Using IPsec to Secure IPv6-in-IPv4 Tunnels
RFC 4891
| Field | Value |
|---|---|
| Type | RFC - Informational (May 2007; no errata) |
| Authors | Mohan Parthasarathy, Richard Graveman, Hannes Tschofenig, Pekka Savola |
| Last updated | 2015-10-14 |
| Replaces | draft-tschofenig-v6ops-secure-tunnels |
| Stream | IETF |
| IESG state | RFC 4891 (Informational) |
| Responsible AD | David Kessens |
Network Working Group                                        R. Graveman
Request for Comments: 4891                             RFG Security, LLC
Category: Informational                                 M. Parthasarathy
                                                                   Nokia
                                                               P. Savola
                                                               CSC/FUNET
                                                           H. Tschofenig
                                                  Nokia Siemens Networks
                                                                May 2007

              Using IPsec to Secure IPv6-in-IPv4 Tunnels

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This document gives guidance on securing manually configured IPv6-in-
   IPv4 tunnels using IPsec in transport mode.  No additional protocol
   extensions are described beyond those available with the IPsec
   framework.

Graveman, et al.             Informational                      [Page 1]

RFC 4891              IPsec with IPv6-in-IPv4 Tunnels               May 2007

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Threats and the Use of IPsec . . . . . . . . . . . . . . . . .  3
     2.1.  IPsec in Transport Mode  . . . . . . . . . . . . . . . . .  4
     2.2.  IPsec in Tunnel Mode . . . . . . . . . . . . . . . . . . .  5
   3.  Scenarios and Overview . . . . . . . . . . . . . . . . . . . .  5
     3.1.  Router-to-Router Tunnels . . . . . . . . . . . . . . . . .  6
     3.2.  Site-to-Router/Router-to-Site Tunnels  . . . . . . . . . .  6
     3.3.  Host-to-Host Tunnels . . . . . . . . . . . . . . . . . . .  8
   4.  IKE and IPsec Versions . . . . . . . . . . . . . . . . . . . .  9
   5.  IPsec Configuration Details  . . . . . . . . . . . . . . . . . 10
     5.1.  IPsec Transport Mode . . . . . . . . . . . . . . . . . . . 11
     5.2.  Peer Authorization Database and Identities . . . . . . . . 12
   6.  Recommendations  . . . . . . . . . . . . . . . . . . . . . . . 13
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 13
   8.  Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 14
   9.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 14
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
     10.1. Normative References . . . . . . . . . . . . . . . . . . . 15
     10.2. Informative References . . . . . . . . . . . . . . . . . . 15
   Appendix A.  Using Tunnel Mode . . . . . . . . . . . . . . . . . . 17
     A.1.  Tunnel Mode Implementation Methods . . . . . . . . . . . . 17
     A.2.  Specific SPD for Host-to-Host Scenario . . . . . . . . . . 18
     A.3.  Specific SPD for Host-to-Router Scenario . . . . . . . . . 19
   Appendix B.  Optional Features . . . . . . . . . . . . . . . . . . 20
     B.1.  Dynamic Address Configuration  . . . . . . . . . . . . . . 20
     B.2.  NAT Traversal and Mobility . . . . . . . . . . . . . . . . 20
     B.3.  Tunnel Endpoint Discovery  . . . . . . . . . . . . . . . . 21

1.  Introduction

   The IPv6 Operations (v6ops) working group has selected (manually
   configured) IPv6-in-IPv4 tunneling [RFC4213] as one of the IPv6
   transition mechanisms for IPv6 deployment.  [RFC4213] identified a
   number of threats that had not been adequately analyzed or addressed
   in its predecessor [RFC2893].  The most complete solution is to use
   IPsec to protect IPv6-in-IPv4 tunneling.  [RFC4213] was intentionally
   not expanded to include the details on how to set up an IPsec-
   protected tunnel in an interoperable manner; instead, those details
   were deferred to this memo.

   The first four sections of this document analyze the threats and
   scenarios that can be addressed by IPsec and the assumptions made by
   this document for successful IPsec Security Association (SA)
   establishment.  Section 5 gives the details of the Internet Key
   Exchange (IKE) and IP security (IPsec) exchange with packet formats
   and Security Policy Database (SPD) entries.  Section 6 gives
   recommendations.  The appendices further discuss tunnel mode usage
   and optional extensions.

   This document does not address the use of IPsec for tunnels that are
   not manually configured (e.g., 6to4 tunnels [RFC3056]).  Presumably,
   some form of opportunistic encryption or "better-than-nothing
   security" might or might not be applicable.

   Similarly, propagating quality-of-service attributes (apart from
   Explicit Congestion Notification bits [RFC4213]) from the
   encapsulated packets to the
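The introduction above summarizes the approach this memo details later: bind the manually configured tunnel (IPv4 protocol 41 between two fixed endpoints) to IPsec in transport mode via SPD entries, and leave key management to IKE. The following script is an added example, not text or code from RFC 4891 or the datatracker page; it emits the Linux iproute2 commands for one tunnel endpoint, assuming a Linux host with `ip` available, documentation addresses (192.0.2.1 local, 198.51.100.1 remote) as placeholders, and an IKE daemon that negotiates the ESP SAs that the policy templates reference.

```shell
#!/bin/sh
# Added example, not part of RFC 4891: generate the tunnel and XFRM policy
# commands that protect a manually configured IPv6-in-IPv4 tunnel with ESP
# in transport mode.  Assumptions: Linux with iproute2; addresses are
# placeholders from the documentation ranges; the SAs are set up by IKE
# (an IKEv2 daemon), so no 'ip xfrm state' entries are created here.

# gen_tunnel_policy LOCAL_V4 REMOTE_V4 [TUNNEL_IF]
# Prints the commands instead of running them, so the result can be
# reviewed first and then piped to sh as root on the tunnel endpoint.
gen_tunnel_policy() {
    local_v4=$1
    remote_v4=$2
    tun=${3:-sit1}

    # The tunnel itself: IPv4 protocol 41 between the two outer endpoints
    # (Linux 'sit' is the IPv6-in-IPv4 encapsulation of RFC 4213).
    printf 'ip tunnel add %s mode sit local %s remote %s ttl 64\n' \
        "$tun" "$local_v4" "$remote_v4"
    printf 'ip link set %s up\n' "$tun"

    # One SPD entry per direction.  The selector is the outer IPv4
    # source/destination pair plus next-layer protocol 41 (iproute2 also
    # accepts the /etc/protocols name "ipv6").  The template asks for ESP
    # in transport mode; 'level required' makes the kernel discard any
    # protocol-41 packet that arrives without ESP, which is the spoofed
    # tunnel-ingress case the memo is concerned with.
    for dir in out in; do
        if [ "$dir" = out ]; then
            src=$local_v4; dst=$remote_v4
        else
            src=$remote_v4; dst=$local_v4
        fi
        printf 'ip xfrm policy add src %s dst %s proto 41 dir %s tmpl proto esp mode transport level required\n' \
            "$src" "$dst" "$dir"
    done
}

# Stand-alone run: show the policy for the placeholder endpoints.
gen_tunnel_policy 192.0.2.1 198.51.100.1 sit1
```

Traffic other than protocol 41 between the two endpoints is not covered by these entries, so IPsec only wraps the tunnel, which is the transport-mode design the abstract describes; a policy that also matches the IKE port would lock the key exchange out of its own SA and must not be added.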