mahdy (@rasana.net, Anon)
[ipv6] IPSec in IPv6

Hi all,
I want to know: if we configure our network with IPSec (both AH and ESP), which fields in the IPv6 header are not encrypted? I.e. flow label, source and destination address, hop limit, next header?

justbits (Premium Member, Chicago, IL, joined 2003-01-08)
DSL is dead. Long live DSL!
Re: [ipv6] IPSec in IPv6

»tools.ietf.org/html/rfc1827
Looks like source, destination, flow-id, part of the ESP Header and any other IP headers the sender chooses to not encrypt are clear text.

  |<--        Unencrypted              -->|<----    Encrypted   ------>|
  +-------------+--------------------+------------+---------------------+
  | IP Header   | Other IP Headers   | ESP Header | encrypted data      |
  +-------------+--------------------+------------+---------------------+
 
cramer (Premium Member, Raleigh, NC, joined 2007-04-10; Westell 6100, Cisco PIX 501)
IPv6 does encryption within the stream (i.e. per connection), so the encryption is over the payload (ESP), and the header(s) are signed (AH).

IPv4 IPsec forms a tunnel through which many streams flow. Those streams, being payload, are entirely encrypted (ESP). AH applies to the tunnel packet headers.
HELLFIRE (MVM, joined 2009-11-25) to mahdy
Does the picture here** answer your question, OP?

Also -- and someone correct me if I'm wrong -- AH only confirms connection integrity and data origin of your packets, but NOT encryption. ESP does all of what AH does AND encryption. IIRC this has nothing to do with IPv6 itself but is a "legacy" item from IPSec's early days.

** original source -- here, in figure 2 "IPv6 IPsec Packet Format"

Regards
keeska (Premium Member, Sedona, AZ, joined 2007-04-06) to mahdy
1 recommendation
Both IPv4 and IPv6 IPSec may be tunneled. When tunneled, the entire IPv4 or IPv6 packet is encrypted and a new IP header plus the ESP header is prepended. Note that the inner IP packet and the outer IP header may be different versions - i.e., a v4 packet within a v6 packet or v6 within IPv4. Nothing within the prepended IP header or the ESP header is encrypted. Add AH and the packet looks like the previous poster's link.

So, to answer the original question: no part of the outer IP header is encrypted. All of the inner header is encrypted.
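To make the two layouts in this thread concrete (the transport-mode IPv6 | AH | ESP packet from the RFC figure justbits linked, and the tunnel-mode v4-inside-v6 packet keeska describes), here is an added example that is not part of the original thread or any poster's code. It builds both packets with the standard library only, walks the next-header chain the way a passive observer would, and reports which byte ranges are cleartext versus encrypted. It also computes and verifies the AH ICV with the IPv6 mutable fields (DSCP, ECN, Flow Label, Hop Limit) zeroed as RFC 4302 Appendix A requires, so you can see that the fields the OP asked about are not only in the clear but, in the case of flow label and hop limit, not even covered by AH. Assumptions: the "cipher" is a toy SHA-256 keystream standing in for AES (only the wire layout matters here), the ESP ICV is omitted because AH supplies integrity, the keys and addresses are constructed, and the inner IPv4 checksum is left at zero.

```python
import hashlib, hmac, ipaddress, struct

IPPROTO_IPV4, IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 4, 6, 50, 51
IPV6_HDR = 40
AH_LEN = 32                      # 12 fixed + 16 ICV + 4 pad; IPv6 AH must be a multiple of 8 bytes
AH_KEY = b"constructed-ah-key"   # constructed demo keys, not from any real SA
ESP_KEY = b"constructed-esp-key"

def ipv6_header(src, dst, payload_len, next_header, hop_limit=64, flow_label=0x54321):
    """IPv6 base header (RFC 8200); traffic class left at 0."""
    return (struct.pack("!IHBB", (6 << 28) | flow_label, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

def keystream_xor(data, key, nonce):
    """Toy CTR-style keystream from SHA-256: a stand-in for AES so the example needs only
    the standard library. NOT a real ESP cipher; only the packet layout matters here."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + struct.pack("!I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def esp_encapsulate(payload, next_header, spi=0x1001, seq=1):
    """ESP (RFC 4303): SPI and sequence number in the clear, payload + trailer encrypted.
    The ESP ICV is omitted because AH supplies integrity in the AH+ESP combination."""
    pad_len = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    head = struct.pack("!II", spi, seq)
    return head + keystream_xor(payload + trailer, ESP_KEY, head)

def esp_decapsulate(esp):
    """Inverse of esp_encapsulate: returns (inner payload, inner next header)."""
    plain = keystream_xor(esp[8:], ESP_KEY, esp[:8])
    pad_len, next_header = plain[-2], plain[-1]
    return plain[:len(plain) - pad_len - 2], next_header

def ah_icv(ip6, ah_fixed, rest):
    """AH ICV (RFC 4302 Appendix A): DSCP, ECN, Flow Label and Hop Limit are mutable in
    transit and are zeroed; the ICV field and pad are zero; everything after AH is covered."""
    h = bytearray(ip6)
    h[0], h[1], h[2], h[3], h[7] = 0x60, 0, 0, 0, 0
    mac = hmac.new(AH_KEY, bytes(h) + ah_fixed + bytes(20) + rest, hashlib.sha256).digest()
    return mac[:16]              # HMAC-SHA-256-128 truncation (RFC 4868)

def ah_header(next_header, ip6, rest, spi=0x2002, seq=1):
    """AH (RFC 4302): Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Seq, ICV."""
    fixed = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    return fixed + ah_icv(ip6, fixed, rest) + bytes(4)

def verify_ah(pkt):
    """Recompute the AH ICV of a received packet (AH directly after the base header)."""
    if pkt[6] != IPPROTO_AH:
        return False
    ah_len = (pkt[IPV6_HDR + 1] + 2) * 4
    fixed, icv = pkt[IPV6_HDR:IPV6_HDR + 12], pkt[IPV6_HDR + 12:IPV6_HDR + 28]
    return hmac.compare_digest(icv, ah_icv(pkt[:IPV6_HDR], fixed, pkt[IPV6_HDR + ah_len:]))

def build_transport_packet():
    """Transport mode with AH + ESP, as asked in the thread: IPv6 | AH | ESP | {TCP}."""
    esp = esp_encapsulate(b"constructed TCP segment, not a real one", IPPROTO_TCP)
    ip6 = ipv6_header("2001:db8::10", "2001:db8::20", AH_LEN + len(esp), IPPROTO_AH)
    return ip6 + ah_header(IPPROTO_ESP, ip6, esp) + esp

def build_tunnel_packet():
    """Tunnel mode, IPv4 inside IPv6: outer IPv6 | ESP | {inner IPv4 header + payload}.
    The inner IPv4 checksum is left at 0 for brevity."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0x4000, 64, IPPROTO_TCP, 0,
                        ipaddress.IPv4Address("192.0.2.1").packed,
                        ipaddress.IPv4Address("198.51.100.1").packed) + b"inner-v4"
    esp = esp_encapsulate(inner, IPPROTO_IPV4)
    return ipv6_header("2001:db8:1::1", "2001:db8:2::1", len(esp), IPPROTO_ESP) + esp

def classify(pkt):
    """Walk the next-header chain and report which byte ranges a passive observer reads
    in the clear. Returns (label, start, end, visibility) tuples."""
    regions = [("IPv6 base header: src, dst, flow label, hop limit, next header",
                0, IPV6_HDR, "clear")]
    nh, off = pkt[6], IPV6_HDR
    while nh == IPPROTO_AH:
        ah_len = (pkt[off + 1] + 2) * 4
        regions.append(("AH: next header, SPI, seq, ICV", off, off + ah_len, "clear"))
        nh, off = pkt[off], off + ah_len
    if nh == IPPROTO_ESP:
        regions.append(("ESP: SPI, seq", off, off + 8, "clear"))
        regions.append(("ESP payload + trailer (inner next header)", off + 8, len(pkt), "encrypted"))
    else:
        regions.append((f"next header {nh}", off, len(pkt), "clear"))
    return regions

if __name__ == "__main__":
    for name, pkt in (("transport AH+ESP", build_transport_packet()), ("tunnel v4-in-v6", build_tunnel_packet())):
        print(name, "AH ok" if verify_ah(pkt) else "no AH")
        for label, start, end, vis in classify(pkt):
            print(f"  [{start:3}:{end:3}] {vis:9} {label}")
```

Running it prints the two layouts: in transport mode the 40-byte base header, the 32-byte AH and the 8-byte ESP SPI/sequence are all cleartext and only the ESP payload (which carries the inner next-header value in its trailer) is encrypted; in tunnel mode the whole inner IPv4 packet, header included, sits inside that encrypted region while the outer IPv6 header is readable. Flipping the hop limit or flow label in a transport packet leaves verify_ah() true, because AH zeroes those mutable fields before computing the ICV; flipping a byte of the destination address makes it fail.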