Abstract
In the IPv6 world, the IP protocol itself, i.e., IPv6, is used for a number of functions that currently fall beyond the scope of the IPv4 protocol. These functions include address configuration, neighbour detection, router discovery, and others. It is either suggested to or required that IPsec is used to secure these functions. Furthermore, IPsec is used to protect a number of functions that are considered dangerous in the IPv4 world, including mobility management and source routing. Now, the currently prominent method for creating IPsec Security Associations, the Internet Key Exchange (IKE) protocol, is both relatively heavy and requires that the underlying IP stacks are already fully functional, at least to the point that UDP may be used. As a result, the combination of the widened responsibility of IPsec and the relative heavy weight of IKE creates a vicious cycle that is a potential source of various denial-of-service attacks. Additionally, if we want to use IPsec to secure IPv6 autoconfiguration, a chicken-and-egg problem is created: fully configured IPsec is needed to configure IP, and fully configured IP is needed to configure IPsec. In this paper, we describe these problems in detail.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
S. Deering and R. Hinden, Internet Protocol, Version 6 (IPv6) Specification, RFC2460, Internet Engineering Task Force, December 1998.
S. Thomson and T. Narten, IPv6 Stateless Address Autoconfiguration, RFC2462, Internet Engineering Task Force, December 1998.
David B. Johnson and Charles Perkins, Mobility Support in IPv6, work in progress, Internet Draft draft-ietf-mobileip-ipv6-12.txt (expired), Internet Engineering Task Force, April 2000.
M. Crawford, Router Renumbering for IPv6, RFC2894, Internet Engineering Task Force, August 2000.
A. Conta and S. Deering, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification, RFC2463, Internet Engineering Task Force, December 1998.
Discussion at the IETF ipsec mailing list in January 2001, ftp://ftp.tis.com/pub/lists/ipsec/ipsec.0101
C. de Laat, G. Gross, L. Gommans, J. Vollbrecht, D. Spence, Generic AAA Architecture, RFC2903, Internet Engineering Task Force, August 2000.
Greg O’Shea and Michael Roe, Child-proof authentication for MIPv6 (CAM). Computer Communications Review, April 2001.
T. Narten, E. Nordmark, and W. Simpson, Neighbor Discovery for IP Version 6 (IPv6), RFC2461, Internet Engineering Task Force, December 1998.
Tero Kivinen, Markku Rossi and Jari Arkko, Manual SA Configuration for IPv6 Link Local Messages, work in progress, Internet-Draft draft-arkko-manual-icmpv6-sas-01.txt (expired), February 2001.
Tuomas Aura, Pekka Nikander, and Jussipekka Leiwo, DOS-resistant Authentication with Client Puzzles, presented at Cambridge Security Protocols Workshop 2000, April 3–5, 2000, Cambridge University. LNCS 2133, pp. 170–178, Springer, 2001.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2002 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Nikander, P. (2002). Denial-of-Service, Address Ownership, and Early Authentication in the IPv6 World. In: Christianson, B., Malcolm, J.A., Crispo, B., Roe, M. (eds) Security Protocols. Security Protocols 2001. Lecture Notes in Computer Science, vol 2467. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45807-7_3
Download citation
DOI: https://doi.org/10.1007/3-540-45807-7_3
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-44263-9
Online ISBN: 978-3-540-45807-4
eBook Packages: Springer Book Archive