Using IPsec to Secure IPv6-in-IPv4 Tunnels
RFC 4891

Network Working Group                                        R. Graveman
Request for Comments: 4891                             RFG Security, LLC
Category: Informational                                 M. Parthasarathy
                                                                   Nokia
                                                               P. Savola
                                                               CSC/FUNET
                                                           H. Tschofenig
                                                  Nokia Siemens Networks
                                                                May 2007

               Using IPsec to Secure IPv6-in-IPv4 Tunnels

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This document gives guidance on securing manually configured IPv6-in-
   IPv4 tunnels using IPsec in transport mode.  No additional protocol
   extensions are described beyond those available with the IPsec
   framework.

Graveman, et al.             Informational                      [Page 1]
RFC 4891            IPsec with IPv6-in-IPv4 Tunnels             May 2007

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Threats and the Use of IPsec . . . . . . . . . . . . . . . . .  3
     2.1.  IPsec in Transport Mode  . . . . . . . . . . . . . . . . .  4
     2.2.  IPsec in Tunnel Mode . . . . . . . . . . . . . . . . . . .  5
   3.  Scenarios and Overview . . . . . . . . . . . . . . . . . . . .  5
     3.1.  Router-to-Router Tunnels . . . . . . . . . . . . . . . . .  6
     3.2.  Site-to-Router/Router-to-Site Tunnels  . . . . . . . . . .  6
     3.3.  Host-to-Host Tunnels . . . . . . . . . . . . . . . . . . .  8
   4.  IKE and IPsec Versions . . . . . . . . . . . . . . . . . . . .  9
   5.  IPsec Configuration Details  . . . . . . . . . . . . . . . . . 10
     5.1.  IPsec Transport Mode . . . . . . . . . . . . . . . . . . . 11
     5.2.  Peer Authorization Database and Identities . . . . . . . . 12
   6.  Recommendations  . . . . . . . . . . . . . . . . . . . . . . . 13
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 13
   8.  Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 14
   9.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 14
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
     10.1. Normative References . . . . . . . . . . . . . . . . . . . 15
     10.2. Informative References . . . . . . . . . . . . . . . . . . 15
   Appendix A.  Using Tunnel Mode . . . . . . . . . . . . . . . . . . 17
     A.1.  Tunnel Mode Implementation Methods . . . . . . . . . . . . 17
     A.2.  Specific SPD for Host-to-Host Scenario . . . . . . . . . . 18
     A.3.  Specific SPD for Host-to-Router Scenario . . . . . . . . . 19
   Appendix B.  Optional Features . . . . . . . . . . . . . . . . . . 20
     B.1.  Dynamic Address Configuration  . . . . . . . . . . . . . . 20
     B.2.  NAT Traversal and Mobility . . . . . . . . . . . . . . . . 20
     B.3.  Tunnel Endpoint Discovery  . . . . . . . . . . . . . . . . 21


1.  Introduction

   The IPv6 Operations (v6ops) working group has selected (manually
   configured) IPv6-in-IPv4 tunneling [RFC4213] as one of the IPv6
   transition mechanisms for IPv6 deployment.

   [RFC4213] identified a number of threats that had not been adequately
   analyzed or addressed in its predecessor [RFC2893].  The most
   complete solution is to use IPsec to protect IPv6-in-IPv4 tunneling.
   [RFC4213] was intentionally not expanded to include the details of
   how to set up an IPsec-protected tunnel in an interoperable manner;
   instead, those details were deferred to this memo.

   The first four sections of this document analyze the threats and
   scenarios that IPsec can address and state the assumptions this
   document makes for successful IPsec Security Association (SA)
   establishment.  Section 5 gives the details of the Internet Key
   Exchange (IKE) and IP security (IPsec) exchanges, with packet formats
   and Security Policy Database (SPD) entries.  Section 6 gives
   recommendations.  The appendices further discuss tunnel mode usage
   and optional extensions.
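   The policy that the rest of this memo spells out can be sketched in
   code.  The following is an added example, not part of RFC 4891 and not
   the implementation of any IPsec stack: a toy Security Policy Database
   in the selector style of RFC 4301 (local address, remote address,
   next-layer protocol, action), populated with the kind of entry Section
   5 describes, namely PROTECT in transport mode for IPv4 protocol 41
   between the two configured tunnel endpoints, and applied to
   constructed IPv4 packets.  The endpoint addresses are RFC 5737
   documentation addresses chosen here, the via_esp flag stands in for
   delivery through an established ESP SA, and IKE traffic and port
   selectors are not modelled.

```python
# Toy IPsec SPD check for a manually configured IPv6-in-IPv4 tunnel.
# Added illustration, not RFC 4891 text or any real IPsec stack.  Selector model
# follows RFC 4301; addresses are RFC 5737 documentation addresses chosen here.
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPPROTO_IPV6 = 41   # IPv6 encapsulated in IPv4 (RFC 4213)
IPPROTO_ICMP = 1
LOCAL = "192.0.2.1"     # this tunnel endpoint (constructed)
PEER = "198.51.100.1"   # configured remote tunnel endpoint (constructed)
IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, no options


@dataclass(frozen=True)
class SpdEntry:
    local: str                  # local address selector, prefix notation
    remote: str                 # remote address selector
    protocol: Optional[int]     # next-layer protocol, None = ANY
    action: str                 # "PROTECT", "BYPASS" or "DISCARD"
    mode: Optional[str] = None  # "transport" when action is PROTECT

    def matches(self, local: str, remote: str, protocol: int) -> bool:
        return (ipaddress.ip_address(local) in ipaddress.ip_network(self.local)
                and ipaddress.ip_address(remote) in ipaddress.ip_network(self.remote)
                and (self.protocol is None or self.protocol == protocol))


# Ordered SPD, first match wins.  Only protocol-41 traffic with the configured
# peer is protected; protocol 41 from any other source is dropped outright
# (the spoofing threat RFC 4213 describes); other IPv4 traffic, IKE included,
# is outside this example and simply bypasses.
SPD: List[SpdEntry] = [
    SpdEntry(LOCAL + "/32", PEER + "/32", IPPROTO_IPV6, "PROTECT", "transport"),
    SpdEntry(LOCAL + "/32", "0.0.0.0/0", IPPROTO_IPV6, "DISCARD"),
    SpdEntry("0.0.0.0/0", "0.0.0.0/0", None, "BYPASS"),
]


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 header checksum; yields 0 when run over a header with a valid checksum."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, protocol: int, payload: bytes) -> bytes:
    """Serialise a minimal IPv4 packet; used here only to construct sample input."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0x4000, 64, protocol, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> Tuple[str, str, int, bytes]:
    """Return (src, dst, protocol, payload), rejecting malformed headers."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("not a well-formed IPv4 packet")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, pkt[ihl:total_len])


def classify(spd: List[SpdEntry], pkt: bytes, inbound: bool, via_esp: bool = False) -> str:
    """Disposition of one IPv4 packet.  via_esp marks an inbound packet already
    decapsulated from an ESP SA with the peer; a plaintext arrival that policy
    says must be PROTECTed is discarded, which defeats forged protocol-41 packets."""
    src, dst, proto, _ = parse_ipv4(pkt)
    local, remote = (dst, src) if inbound else (src, dst)
    for entry in spd:
        if not entry.matches(local, remote, proto):
            continue
        if entry.action == "PROTECT":
            if not inbound:
                return "PROTECT/" + entry.mode       # hand to ESP for encapsulation
            return "ACCEPT" if via_esp else "DISCARD"
        return "DISCARD" if via_esp else entry.action  # SA carried traffic policy does not protect
    return "DISCARD"   # no matching entry: RFC 4301 default


def demo() -> Dict[str, str]:
    """Constructed sample packets exercising each branch of the policy."""
    # 40-byte IPv6 header, Next Header 59 (none), zero addresses; constructed.
    v6 = bytes([0x60, 0, 0, 0, 0, 0, 59, 64]) + bytes(32)
    ping = bytes([8, 0, 0xF7, 0xFF, 0, 0, 0, 0])   # ICMP echo request, constructed
    cases = {
        "outbound_tunnel": (build_ipv4(LOCAL, PEER, IPPROTO_IPV6, v6), False, False),
        "inbound_from_peer_via_esp": (build_ipv4(PEER, LOCAL, IPPROTO_IPV6, v6), True, True),
        "inbound_from_peer_plaintext": (build_ipv4(PEER, LOCAL, IPPROTO_IPV6, v6), True, False),
        "inbound_spoofed_source": (build_ipv4("203.0.113.7", LOCAL, IPPROTO_IPV6, v6), True, False),
        "inbound_icmp": (build_ipv4(PEER, LOCAL, IPPROTO_ICMP, ping), True, False),
    }
    return {name: classify(SPD, pkt, inbound, via_esp)
            for name, (pkt, inbound, via_esp) in cases.items()}
```

   Running demo() shows the two properties this memo is after: outbound
   IPv6-in-IPv4 packets to the peer are handed to ESP in transport mode,
   and a protocol-41 packet that arrives in the clear, whether it forges
   the peer's address or comes from a third party, is discarded rather
   than decapsulated.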

   This document does not address the use of IPsec for tunnels that are
   not manually configured (e.g., 6to4 tunnels [RFC3056]).  Presumably,
   some form of opportunistic encryption or "better-than-nothing
