Using IPsec to Secure IPv6-in-IPv4 Tunnels
RFC 4891
Document Type RFC - Informational (May 2007; No errata)
Authors Mohan Parthasarathy  , Richard Graveman  , Hannes Tschofenig  , Pekka Savola 
Last updated 2015-10-14
Replaces draft-tschofenig-v6ops-secure-tunnels
Stream IETF
Formats plain text html pdf htmlized bibtex
Reviews
SECDIR Telechat Review
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4891 (Informational)
Action Holders
(None)
Consensus Boilerplate Unknown
Telechat date
Responsible AD David Kessens
Send notices to (None)
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                        R. Graveman
Request for Comments: 4891                             RFG Security, LLC
Category: Informational                                 M. Parthasarathy
                                                                   Nokia
                                                               P. Savola
                                                               CSC/FUNET
                                                           H. Tschofenig
                                                  Nokia Siemens Networks
                                                                May 2007

               Using IPsec to Secure IPv6-in-IPv4 Tunnels

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This document gives guidance on securing manually configured IPv6-in-
   IPv4 tunnels using IPsec in transport mode.  No additional protocol
   extensions are described beyond those available with the IPsec
   framework.

Graveman, et al.             Informational                      [Page 1]
RFC 4891            IPsec with IPv6-in-IPv4 Tunnels             May 2007

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Threats and the Use of IPsec . . . . . . . . . . . . . . . . .  3
     2.1.  IPsec in Transport Mode  . . . . . . . . . . . . . . . . .  4
     2.2.  IPsec in Tunnel Mode . . . . . . . . . . . . . . . . . . .  5
   3.  Scenarios and Overview . . . . . . . . . . . . . . . . . . . .  5
     3.1.  Router-to-Router Tunnels . . . . . . . . . . . . . . . . .  6
     3.2.  Site-to-Router/Router-to-Site Tunnels  . . . . . . . . . .  6
     3.3.  Host-to-Host Tunnels . . . . . . . . . . . . . . . . . . .  8
   4.  IKE and IPsec Versions . . . . . . . . . . . . . . . . . . . .  9
   5.  IPsec Configuration Details  . . . . . . . . . . . . . . . . . 10
     5.1.  IPsec Transport Mode . . . . . . . . . . . . . . . . . . . 11
     5.2.  Peer Authorization Database and Identities . . . . . . . . 12
   6.  Recommendations  . . . . . . . . . . . . . . . . . . . . . . . 13
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 13
   8.  Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 14
   9.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 14
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
     10.1. Normative References . . . . . . . . . . . . . . . . . . . 15
     10.2. Informative References . . . . . . . . . . . . . . . . . . 15
   Appendix A.  Using Tunnel Mode . . . . . . . . . . . . . . . . . . 17
     A.1.  Tunnel Mode Implementation Methods . . . . . . . . . . . . 17
     A.2.  Specific SPD for Host-to-Host Scenario . . . . . . . . . . 18
     A.3.  Specific SPD for Host-to-Router Scenario . . . . . . . . . 19
   Appendix B.  Optional Features . . . . . . . . . . . . . . . . . . 20
     B.1.  Dynamic Address Configuration  . . . . . . . . . . . . . . 20
     B.2.  NAT Traversal and Mobility . . . . . . . . . . . . . . . . 20
     B.3.  Tunnel Endpoint Discovery  . . . . . . . . . . . . . . . . 21

Graveman, et al.             Informational                      [Page 2]
RFC 4891            IPsec with IPv6-in-IPv4 Tunnels             May 2007

1.  Introduction

   The IPv6 Operations (v6ops) working group has selected (manually
   configured) IPv6-in-IPv4 tunneling [RFC4213] as one of the IPv6
   transition mechanisms for IPv6 deployment.

   [RFC4213] identified a number of threats that had not been adequately
   analyzed or addressed in its predecessor [RFC2893].  The most
   complete solution is to use IPsec to protect IPv6-in-IPv4 tunneling.
   The document was intentionally not expanded to include the details on
   how to set up an IPsec-protected tunnel in an interoperable manner,
   but instead the details were deferred to this memo.

   The first four sections of this document analyze the threats and
   scenarios that can be addressed by IPsec and assumptions made by this
   document for successful IPsec Security Association (SA)
   establishment.  Section 5 gives the details of Internet Key Exchange
   (IKE) and IP security (IPsec) exchange with packet formats and
   Security Policy Database (SPD) entries.  Section 6 gives
   recommendations.  Appendices further discuss tunnel mode usage and
   optional extensions.

   This document does not address the use of IPsec for tunnels that are
   not manually configured (e.g., 6to4 tunnels [RFC3056]).  Presumably,
   some form of opportunistic encryption or "better-than-nothing
   security" might or might not be applicable.  Similarly, propagating
   quality-of-service attributes (apart from Explicit Congestion
   Notification bits [RFC4213]) from the encapsulated packets to the
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools