

mahdy

@rasana.net

IPSec in IPv6

Hi all
I want to know, if we configure our network with IPSec (both AH and ESP), which of the fields in the IPv6 header are not encrypted? I.e. flow label, source and destination address, hop limit, next header?



justbits
More fiber than ATT can handle
Premium
join:2003-01-08
Chicago, IL

»tools.ietf.org/html/rfc1827
Looks like source, destination, flow-id, part of the ESP Header and any other IP headers the sender chooses to not encrypt are clear text.

  |<--        Unencrypted              -->|<----    Encrypted   ------>|
  +-------------+--------------------+------------+---------------------+
  | IP Header   | Other IP Headers   | ESP Header | encrypted data      |
  +-------------+--------------------+------------+---------------------+
 

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9

IPv6 does encryption within the stream (i.e. per connection), so the encryption is over the payload (ESP), and the header(s) are signed (AH).

IPv4 IPsec forms a tunnel through which many streams flow. Those streams, being payload, are entirely encrypted (ESP). AH applies to the tunnel packet headers.


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to mahdy

Does the picture here ** answer your question OP?

Also -- and someone correct me if I'm wrong -- AH only confirms connection integrity and data origin of your packets,
but NOT encryption. ESP does all of what AH does AND encryption. IIRC this has nothing to do with IPv6 itself but
is a "legacy" item from IPSec's early days.

** original source -- here, in figure 2 "IPv6 IPsec Packet Format"

Regards


keeska
Premium
join:2007-04-06
Sedona, AZ

1 recommendation

reply to mahdy

Both IPv4 and IPv6 IPSec may be tunneled. When tunneled the entire IPv4 or IPv6 packet is encrypted and a new IP header plus the ESP header is prepended. Note that the inner IP packet and the outer IP header may be different versions - i.e., v4 packet within a v6 packet or v6 within IPv4. Nothing within the prepended IP header or the ESP header is encrypted. Add AH and the packet looks like the previous poster's link.

So, to answer the original question - no part of the outer IP header is encrypted. All of the inner header is encrypted.
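
The packet layout discussed in this thread, as an added example that is not part of any poster's reply: a Python parser that lists everything readable in an ESP-protected IPv6 packet without the security association keys. The function names, the sample addresses, the SPI and the filler bytes standing in for ciphertext are all constructed for illustration.

```python
import ipaddress
import struct

ESP, AH = 50, 51
# Extension headers whose length byte counts 8-octet units, excluding the first 8 octets
GENERIC_EXT = {0: "hop-by-hop", 43: "routing", 60: "destination-options"}

def cleartext_view(packet: bytes) -> dict:
    """Return what is readable in an ESP-protected IPv6 packet without the SA keys."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    word, payload_len, nxt, hop_limit = struct.unpack("!IHBB", packet[:8])
    view = {
        "traffic_class": (word >> 20) & 0xFF,
        "flow_label": word & 0xFFFFF,
        "payload_length": payload_len,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        "cleartext_headers": [],
    }
    offset = 40
    while nxt != ESP:  # walk the headers that sit in front of ESP
        if offset + 2 > len(packet):
            raise ValueError("truncated extension header")
        if nxt in GENERIC_EXT:
            name, size = GENERIC_EXT[nxt], (packet[offset + 1] + 1) * 8
        elif nxt == AH:  # AH length byte counts 4-octet units minus 2
            name, size = "AH", (packet[offset + 1] + 2) * 4
        else:
            raise ValueError(f"no ESP header in chain (next header {nxt})")
        view["cleartext_headers"].append(name)
        nxt, offset = packet[offset], offset + size
    if offset + 8 > len(packet):
        raise ValueError("truncated ESP header")
    view["esp_spi"], view["esp_seq"] = struct.unpack("!II", packet[offset:offset + 8])
    # The remainder is the IV, ciphertext (in tunnel mode the whole inner packet) and ICV
    view["opaque_bytes"] = len(packet) - offset - 8
    return view

def sample_packet() -> bytes:
    """Constructed packet: IPv6 + hop-by-hop + ESP; 32 filler bytes stand in for ciphertext."""
    ip6 = struct.pack("!IHBB", (6 << 28) | 0x12345, 48, 0, 64)
    ip6 += ipaddress.IPv6Address("2001:db8::1").packed + ipaddress.IPv6Address("2001:db8::2").packed
    hop_by_hop = bytes([ESP, 0, 1, 4, 0, 0, 0, 0])  # next header = ESP, one PadN option
    return ip6 + hop_by_hop + struct.pack("!II", 0x1000, 7) + bytes(32)

if __name__ == "__main__":
    print(cleartext_view(sample_packet()))
```

The inner next-header value sits in the ESP trailer, so it is part of the opaque bytes and the parser cannot tell whether the packet is transport or tunnel mode.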