6Sense: Generating New Possibilities in the New Internet.
Produced by: IPv6 Summit, Inc.

Internet Protocol Security (IPSec)
by Doug Roberts, Interpeak, Inc.

During the recently held USIPv6 Summit, Interpeak's co-founder and CTO Lennart Bang discussed the role of IPSec within the context of IPv6. This presentation can be viewed here [PDF].

IPSec enables the set up of virtual private networks (VPNs), secure mobile communications by way of Mobile IP and other dedicated private communications.

Lennart covered the typical aspects of IPSec, including:

  • Tunnel (network to network security) and transport (end to end security) modes

  • Authenticated Headers (AH) and Encapsulating Security Payload (ESP)

  • Mandatory for IPv6 and optional for IPv4

  • Protection for:

    • Authentication (MD5, SHA-1, RIPE-Md)

    • Private Data - encryption (DES, 3DES, CAST-128, BLOWFISH, AES, NULL)

    • Integrity Checking

    • Replay Protection

Given where IPSec sits in the TCP/IP stack, squarely in the IP layer, an efficient implementation is critical in the absence of any IPSec hardware acceleration. Interpeak's TCP/IP stack, called IPNET, includes IPSec and the IPSec module supports both hardware acceleration and a software implementation, when product manufacturing costs are to be kept low. Moreover, IPNET is implemented as a true dual IPv4 IPv6 stack, with common transports (TCP and UDP) shared between the common IPv4/v6 layer. In other words, IPNET is implemented as a single stack and the IPSec module can handle interleaved IPv4 and IPv6 packet flows.

Key Exchange
A Security Association (SA) is defined for a particular communication and is kept in the SA data base (SADB) within the IP layer. SAs define the selected algorithms and keys used for a particular communication session. These SAs can be established manually or automatically through a network application for key exchange. Not all implementers elect to use the IETF standard, known as Internet Key Exchange (IKE) so a useful feature of IPSec is to provide a standard API. IETF has one called PF_Keyv2 and is incorporated within IPNET. PF_Key defines socket extensions useable by various applications to set up IPSec's SAs.

Good security assumes that the keys are updated often during the communication session. Interpeak's IKE not only does this, but does so in advance of the key expiring, sparing a period of inactivity while a new key is negotiated.

Security Policies
At this point we can set up a security association and automatically establish digital keys to be used by the authentication and encryption algorithms. Ok, so what actually happens?

A Security Policy (SP) is defined for a particular SA. This amounts to selecting what to let pass into the system and what to block. A Security Policy can:

  • Bypass and not process any AH and ESP options

  • Apply AH and ESP processing to the packet

  • Discard the packet

  • Automatic key exchange setup, such as with IKE

Other Security
As useful as IPSec is, other applications require alternate solutions.

  • Secure Socket Library (SSL) for secure web transaction

  • Secure Shell (SSH) for secure terminal sessions and file transfer

  • SNMPv3 for securely managing network elements

  • Firewall for dynamically opening and closing network ports

In the generalized network element, one, two or all of these methods may be required.

Clearly, in the presence of IPv6, whatever security solution that is called for, it must function over both IPv4 and IPv6. Given that IPv6 defines socket extensions, applications should seamlessly use these extensions. For example,

  • A secure web server over TCP/IPv6

  • Telnet fred, where the dns client/server know about AAAA frames and returns the correct IPv6 address

  • Stateful firewall, where a port passes a response packet through to the requester application and then closes the port to any additional packets