Hi.

We've published two internet drafts around the use
of IPsec in the context of ICMPv6. Here are the
URLs to the drafts as well as the abstracts.
Feedback and comments would be greatly appreciated!
In particular, we'd be interested in hearing how
other folks who have implemented IPsec in an IPv6
environment have dealt with the issues discussed
in the first draft.

Title: Effects of ICMPv6 on IKE and IPsec Policies
Author: J. Arkko
Abstract:
   The ICMPv6 protocol provides many functions
   which in IPv4 were either non-existent or
   provided by lower layers. IPv6 architecture also
   makes it possible to secure all IP packets using
   IPsec, even ICMPv6 messages. IPsec architecture
   has a Security Policy Database that specifies
   which traffic is protected, and how. It turns
   out that the specification of policies in the
   presence of ICMPv6 traffic is hard. Sound-looking
   policies may easily lead to loops: The establishment
   of security requires ICMPv6 messages which can't
   be sent since security hasn't been established yet.
   The purpose of this draft is to inform system
   administrators and IPsec implementors in which
   manner they can handle the ICMPv6 messages.
   Common understanding of the way that these
   messages are handled is also necessary for
   interoperability, in case vendors hardcode such
   rules into products.
http://search.ietf.org/internet-drafts/draft-arkko-icmpv6-ike-effects-00.txt

Title: Manual SA Configuration for IPv6 Link Local Messages
Authors: J. Arkko, P. Nikander, T. Kivinen, M. Rossi
Abstract:
   This draft discusses the use of manually configured
   IPsec SAs to protect ICMPv6 messages such as router
   discovery and address resolution on the local link.
   IPsec SAs are generally identified by the triple
   <SPI, destination address, protocol>. For the ICMPv6
   messages configuring the SAs requires some effort,
   however, since there are multiple known destination
   addresses plus a number of addresses that depend on
   the physical link addresses. This draft describes
   the security implications of protecting or not
   protecting the link local ICMPv6 messages, lists
   the SAs that must be configured manually, and
   discusses some approaches for reducing
   configuration effort.
http://search.ietf.org/internet-drafts/draft-arkko-manual-icmpv6-sas-00.txt


--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
