IPv6 Security ConsiderationsMohammad [email protected] version 4 has played a main role in the interworking environments for many years,it has proved flexible enough to work on many different networking technologies andhowever it has become a victim of its own success – explosive growth! - In the 1990sthe “World Wide Web “and personal computers shifted the user of the Internet to thegeneral public. This change has created heavy demands for new IP addresses; the lakeof IPv4 addressing space was the basic problem. In the early 1990s IETF began to workon the IPv4 for solving the address exhaustion and other scalability problem .Afterseveral proposals were investigated a new IP version was recommended in late 1994 ,the new version is called IPv6 (also called IPng: IP next generation). IPv6 uses a 128 bitIP address made up at eight 16 bit integers separated by colons; IPv6 contains many newfeatures including native security. In this article I try to explain IPv6 security concepts.September 2, 20041

Introduction to IP next generationIPv6 retains many of the design features that have made IPv4 so successful. Some of thechanges from IPv4 to IPv6 include:1- Address size: The length of address field is extended from 32 bits to 128 bits; theaddress structure also provides more level of hierarchy. With the increased IP addresssize, the address space can support to 3.4 * 10 38 hosts.2- Simplified header format: the IPv6 datagram header is completely different thanthe IPv4 header, some of the header fields in IPv4 such as check sum, IHL,identification flag and fragment offset do not appear in the IPv6 header.3- Extension header: IPv6 encodes information into separate headers, this features iscalled flexible support for option.4- Flow label capability: IPv6 adds a “flow label “to identify a certain packet flowThat requires a certain quality of service.5- Fragmentation at source only: Routers do not perform packet fragmentation if apacket needs to be fragmented, the source should check the minimum MTU alongthe path and perform the necessary fragmentation.6- Support for audio and video: IPv6 includes a mechanism that allows a sender andreceiver to establish a high quality path through the underlying network and toassociate Datagrams with the path. Although the mechanism is intended for usewith audio and video applications that require high performance guarantees, themechanism can also be used to associate Datagrams with low-cost paths.7- No checksum field: the checksum field has been removed to reduce the packetprocessing time in a router, Packets carried by the physical network are typicallyalready checked, furthermore, high-layer protocol such as TCP and UDP alsoperform their own verification, thus the removal of the checksum field is unlikelyto introduce a serious problem in most situations.8- Large packets: IPv6 supports payloads that are longer than 64 Kbytes.9- Extensible protocol: Unlike IPv4, IPv6 does not specify all possible protocol features,instead the designers have provided a scheme that allows a sender to add additionalinformation to a datagram .the extension scheme make IPv6 more flexible than IPv4 ,and means that new features can be added to the design as needed.10- Security: IPv6 supports built-in authentication and confidentiality.2

IP SecurityIP security provides security mechanism to (IPv4 or IPv6). It includes a set of facilitiesthat support security services such as authentication, integrity, confidentiality and accesscontrol at the IP layer. We can use IP Security in two ways:1- Transport mode: implemented directly between remote systems but remote systemsmust support IP Security2- Tunnel mode: implemented between intermediate systems that is used forencapsulating insecure IP datagrams.Transport mode and Tunnel mode by figures:IP datagramIP Security Datagram (Transport Mode)IP Security datagram (Tunnel Mode)3

How is IP Security transmitted?IP Security adds a new header in the IP datagram between the original header and thepayload .In ESP, data are encrypted and a new datagram trailer is added.IP DatagramIP Security Datagram4

IP security has four main functionalities:1234-Security Associations ( SA )Authentication only ( Authentication Header or AH )Encryption and authentication known as Encapsulating Security Payload ( ESP )Key management1- Security Association (SA)A key concept that appears in both the authentication and confidentiality mechanisms forIP is the SA. An association is a one-way relationship between a sender and a receiverthat affords security services to the traffic carried on it. If a peer relation is needed fortwo way secure exchange, then two security associations are required .Security servicesare afforded to an SA for the use of AH or ESP, but not both. A security association isuniquely identified by three parameters:1- Security Parameter Index (SPI): Bit string assigned to the SA with local meaning, it isTransmitted in the AH and ESP headers to enable the receiving system to select the SAunder which a received packet will be processed.2- IP Destination Address: it supports only Unicast (The address corresponds to a singlecomputer) addresses3- Security Protocol Identifier: This indicates whether the association is an AH or ESPsecurity associationHence, in any IP packet (IPv4 datagram or an IPv6 packet) the security association isuniquely identified by the destination address in the IPv4 or IPv6 header and the SPI inthe enclosed extension header (AH or ESP). A Security Association is normally definedby the following Parameters:1- Sequence Number Counter: A 32-bit value used to generate the sequence number fieldin AH or ESP headers2- Sequence Counter Overflow: A flag indicating whether of the Sequence NumberCounter should generate an auditable event and prevent further transmission of packetson this SA3- Anti Reply Window: Used to determine whether an inbound AH/ESP packet is a reply4- AH Information: Authentication algorithm, keys, key lifetimes, and related parametersbeing used with AH.5

5- ESP Information: Encryption and Authentication Algorithm, keys, initialization valueskey lifetimes, and related parameters being used with ESP6- Lifetime of this security association: A time interval or byte count after which an SAmust be replaced with a new SA (and new SPI) or terminated, plus an indication ofwhich of these actions should occur7- IP Security Protocol mode: Tunnel, Transport (required for all implementations)8- Path MTU: Any observed path maximum transmission unitAs mentioned earlier Both Authentication Header and Encapsulating Security Payloadsupport the Transport and Tunnel modes (IP Security supports two modes) this tablesummarizes transport and tunnel mode functionality:Transport Mode SAAHES PESP withAuthenticationAuthenticates IP payload andselected portions of IP headerand IPv6 extensions headerTunnel Mode SAAuthenticates entire inner IP packetsand selected portions of outer IPheader and outer IPv6 extensionsheaderEncrypts IP payload and any IPv6extensions headers following the Encrypts inner IP packetsESP headerEncrypts IP payload and any IPv6extensions headers following theESP header, Authenticates IPpayload but not IP header2- Authentication Header (AH)The IP Authentication Header (AH) is used to provide connectionless integrity and dataorigin authentication for IP Datagrams and to provide protection against replay attack.AH is based on the use of the integrity check value with an algorithm specified in the SA.It avoids IP-Spoofing attack.6

IP Security Authentication HeaderAuthentication Header consists of the following fields:123456-Next Header: Data protocol transmitted inside IP (e.g. TCP, UDP, etc.)Payload length : Length of Authentication HeaderSecurity Parameter Index ( SPI ) : Identification of the SA of this datagramSequence Number : Counter monotonically incremented with each packetAuthentication Data : it contains the Integrity Check Value ( ICV )Reserved: (16 bits) for future use7

But what is “Authentication Data “?What is Reply Attack and How does AH prevent it?A reply attack is one in which an attacker obtains a copy of an authenticated packet andlater transmits it to the intended destination. The receipt of duplicate, Authenticated IPpackets may disrupt service in some way or may have some other undesiredconsequence. The sequence number field is designed to thwart such attacks .When a newSA is established, the sender initializes a sequence number counter to 0. Each time that apacket is sent on this SA, the sender increments the counter and places the value in thesequence number field. Thus, the first value to be used is 1.If anti-reply is the enabledsender must not allow the sequence number to cycle past 2 32 – 1 back to zero.Otherwise, there would be multiple valid packets with the same sequence number. If thelimit of 2 32 – 1 is reached, the sender should terminate this SA and negotiate a new SAwith a new key. Because IP is a connectionless, unreliable service, the protocol does notguarantee that packets will be delivered in order and does not guarantee that all packetswill be delivered. Therefore, the IP security authentication document dictates that thereceiver should implement a window of size W, with a default of W 64.The right edge ofthe window represents the highest sequence number in the range from N-W 1 to N thathas been correctly received .8

3- Encapsulating Security Payload (ESP)The Encapsulating Security Payload provides confidentiality, authentication, and dataintegrity. An ESP can be applied alone or in combination with an AH.Encapsulating Security Payload includes:1234-Security Parameter Index (SPI): Identification of the SA of this datagramSequence Number : Counter which is incremented with each packetPayload Data : Encrypted Data of the IP protocolPadding : Extra bytes needed if the encryption algorithm needs complete textblocks5- Pad Length : Number of padding bytes6- Next Header : Data protocol in the payload data7- Authentication Data : ICV computed over all the datagram ( ExceptAuthentication Data Field )9

Limitations:The AH and ESP do not provide security against traffic analysis, It is not economical toprovide protection against traffic analysis at the IP layer. One approach in the protectionagainst the traffic analysis is the use of bulk link encryption, another technique is sendingfalse traffic in order to increase the noise in the data listened by the traffic analyst .AH orESP do not provide non-repudiation when used with the default algorithms . Use ofcertain algorithm for example RSA with appropriate transformation provides nonRepudiation. Non-Repudiation should be concerned with the application layer security.4- Key managementThe key management portion of IP Security involves the determination and distributionof secret keys. The IP Security architecture document mandates support for two types ofkey management:1- Manual: A system administrator manually configures each system with its ownkeys and the rest of system’s keys; this is practical for small and staticenvironments.2- Automated: An automated system enables the on-demand creation of keys forSecurity Associations and facilities, the use of keys in a large distributed systemwith an evolving configuration.10

The default automated key management protocol for IPSEC is referred to asISAKMP/Oakley and consists of the following elements:1- Oakley Key Determination: Oakley is a key exchange protocol based on theDiffie-Hellman algorithm but providing added security. Oakley is generic in thatit does not dictate specific formats.2- Internet Security Association and Key Management Protocol (ISAKMP):ISAKMP provides a framework for Internet Key management and provides thespecific protocol support, including formats, for negotiation of security attributes.1- Oakley Key Determination ProtocolOakley is a refinement of the Diffie-Hellman key exchange algorithm. Diffie-Hellmaninvolves the following interaction between users A and B:- q is a large primus number- Į is a primitive root of q- A selects a random integer X(A) ( Secret Key ) and transmits to B : Y(A) Į.X(A)- B selects a random integer X(B) ( Secret Key ) and transmits to A : Y(B) Į.X(B)- each side can now compute the secret session key :K Y(B) X(A) mod q Y(A) X(B) mod qThe Diffie-Hellman algorithm has two attraction features:1- Secret keys are created only when needed, there is no need to store secret key for along period of time, exposing them to increased vulnerability2- The exchange requires no preexisting infrastructure other than an agreement on theglobal parameters.However there are a number of weaknesses to Diffie-Hellman as painted out in[HUTT98]:1- It does not provide any information about the identities of the parties2- It is computationally intensive. As a result, it is vulnerable to a clogging attack inwhich an opponent requests a high number of keys. The victims spends considerablecomputing resources doing useless modular exponentiation rather than real work3- It is subject to man-in-the-middle attack , in which a third party C impersonates Bwhile communicating with A and impersonates A while communicating with B. Both Aand B end up negotiating a key with C, which can then listen to and pass on traffic11

Oakley is designed to retain the advantages of Diffie-Hellman while countering itsweaknesses .The Oakley algorithm is characterized by five important features:12345-It employs a mechanism known as cookies to thwart clogging attacks.It enables the two parties to negotiate a group.It uses nonces to ensure against reply attacks.It enables the exchange of Diffie-Hellman public key valuesIt authenticates the Diffie-Hellman exchange to thwart man-in-the-middle attacks2- ISAKMPISAKMP defines procedures and packet formats to establish, negotiate, modify, anddelete security association as part of SA establishment, ISAKMP defines payloads forexchanging key generation and authentication data. These payload formats provide aconsistent framework independent of the specific key exchange protocol, encryptionalgorithm, and authentication mechanism. An ISAKMP message consists of an ISAKMPheader followed by one or more payloads. The header format of ISAKMP messageconsists of Initiator Cookie ( 64 bits ), Responder Cookie ( 64 bits ), Next Payload ( 8 bits) , Major Version ( 4 bits ), Minor Version ( 4 bits )Exchange Type ( 8 bits ), Message ID( 32 bits ), Length ( 32 bits )ISAKMP ExchangeISAKMP provides a framework for message exchange, with the payload types serving asthe building blocks. The specification identifies five default exchange types that shouldbe supported.1- Base Exchange Allows key exchange and authentication material to be transmittedtogether.2- Identity Protection Exchange expands the Base Exchange to protect the user’sidentities. ( First key exchange then Authentication )3- Authentication Only Exchange is used to perform mutual authentication, without a keyexchange4- Aggressive Exchange minimizes the number of exchanges at the expense of notproviding identity protection5- Informational Exchange is use for one-way transmittal of information for SAmanagement12

CONCLUSIONThis paper explains the main aspects of IP security in IPv6. SA, AH, ESP, and keymanagement are discussed in this article. IP Security may solve many issues on theInternet such as : FTP , Telnet , DNS , and SNMP but other security issues exist : IPsecurity tunnels break through firewall or NAT or tunneled IP security traffic maycontain malicious data . QOS does not work in IP security, Dynamic IP addresses causeIP security to fail.AKNOWLEDEGMENTI am grateful to Zahra Heidari for her efforts in editing this paper, and special thanks tomy brother “Vahid” for his technical supportReferences[1] R. Atkinson. Security Architecture for the Internet Protocol, RFC2401[2] R. Atkinson. IP Authentication Header (AH), RFC2402[3] R. Atkinson. IP Encapsulating Security Payload (ESP), RFC2406[4] Douglas E.Comer. Computer Networks and Internets, Prentice Hall, 2004[5] C. Huitema. IPv6 The New Internet Protocol, Prentice Hall, New Jersey, 199613

The receipt of duplicate, Authenticated IP packets may disrupt service in some way or may have some other undesired . keys and the rest of system’s keys; this is practical for small and static . - q is a large