IPv6: The Next Generation Internet Protocol

This chapter deals with several aspects regarding the security architecture. That security is then translated in to dealing with the IP Encapsulation Security Payload (ESP).
First, let us begin by discussing the Authentication Header. It is a method that can yield a powerful authentication mechanism for IP datagrams. In addition, it also yields non-repudiation. However, this is dependent on the type of cryptographic algorithm that is employed, as well as how keying is executed. This is best illustrated by using an asymmetric digital signature algorithm (e.g., RSA) which can supply non-repudiation. The authentication and security parameters index format is shown in Figure 14.1.
The ability to keep items secure and safeguard your traffic analysis (illustrated by Figure 14.2) is not given by the Authentication Header. Users who wish their information kept secure need to look at the IP Encapsulating Security Protocol (ESP) that may be used together with the Authentication Header.


The IP Authentication Header tries to yield security by calculating authentication information on an IP datagram. This authentication information is determined using all of the fields in the IP datagram that do not change during transport. The fields or options which are required to be changed in transit such as the hop count, time to live, ident, fragment offset, or routing pointer are believed to be 0 for the computation of the authentication data. This yields more security than exists in IPv4 and may...