The last post talked about the security features of IPv6 itself which are commonly referred as IPsec. The Authentication Header and Encrypted Security Payload were introduced which are responsible to ensure authenticity and confidentiality.
Both communication partners have to agree to a set of security parameters and algorithms to use. This set of rules to secure the communication channel is called Security Association. Not only parameters and algorithms, also the cipher keys itself are part of this agreement.
Security Associations know two types of connecting two hosts, the Transport Mode and the Tunnel Mode. These types of connection - including the interface and IPv6 address on which to apply them are set as Security Policy.
The transport mode is considered for end-to-end connections between two communication partners. It is a real point-to-point mechanism which encrypts the payload with the specific header of each protocol (ICMP,TCP,UDP,..). The IP header is plain and not encrypted but usually included in the authentication.
Encryption partners can directly communicate with each other.
This mode is used for gateway-to-gateway connections, but can be used also for end-to-end communication. Mainly it is designed to connect two corporate networks through designated gateway computers. The whole original packet is encrypted and encapsulated in a new datagram. Encryption partners can not directly communicate with each other, only the networks which are connected through this gateways.
All cryptographic communication in IPsec makes use of encryption/decryption keys. If two communication partners want to agree about a SA they have to exchange information and finally the keys to use. Because in this phase there is no encryption the exchange of information is made over an insecure connection. The IKE (Internet Key Exchange) protocol is used to handle this task.
Public Key Infrastructure
IPsec requirements are specified in RFC4301 - but there is nothing to find about how the keys are exchanged. This can be done either by using pre-shared keys which is only practicable in a small network. Enterprise networks from huge companies need another method to distribute the keys. In this large environments a central certificate server is the most practical. This central server is responsible to distribute the keys for encryption and also for building a chain of trust.
If two communication partners want to get sure each other is the one he pretends to be - they need another trusted instance to assure their identity. The Certification Authority server takes the role of this trusted instance. This way a chain of trusted instances is build where the root instance is called Root CA - the certificate server in PKI based environments.
The next post will be the last of this IPv6 series. It will summarize and give information about the recent IPv6 development. Stay tuned.