL encryption, CBC-mode 3DES and AES ciphers,
and HMAC-SHA-1-96.
• RFCs 4306, 4307, 4718, and 4835 for IKEv2 and cryptography
• RFC 4552 for OSPFv3 IPv6 authentication
• RFC 5114 for Diffie-Hellman groups
Note: This implementation of IPsec supports DH groups 1, 2, 5, 14, and 24.
The following topics are discussed in this chapter:
• "IPsec Protocols" on page 203
• "Using IPsec with the RackSwitch G8000" on page 204
The IBM N/OS implementation of IPsec supports the following protocols:
• Authentication Header (AH)
AHs provide connectionless integrity outand data origin authentication for IP
packets, and provide protection against replay attacks. In IPv6, the AH protects
the AH itself, the Destination Options extension header after the AH, and the IP
payload. It also protects the fixed IPv6 header and all extension headers before
the AH, except for the mutable fields DSCP, ECN, Flow Label, and Hop Limit. AH
is defined in RFC 4302.
• Encapsulating Security Payload (ESP)
ESPs provide confidentiality, data origin authentication, integrity, an anti-replay
service (a form of partial sequence integrity), and some traffic flow confidentiality.
ESPs may be applied alone or in combination with an AH. ESP is defined in RFC
4303.
• Internet Key Exchange Version 2 (IKEv2)
IKEv2 is used for mutual authentication between two network elements. An IKE
establishes a security association (SA) that includes shared secret information to
efficiently establish SAs for ESPs and AHs, and a set of cryptographic algorithms
to be used by the SAs to protect the associated traffic. IKEv2 is defined in RFC
4306.
Using IKEv2 as the foundation, IPsec supports ESP for encryption and/or
authentication, and/or AH for authentication of the remote partner.
Chapter 17. IPsec with IPv6
203