Chapter 4 The IPv6 Header |
105 |
Next Header 
Payload Length
Reserved 
Security Parameters Index
Sequence Number 
Authentication Data
• • •
Figure 4-18 The structure of the Authentication header
The Authentication header contains a Next Header field, a Payload Length field (the number of 4-byte blocks in the Authentication header, not counting the first two), a Reserved field, a Security Parameters Index (SPI) field that helps identify a specific IP Security (IPsec) security association (SA), a Sequence Number field that provides antireplay protection, and an Authentication Data field that contains an integrity value check (ICV). The ICV provides data authentication and data integrity.
The Authentication header does not provide data confidentiality services for the upper-layer PDU by encrypting the data so that it cannot be viewed without the encryption key. To obtain data authentication and data integrity for the entire IPv6 packet and data confidentiality for the upper-layer PDU, you can use both the Authentication header and the Encapsulating Security Payload header and trailer.
Encapsulating Security Payload Header and Trailer
The Encapsulating Security Payload (ESP) header and trailer, described in RFC 2406, provide data confidentiality, data authentication, data integrity, and replay protection services to the encapsulated payload. The ESP header provides no security services for the IPv6 header or extension headers that occur before the ESP header. The ESP header and trailer are identified by the value of 50 in the previous header’s Next Header field. Figure 4-19 shows the structure of the ESP header and trailer.
Security Parameters Index 
Sequence Number
Payload Data
• • •
Padding
• • •
Padding Length
Next Header 
Authentication Data
• • •
Figure 4-19 The structure of the Encapsulating Security Payload header and trailer
106 Understanding IPv6, Second Edition
The ESP header contains an SPI field that helps identify the IPsec SA, and a Sequence Number field that provides antireplay protection. The ESP trailer contains the Padding, Padding Length, Next Header, and Authentication Data fields. The Padding field is used to ensure 4-byte boundaries for the ESP payload and appropriate data-block boundaries for encryption algorithms. The Padding Length field indicates the size of the Padding field in bytes. The Authentication Data field contains the ICV.
Details about how the ESP header and trailer provide data confidentiality, authentication, and integrity through cryptographic techniques are beyond the scope of this book.
IPv6 MTU
IPv6 requires that the link layer support a minimum MTU size of 1280 bytes. Link layers that do not support this MTU size must provide a link-layer fragmentation and reassembly scheme that is transparent to IPv6. For link layers that can support a configurable MTU size, RFC 2460 recommends that they be configured with an MTU size of at least 1500 bytes (the IPv6 MTU for Ethernet II encapsulation). An example of a configurable MTU is the Maximum Receive Unit (MRU) of a Point-to-Point Protocol (PPP) link.
Like IPv4, IPv6 provides a Path MTU Discovery process that uses the ICMPv6 Packet Too Big message described in the “Path MTU Discovery” section of Chapter 5, “ICMPv6.” Path MTU Discovery allows the transmission of IPv6 packets that are larger than 1280 bytes.
IPv6 source hosts can fragment payloads of upper-layer protocols that are larger than the path MTU by using the process and Fragment header previously described. However, the use of IPv6 fragmentation is highly discouraged. An IPv6 node must be able to reassemble a fragmented packet that is at least 1500 bytes in size.
Table 4-5 lists commonly used local area network (LAN) and wide area network (WAN) technologies and their defined IPv6 MTUs.
Table 4-5 IPv6 MTUs for Common LAN and WAN Technologies
LAN or WAN Technology |
IPv6 MTU |
Ethernet (Ethernet II encapsulation) |
1500 |
|
|
Ethernet (IEEE 802.3 SubNetwork Access Protocol [SNAP] encapsulation) |
1492 |
|
|
IEEE 802.11 |
2312 |
|
|
Token Ring |
Varies |
|
|
Fiber Distributed Data Interface (FDDI) |
4352 |
|
|
Attached Resource Computer Network (ARCNet) |
9072 |
|
|
PPP |
1500 |
|
|
X.25 |
1280 |
|
|
Frame Relay |
1592 |
|
|
Asynchronous Transfer Mode (ATM) (Null or SNAP encapsulation) |
9180 |
|
|