Friday, 8 February 2013

Security for address resolution - Business - Small Business

Security for address resolution, address autoconfiguration and router discovery in IPv6

In contrast to IPv4, the design of IPv6 address resolution and router discovery considered security from the beginning. Security for address autoconfiguration was required as well.

The original IPv6 Neighbor Discovery protocol specification in RFC 2461 (RFC 2461, 1998) and the address autoconfiguration protocol in RFC 2462 (RFC 2462, 1998) require use of IPsec (RFC 4301, 2005) for security. Because Neighbor Discovery is at the IP layer, unlike ARP, IP-level security can in theory be used to secure it.

However, subsequent study determined that IPsec was not a good match for Neighbor Discovery security. IPsec was developed for one-to-one security associations between two specific terminals. Traffic for address resolution and address autoconfiguration has more of a one-to-many nature, i.e. multicast. In addition, IPsec security associations are usually intended to last for a longer period between terminals that are exchanging traffic frequently or at least have the potential to do so. Along with router discovery, the traffic profile of address resolution and address autoconfiguration is more ephemeral. A node performs router discovery, address autoconfiguration, and address resolution when it first comes upon a new link, but afterward, these operations are done at periodic but very infrequent intervals, purely to refresh the internal caches of IP address to link address mappings and the list of available last hop routers.

As a consequence, a new protocol for securing Neighbor Discovery was developed with characteristics more in tune with the ephemeral nature of the traffic profile. The protocol is called SEcure Neighbor Discovery (SEND), and is documented in RFC 3971 (RFC 3971, 2005). RFC 3972 (RFC 3972, 2005) describes a new security technique called Cryptographically Generated Addresses (CGAs), which forms the basis of SEND. These topics are discussed in the next two sections.

When the Neighbor Discovery protocol and address autoconfiguration were updated in RFC 4861 (RFC 4861, 2007) and RFC 4862 (RFC 4862, 2007), SEND was recommended for security, except in cases where the IP address mappings are statically configured.
