%!PS-Adobe-3.0
%%BoundingBox: 76 24 574 716
%%Title: Enscript Output
%%For: Shahid Raza
%%Creator: GNU enscript 1.6.4
%%CreationDate: Mon Oct 12 12:04:54 2015
%%Orientation: Portrait
%%Pages: (atend)
%%DocumentMedia: Letter 612 792 0 () ()
%%DocumentNeededResources: (atend)
%%EndComments
%%BeginProlog
%%BeginResource: procset Enscript-Prolog 1.6 4
%
% Procedures.
%
% _S: - -> -  take a `save` snapshot of the interpreter state and keep it in
% _s; every page starts with _S and ends with _R so that per-page definitions
% (pagenum, fname, ...) and graphics-state changes are rolled back.
/_S { % save current state
/_s save def
} def
% _R: - -> -  restore the snapshot taken by the matching _S, discarding all
% VM allocations and definitions made since then.
/_R { % restore from saved state
_s restore
} def
% S: - -> -  emit the current page. showpage resets the graphics state, so it
% is wrapped in gsave/grestore to keep the caller's gstate intact.
/S { % showpage protecting gstate
gsave
showpage
grestore
} bind def
% MF: fontname newfontname -> -  clone the font `fontname` into a new font
% dictionary registered as `newfontname`, re-encoded with encoding_vector.
% The /FID entry is skipped because a font's FID is assigned by definefont
% and must not be copied. The encoding is only replaced when encoding_vector
% has exactly 256 entries (a valid PostScript encoding array).
/MF { % fontname newfontname -> - make a new encoded font
/newfontname exch def
/fontname exch def
/fontdict fontname findfont def
/newfont fontdict maxlength dict def
fontdict {
exch
dup /FID eq {
% skip FID pair
pop pop
} {
% copy to the new font dictionary
exch newfont 3 1 roll put
} ifelse
} forall
newfont /FontName newfontname put
% insert only valid encoding vectors
encoding_vector length 256 eq {
newfont /Encoding encoding_vector put
} if
newfontname newfont definefont pop
} def
% MF_PS: fontname newfontname -> -  same clone as MF, but the source font's
% own /Encoding is kept (no encoding_vector substitution). Used for fonts
% whose built-in encoding must survive, e.g. symbol fonts.
/MF_PS { % fontname newfontname -> - make a new font preserving its enc
/newfontname exch def
/fontname exch def
/fontdict fontname findfont def
/newfont fontdict maxlength dict def
fontdict {
exch
dup /FID eq {
% skip FID pair
pop pop
} {
% copy to the new font dictionary
exch newfont 3 1 roll put
} ifelse
} forall
newfont /FontName newfontname put
newfontname newfont definefont pop
} def
% SF: fontname width height -> -  look up `fontname` and make it the current
% font, scaled independently in x (width) and y (height) via a font matrix
% with no shear or offset.
/SF { % fontname width height -> - set a new font
/height exch def
/width exch def
findfont
[width 0 0 height 0 0] makefont setfont
} def
% SUF: fontname width height -> -  re-encode `fontname` with MF under the
% fixed name F-gs-user-font, then select it at the given width/height via SF.
% The intermediate name is reused on every call, so only one user font is
% live at a time.
/SUF { % fontname width height -> - set a new user font
/height exch def
/width exch def
/F-gs-user-font MF
/F-gs-user-font width height SF
} def
% SUF_PS: fontname width height -> -  like SUF, but clones with MF_PS so the
% font keeps its original encoding.
/SUF_PS { % fontname width height -> - set a new user font preserving its enc
/height exch def
/width exch def
/F-gs-user-font MF_PS
/F-gs-user-font width height SF
} def
% Short aliases used by the page bodies: M = moveto, s = show.
/M {moveto} bind def
/s {show} bind def
% Box: x y w h -> -  append a closed rectangle path with lower-left corner
% (x, y), width w and height h to the current path. Only the path is built;
% the caller fills or strokes it. Negative w/h are allowed and simply extend
% the box in the other direction (highlight_bars passes a negative height).
/Box { % x y w h -> - define box path
/d_h exch def /d_w exch def /d_y exch def /d_x exch def
d_x d_y moveto
d_w 0 rlineto
0 d_h rlineto
d_w neg 0 rlineto
closepath
} def
% bgs: x y height blskip gray str -> -  show `str` at (x, y) on top of a
% gray-filled background box. The box spans the string's width, is `height`
% tall and its bottom edge sits `blskip` below the baseline y so descenders
% are covered. The fill happens inside gsave/grestore so the gray level does
% not leak into the text.
/bgs { % x y height blskip gray str -> - show string with bg color
/str exch def
/gray exch def
/blskip exch def
/height exch def
/y exch def
/x exch def
gsave
x y blskip sub str stringwidth pop height Box
gray setgray
fill
grestore
x y M str s
} def
% bgcs: x y height blskip red green blue str -> -  RGB variant of bgs: same
% background-box geometry, but the box is filled with setrgbcolor.
/bgcs { % x y height blskip red green blue str -> - show string with bg color
/str exch def
/blue exch def
/green exch def
/red exch def
/blskip exch def
/height exch def
/y exch def
/x exch def
gsave
x y blskip sub str stringwidth pop height Box
red green blue setrgbcolor
fill
grestore
x y M str s
} def
% Highlight bars.
% highlight_bars: nlines lineheight output_y_margin gray -> -  paint
% alternating gray bands behind the text area, each band `nlines` rows tall,
% in every one of `cols` columns. Relies on d_header_y, d_output_w,
% d_output_h and cols from the setup section.
/highlight_bars { % nlines lineheight output_y_margin gray -> -
gsave
setgray
/ymarg exch def
/lineheight exch def
/nlines exch def
% This 2 is just a magic number to sync highlight lines to text.
0 d_header_y ymarg sub 2 sub translate
% column width and number of text rows that fit between the margins
/cw d_output_w cols div def
/nrows d_output_h ymarg 2 mul sub lineheight div cvi def
% for each column
0 1 cols 1 sub {
cw mul /xp exch def
% for each rows
0 1 nrows 1 sub {
/rn exch def
rn lineheight mul neg /yp exch def
% rows are grouped nlines at a time; every other group gets a bar
rn nlines idiv 2 mod 0 eq {
% Draw highlight bar. 4 is just a magic indentation.
xp 4 add yp cw 8 sub lineheight neg Box fill
} if
} for
} for
grestore
} def
% Line highlight bar.
% line_highlight: x y width height gray -> -  fill a single rectangle with
% the given gray level; the four geometry arguments are passed through to Box.
/line_highlight { % x y width height gray -> -
gsave
/gray exch def
Box gray setgray fill
grestore
} def
% Column separator lines.
% column_lines: - -> -  stroke the cols-1 vertical separator lines between
% text columns, from the footer top (d_footer_h) up through the output area.
% With cols = 1 (as set below) the loop body never runs.
/column_lines {
gsave
.1 setlinewidth
0 d_footer_h translate
/cw d_output_w cols div def
1 1 cols 1 sub {
cw mul 0 moveto
0 d_output_h rlineto stroke
} for
grestore
} def
% Column borders.
% column_borders: - -> -  stroke a thin rectangle around the whole output
% area (d_output_w x d_output_h, sitting on top of the footer).
/column_borders {
gsave
.1 setlinewidth
0 d_footer_h moveto
0 d_output_h rlineto
d_output_w 0 rlineto
0 d_output_h neg rlineto
closepath stroke
grestore
} def
% Do the actual underlay drawing
% draw_underlay: - -> -  render ul_str at the current point: as an outline
% (charpath + stroke) when ul_style is 0, otherwise as filled glyphs (show).
/draw_underlay {
ul_style 0 eq {
ul_str true charpath stroke
} {
ul_str show
} ifelse
} def
% Underlay
% underlay: - -> -  draw ul_str diagonally across the page, from the
% top-left corner towards the bottom-right. dw is the page diagonal length;
% the text is centred along it and shifted half a point size below the line.
/underlay { % - -> -
gsave
0 d_page_h translate
d_page_h neg d_page_w atan rotate
ul_gray setgray
ul_font setfont
/dw d_page_h dup mul d_page_w dup mul add sqrt def
ul_str stringwidth pop dw exch sub 2 div ul_h_ptsize -2 div moveto
draw_underlay
grestore
} def
% user_underlay: - -> -  draw ul_str at a user-chosen position (ul_x, ul_y)
% and angle (ul_angle) instead of the automatic page diagonal.
/user_underlay { % - -> -
gsave
ul_x ul_y translate
ul_angle rotate
ul_gray setgray
ul_font setfont
0 0 ul_h_ptsize 2 div sub moveto
draw_underlay
grestore
} def
% Page prefeed
% page_prefeed: bool -> -  turn printer page prefeed on/off through
% statusdict /prefeed. Devices that do not expose /prefeed simply have the
% boolean popped, so the call is safe on any interpreter.
/page_prefeed { % bool -> -
statusdict /prefeed known {
statusdict exch /prefeed exch put
} {
pop
} ifelse
} def
% Wrapped line markers
% wrapped_line_mark: x y charwidth charheight type -> -  draw the marker
% that flags a line continued from the previous one. type 2 draws a filled
% box half a character wide; type 3 draws a small hooked arrow; any other
% type draws nothing (the arguments are consumed either way).
/wrapped_line_mark { % x y charwith charheight type -> -
/type exch def
/h exch def
/w exch def
/y exch def
/x exch def
type 2 eq {
% Black boxes (like TeX does)
gsave
0 setlinewidth
x w 4 div add y M
0 h rlineto w 2 div 0 rlineto 0 h neg rlineto
closepath fill
grestore
} {
type 3 eq {
% Small arrows
gsave
.2 setlinewidth
x w 2 div add y h 2 div add M
w 4 div 0 rlineto
x w 4 div add y lineto stroke
x w 4 div add w 8 div add y h 4 div add M
x w 4 div add y lineto
w 4 div h 8 div rlineto stroke
grestore
} {
% do nothing
} ifelse
} ifelse
} def
% EPSF import.
% BeginEPSF: - -> -  prepare to include an embedded EPS file: snapshot VM,
% remember the dictionary- and operand-stack depths so EndEPSF can unwind
% whatever the EPS leaves behind, neutralise showpage, and reset the
% graphics-state parameters an EPS is allowed to assume. On Level 2+
% interpreters stroke adjustment and overprint are switched off as well.
/BeginEPSF {
/b4_Inc_state save def % Save state for cleanup
/dict_count countdictstack def % Count objects on dict stack
/op_count count 1 sub def % Count objects on operand stack
userdict begin
/showpage { } def
0 setgray 0 setlinecap
1 setlinewidth 0 setlinejoin
10 setmiterlimit [ ] 0 setdash newpath
/languagelevel where {
pop languagelevel
1 ne {
false setstrokeadjust false setoverprint
} if
} if
} bind def
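% EndEPSF: - -> -  undo BeginEPSF: discard any operands and dictionaries the
% included EPS left on the stacks, then restore the saved VM state.
% Fix: the original repeated `pos`, which is not a PostScript operator, so
% any EPS that left operands on the stack raised /undefined here instead of
% being cleaned up; `pop` is the intended operator.
/EndEPSF {
count op_count sub { pop } repeat % Clean up stacks
countdictstack dict_count sub { end } repeat
b4_Inc_state restore
} bind def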
% Check PostScript language level.
% Record the interpreter's language level in gs_languagelevel, defaulting to
% 1 when the `languagelevel` operator does not exist (Level 1 printers).
% The setup section uses it to decide whether setpagedevice is available.
/languagelevel where {
pop /gs_languagelevel languagelevel def
} {
/gs_languagelevel 1 def
} ifelse
%%EndResource
%%BeginResource: procset Enscript-Encoding-88591 1.6 4
% ISO 8859-1 encoding vector: 64 rows of 4 glyph names = 256 entries, which
% is exactly the length MF checks before installing it as a font /Encoding.
% Codes 0-31 and 127-159 are /.notdef; 32-126 are ASCII; 160-255 are Latin-1.
/encoding_vector [
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/space /exclam /quotedbl /numbersign
/dollar /percent /ampersand /quoteright
/parenleft /parenright /asterisk /plus
/comma /hyphen /period /slash
/zero /one /two /three
/four /five /six /seven
/eight /nine /colon /semicolon
/less /equal /greater /question
/at /A /B /C
/D /E /F /G
/H /I /J /K
/L /M /N /O
/P /Q /R /S
/T /U /V /W
/X /Y /Z /bracketleft
/backslash /bracketright /asciicircum /underscore
/quoteleft /a /b /c
/d /e /f /g
/h /i /j /k
/l /m /n /o
/p /q /r /s
/t /u /v /w
/x /y /z /braceleft
/bar /braceright /tilde /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/.notdef /.notdef /.notdef /.notdef
/space /exclamdown /cent /sterling
/currency /yen /brokenbar /section
/dieresis /copyright /ordfeminine /guillemotleft
/logicalnot /hyphen /registered /macron
/degree /plusminus /twosuperior /threesuperior
/acute /mu /paragraph /bullet
/cedilla /onesuperior /ordmasculine /guillemotright
/onequarter /onehalf /threequarters /questiondown
/Agrave /Aacute /Acircumflex /Atilde
/Adieresis /Aring /AE /Ccedilla
/Egrave /Eacute /Ecircumflex /Edieresis
/Igrave /Iacute /Icircumflex /Idieresis
/Eth /Ntilde /Ograve /Oacute
/Ocircumflex /Otilde /Odieresis /multiply
/Oslash /Ugrave /Uacute /Ucircumflex
/Udieresis /Yacute /Thorn /germandbls
/agrave /aacute /acircumflex /atilde
/adieresis /aring /ae /ccedilla
/egrave /eacute /ecircumflex /edieresis
/igrave /iacute /icircumflex /idieresis
/eth /ntilde /ograve /oacute
/ocircumflex /otilde /odieresis /divide
/oslash /ugrave /uacute /ucircumflex
/udieresis /yacute /thorn /ydieresis
] def
%%EndResource
%%EndProlog
%%BeginSetup
%%IncludeResource: font Courier-Bold
%%IncludeResource: font Courier
% Document setup: fonts, page device and layout geometry shared by all pages.
% Header font HF is Courier-Bold 10x10 pt; the body font is Courier 10x10 pt,
% both re-encoded through MF so Latin-1 text renders correctly.
/HFpt_w 10 def
/HFpt_h 10 def
/Courier-Bold /HF-gs-font MF
/HF /HF-gs-font findfont [HFpt_w 0 0 HFpt_h 0 0] makefont def
/Courier /F-gs-font MF
/F-gs-font 10 10 SF
/#copies 1 def
% Pagedevice definitions:
% setpagedevice only exists from Level 2 on; Level 1 printers skip this.
gs_languagelevel 1 gt {
<<
/PageSize [612 792]
>> setpagedevice
} if
% Printable area is 498x692 pt inside the 612x792 Letter page (the pages
% translate by 76,24 to reach it); header and footer have zero height, so
% the output area covers the whole printable area in a single column.
/d_page_w 498 def
/d_page_h 692 def
/d_header_x 0 def
/d_header_y 692 def
/d_header_w 498 def
/d_header_h 0 def
/d_footer_x 0 def
/d_footer_y 0 def
/d_footer_w 498 def
/d_footer_h 0 def
/d_output_w 498 def
/d_output_h 692 def
/cols 1 def
%%EndSetup
%%Page: (1) 1
%%BeginPageSetup
% Page 1: title block, abstract and boilerplate of draft-raza-6lo-ipsec-02.
% Each text line is placed with `x y M (text) s`; lines are 11 pt apart.
_S
76 24 translate
/pagenum 1 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 635 M
(6Lo Working Group S. Raza) s
5 624 M
(Internet-Draft S. Duquennoy) s
5 613 M
(Intended Status: Standard Track SICS, Stockholm) s
5 602 M
( G. Selander) s
5 591 M
( Ericsson, Stockholm) s
5 580 M
(Expires: April 14, 2016 October 12, 2015) s
5 547 M
( Compression of IPsec AH and ESP Headers for Constrained Environments) s
5 536 M
( draft-raza-6lo-ipsec-02) s
5 514 M
(Abstract) s
5 492 M
( This document describes the header compression mechanisms for IPsec) s
5 481 M
( [RFC4301] based on the encoding scheme standardized in [RFC6282]. The) s
5 470 M
( IPsec Authentication Header \(AH\) and Encapsulated Security Payload) s
5 459 M
( \(ESP\) headers are compressed using Next Header Compression \(NHC\)) s
5 448 M
( defined in [RFC6282]. This document does not invalidate any encoding) s
5 437 M
( schemes proposed in 6LoWPAN [RFC6282] but rather complements it with) s
5 426 M
( compressed IPsec AH and ESP headers using the free bits in the IPv6) s
5 415 M
( Extension Header encoding. Also, this document does not require any) s
5 404 M
( changes in a conventional IPsec host on the Internet; the header) s
5 393 M
( compression is applied only at the 6LoWPAN layer and is effective) s
5 382 M
( within 6LoWPAN networks.) s
5 360 M
(Status of this Memo) s
5 338 M
( This Internet-Draft is submitted in full conformance with the) s
5 327 M
( provisions of BCP 78 and BCP 79.) s
5 305 M
( Internet-Drafts are working documents of the Internet Engineering) s
5 294 M
( Task Force \(IETF\). Note that other groups may also distribute) s
5 283 M
( working documents as Internet-Drafts. The list of current Internet-) s
5 272 M
( Drafts is at http://datatracker.ietf.org/drafts/current/.) s
5 250 M
( Internet-Drafts are draft documents valid for a maximum of six months) s
5 239 M
( and may be updated, replaced, or obsoleted by other documents at any) s
5 228 M
( time. It is inappropriate to use Internet-Drafts as reference) s
5 217 M
( material or to cite them other than as "work in progress.") s
5 195 M
% NOTE(review): the expiry date in the next line (December 24, 2015) does
% not match the "Expires: April 14, 2016" given in the header and footer of
% this page; one of them is stale.
( This Internet-Draft will expire on December 24, 2015.) s
5 162 M
(Copyright and License Notice) s
5 140 M
( Copyright \(c\) 2015 IETF Trust and the persons identified as the) s
5 129 M
( document authors. All rights reserved.) s
5 74 M
(Raza Expires April 14, 2016 [Page 1]) s
_R
S
%%Page: (2) 2
%%BeginPageSetup
% Page 2: license notice and table of contents.
_S
76 24 translate
/pagenum 2 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 668 M
(INTERNET DRAFT IPsec-for-6LoWPAN October 12, 2015) s
5 635 M
( This document is subject to BCP 78 and the IETF Trust's Legal) s
5 624 M
( Provisions Relating to IETF Documents) s
5 613 M
( \(http://trustee.ietf.org/license-info\) in effect on the date of) s
5 602 M
( publication of this document. Please review these documents) s
5 591 M
( carefully, as they describe your rights and restrictions with respect) s
5 580 M
( to this document. Code Components extracted from this document must) s
5 569 M
( include Simplified BSD License text as described in Section 4.e of) s
5 558 M
( the Trust Legal Provisions and are provided without warranty as) s
5 547 M
( described in the Simplified BSD License.) s
5 514 M
(Table of Contents) s
5 492 M
( 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3) s
5 481 M
( 1.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . 4) s
5 470 M
( 2. Linking IPsec Headers Compression with 6LoWPAN . . . . . . . . 4) s
5 459 M
( 3. LOWPAN_NHC for Authentication Header . . . . . . . . . . . . . 4) s
5 448 M
( 4. LOWPAN_NHC for Encapsulated Security Payload \(ESP\) . . . . . . 6) s
5 437 M
( 5. Implementation Considerations . . . . . . . . . . . . . . . . . 8) s
5 426 M
( 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 8) s
5 415 M
( 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8) s
5 404 M
% NOTE(review): the numbering jumps from 7 to 9 here; the body headings on
% pages 8 and 9 do the same, so section 8 is simply absent rather than
% missing from the table.
( 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9) s
5 393 M
( 9.1. Normative References . . . . . . . . . . . . . . . . . . . 9) s
5 382 M
( 9.2. Informative References . . . . . . . . . . . . . . . . . . 10) s
5 371 M
( Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10) s
5 74 M
(Raza Expires April 14, 2016 [Page 2]) s
_R
S
%%Page: (3) 3
%%BeginPageSetup
% Page 3: Section 1, Introduction (continues onto page 4).
_S
76 24 translate
/pagenum 3 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 668 M
(INTERNET DRAFT IPsec-for-6LoWPAN October 12, 2015) s
5 635 M
(1 Introduction) s
5 613 M
( [RFC6282] defines how IPv6 datagrams can be routed over IEEE 802.15.4) s
5 602 M
( [IEEE802.15.4]-based networks. [RFC6282] defines header compression) s
5 591 M
( schemes that can significantly reduce the size of IP, IP extension,) s
5 580 M
( and UDP headers. This enables the routing of heavy-weight IP traffic) s
5 569 M
( to resource-constrained [IEEE802.15.4]-based wireless networks. The) s
5 558 M
( security in [IEEE802.15.4]-based IP networks or what is more commonly) s
5 547 M
( known as 6LoWPAN networks is particularly important when we connect) s
5 536 M
( vulnerable wireless networks with the insecure Internet. The) s
5 525 M
( standardized and SHOULD be supported security solution for IPv6 is IP) s
5 514 M
( security \(IPsec\) [RFC4301][RFC6434]. This means that every IPv6 host) s
5 503 M
( on the Internet SHOULD be able to process IP packets secured with) s
5 492 M
( IPsec. IPsec, in transport mode, can provide end-to-end \(E2E\) secure) s
5 481 M
( communication between two hosts in the Internet. Thus, it is) s
5 470 M
( beneficial to extend 6LoWPAN so that IPsec communication between an) s
5 459 M
( IPv6 device \(e.g. a sensor node\) in 6LoWPAN networks and a IPv6 host) s
5 448 M
( on the Internet becomes possible. This document does not cover the) s
5 437 M
( tunnel mode of IPsec.) s
5 415 M
( Unlike IPv4, IPv6 ICMPv6 messages are protected by IPsec. As the RPL) s
5 404 M
( Control Message [RFC6550] is an ICMPv6 message, it is therefore) s
5 393 M
( possible to protect it with IPsec. However, all RPL Control) s
5 382 M
( Messages, except DAO / DAO-ACK messages in non-storing mode, are) s
5 371 M
( exchanged between two neighboring devices and have the scope of a) s
5 360 M
( link. Though IPsec security associations can be created between two) s
5 349 M
( neighboring devices, IEEE 802.15.4 security at the link layer is more) s
5 338 M
( suitable for per-hop protection, and IPsec in transport mode can be) s
5 327 M
( used to protect DAO/DAO-ACK messages in non-storing mode.) s
5 316 M
% NOTE(review): the spoofing claim in the next lines rests on the source
% address being covered by AH's ICV; the text does not say so, but this can
% only hold for packets that actually carry AH under an established SA.
( Furthermore, as the IP address is a part of IPsec AH integrity) s
5 305 M
( protection, IPsec can protect against the IP spoofing attack that is) s
5 294 M
( one of the most likely attacks against constrained nodes running IP.) s
5 283 M
( Though IPv6 stateless address auto-configuration is proposed, it is) s
5 272 M
( not a requirement for IPv6 hosts. IPv6 addresses are assigned to) s
5 261 M
( resource-constrained nodes in 6LoWPAN networks at the deployment time) s
5 250 M
( and they most likely stay the same during the lifetime of a nodes) s
5 239 M
( unless manually changed through software/firmware updates. Address) s
5 228 M
( auto-configurations for 6LoWPAN networks that ensure end-to-end) s
5 217 M
( connectivity is in fact out of question unless an efficient and) s
5 206 M
( suitable mechanism is developed targeting 6loWPAN networks. Though) s
5 195 M
( mostly there is only one application running in a 6LoWPAN node, IPv6) s
5 184 M
( offers potentially unlimited address space which allows using) s
5 173 M
( multiple IPv6 addresses for a simple 6LoWPAN node, hence allowing) s
5 162 M
( unique IPsec security association per application. Also, if IPsec is) s
5 151 M
( using IKE [RFC7427] unique security association per application can) s
5 140 M
( be dynamically established.) s
5 118 M
% The paragraph started here continues on page 4.
( There are previous proposals to compress IPsec headers. Those) s
5 74 M
(Raza Expires April 14, 2016 [Page 3]) s
_R
S
%%Page: (4) 4
%%BeginPageSetup
% Page 4: end of Section 1, Section 1.1 Terminology, Section 2, and the
% heading of Section 3 (whose body starts on page 5).
_S
76 24 translate
/pagenum 4 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 668 M
(INTERNET DRAFT IPsec-for-6LoWPAN October 12, 2015) s
5 635 M
( compression schemes are applicable to any Internet host and are not) s
5 624 M
( specific to resource-constrained 6LoWPAN networks. Migault et al.) s
5 613 M
( [draft-mglt-6lo-diet-esp-01][draft-mglt-6lo-aes-implicit-iv-01]) s
5 602 M
( propose compressing IPsec but require corresponding modifications in) s
5 591 M
( the conventional Internet host. Similarly, the RObust Header) s
5 580 M
( Compression \(ROHC\) [RFC5795][RFC5856] is an efficient and flexible) s
5 569 M
( header compression concept but targeted to any Internet host and is) s
5 558 M
( not specific to 6LoWPAN network. These previous schemes plus Generic) s
5 547 M
( Header Compression [RFC7400] are complementary to our approach. Our) s
5 536 M
( header compression mechanisms are confined to 6LoWPAN networks and do) s
5 525 M
( not require any change in the IPsec AH and ESP standards or in a) s
5 514 M
( conventional IPsec host on the Internet.) s
5 492 M
( It is desirable to complement 6LoWPAN header compression with IPsec) s
5 481 M
( to keep packet sizes reasonable in resource constrained) s
5 470 M
( [IEEE802.15.4]-based network. There are no header compression) s
5 459 M
( specified for IPsec's AH[RFC4302] and ESP[RFC4303] extension headers) s
5 448 M
( for 6LoWPAN networks. This draft therefore proposes AH and ESP) s
5 437 M
( extension header encoding schemes.) s
5 415 M
(1.1 Terminology) s
5 393 M
( The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",) s
5 382 M
( "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this) s
5 371 M
% NOTE(review): the citation anchor [RFC2119] used in the next line does not
% appear in the reference list on page 9, which lists RFC 2119 under the
% anchor [KEYWORDS].
( document are to be interpreted as described in RFC 2119 [RFC2119].) s
5 338 M
(2. Linking IPsec Headers Compression with 6LoWPAN) s
5 316 M
( [RFC6282] defines the general format of NHC that can be used to) s
5 305 M
( encode IP extension headers. [RFC6282] already defines an NHC) s
5 294 M
( encoding for IPv6 Extension Headers \(NHC_EH\) that can be used to link) s
5 283 M
( uncompressed AH and ESP headers to the 6LoWPAN header compression. In) s
5 272 M
( order to compress the IP extension headers a GHC byte for Extension) s
5 261 M
( Header \(GHC_EH\) [RFC7400] is proposed which has the same layout as) s
5 250 M
( NHC_EH with different ID bits. NHC_EH and GHC_EH consist of an octet) s
5 239 M
( where three bits \(bits 4, 5 and 6\) are used to encode the IPv6) s
5 228 M
( Extension Header ID \(EID\). Out of eight possible values for the EID,) s
5 217 M
( six are assigned and the remaining two slots \(101 and 110\) are) s
5 206 M
( currently unassigned. As AH and ESP are IP extension headers it makes) s
5 195 M
( sense to use one of these unassigned slots for the IPsec headers. We) s
5 184 M
( propose to use the reserved slot 101 for the IPsec headers, AH or) s
5 173 M
( ESP. The corresponding ID field in the AH or ESP will distinguish) s
5 162 M
( these headers from each other. It is also necessary to set the NH bit) s
5 151 M
( in NHC_EH or GHC_EH to 1 to specify that the next header \(a header) s
5 140 M
( after AH or ESP, e.g. UDP\) is NHC-encoded.) s
5 118 M
(3. LOWPAN_NHC for Authentication Header) s
5 74 M
(Raza Expires April 14, 2016 [Page 4]) s
_R
S
%%Page: (5) 5
%%BeginPageSetup
% Page 5: Section 3, the LOWPAN_NHC encoding for AH (Figure 1) and the
% meaning of the SPI and SN bit pairs.
_S
76 24 translate
/pagenum 5 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 668 M
(INTERNET DRAFT IPsec-for-6LoWPAN October 12, 2015) s
5 635 M
( 6LoWPAN can be used to compress a significant number of bits in AH.) s
5 624 M
( The next header is decided based on the value of NH bit in the IPv6) s
5 613 M
( Extension Header Encoding in [RFC6282]. This draft proposes to always) s
5 602 M
( elide the length field. The payload length field \(the length of AH) s
5 591 M
( header in 32-bit words units minus "2" [RFC4302]\) in the AH header is) s
5 580 M
( always elided, as it can be inferred from the lower layers: either) s
5 569 M
( from the IEEE 802.15.4 header or the 6LoWPAN header. The size of ICV) s
5 558 M
( can be obtained from the SPI value because the length of the) s
5 547 M
( authenticating data depend on the the algorithm used and are fixed) s
5 536 M
( for any input size. The RESERVED field in the AH header is also) s
5 525 M
( always elided. The SPI and SN are compressed using the proposed NHC) s
5 514 M
( encoding for the AH header shown in Figure 1 and are explained) s
5 503 M
( below.) s
5 481 M
( 0 1 2 3 4 5 6 7) s
5 470 M
( +---+---+---+---+---+---+---+---+) s
5 459 M
( | 1 | 1 | 0 | 1 | SPI | SN |) s
5 448 M
( +---+---+---+---+---+---+---+---+) s
5 426 M
( Figure 1: Proposed LOWPAN NHC encoding for AH) s
5 404 M
( o The first four bits in the NHC AH represent the NHC ID we define) s
5 393 M
( for AH. These are set to 1101.) s
5 371 M
( o If SPI = 00: the default SPI for the IEEE 802.15.4 network is used) s
5 360 M
( and the SPI field is omitted. We set the default SPI value to 1.) s
5 349 M
( This does not mean that all nodes use the same security) s
5 338 M
( association \(SA\), but that every node has a single preferred SA,) s
5 327 M
( identified by SPI 1. If SPI = 01: the least significant 8 bits of) s
5 316 M
( the SPI are carried inline; the remaining 24 bits are elided. If) s
5 305 M
( SPI = 10: the least significant 16 bits of the SPI are carried) s
5 294 M
( inline; the remaining 16 bits are elided. If SPI = 11: All 32) s
5 283 M
( bits of the SPI are carried inline.) s
5 261 M
( o If SN = 00: the least significant 8 bits of sequence number are) s
5 250 M
( carried inline. The remaining bits are elided. If SN = 01: the) s
5 239 M
( least significant 16 bits of the SN are carried inline; the) s
5 228 M
% NOTE(review): the SN bullet switches to "SPI" from this point ("If SPI =
% 10", "If SPI = 11", "bits of the SPI"). By symmetry with the SPI bullet
% above this presumably means SN; an implementer following the literal text
% would mis-decode the 24- and 32-bit sequence-number cases. Confirm with
% the authors.
( remaining 16 bits are elided. If SPI = 10: the least significant) s
5 217 M
( 24 bits of the SPI are carried inline; the remaining 8 bits are) s
5 206 M
( elided. If SPI = 11: All 32 bits of the SPI are carried inline.) s
5 184 M
( The sequence number field in the AH header [RFC4302] contains a) s
5 173 M
( value 1 for the first packet sent using a given Security) s
5 162 M
( Association \(SA\), and it is incremented sequentially for the) s
5 151 M
( subsequent packets. Note that by using 8-bit sequence number we do) s
5 140 M
( not limit the size of sequence number to 255, but propose to use 8) s
5 129 M
( bits for the sequence number prior to the transmission of the) s
5 118 M
% NOTE(review): "2^\(16-1\)" in the next line reads as 2^15; from the
% context (8-bit form up to the 256th packet, then 16-bit) the intended
% upper bound is presumably 2^16 - 1.
( 256th packet on an SA. From the 2^8 to 2^\(16-1\) we propose to use) s
5 74 M
(Raza Expires April 14, 2016 [Page 5]) s
_R
S
%%Page: (6) 6
%%BeginPageSetup
% Page 6: end of Section 3 (overhead accounting and Figure 2) and the start
% of Section 4, ESP.
_S
76 24 translate
/pagenum 6 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 668 M
(INTERNET DRAFT IPsec-for-6LoWPAN October 12, 2015) s
5 635 M
( 16-bit sequence number. Follow the same procedure for the 24-bit) s
5 624 M
( sequence number as well. However, the sender and the receiver) s
5 613 M
( sequence number counters must be reset prior to sending 2^32nd) s
5 602 M
( packet as proposed in [RFC4302].) s
5 580 M
( Note that even when used in 6LoWPAN, AH calculates the ICV on the) s
5 569 M
( uncompressed IP header, thus allowing authenticated communication) s
5 558 M
( with Internet hosts. The minimum length of a standard AH, supporting) s
5 547 M
( the mandatory HMAC-SHA1-96[RFC4835], consists of 12 bytes of header) s
5 536 M
( fields plus 12 bytes of ICV. Figure 2 shows a sample NHC compressed) s
5 525 M
( IP/UDP packet secured with AH. Using NHC encoding for the AH we can) s
5 514 M
% Overhead arithmetic as stated: 1+1+2+4+2 = 10 bytes elided from 24 gives
% 14, minus the 2 bytes of NHC_EH/NHC_AH added back gives the 8-byte saving.
( reduce the AH header overhead from 24 bytes to 14 bytes: 1 byte of) s
5 503 M
( next header, 1 byte of length, 2 bytes of Reserved field, 4 bytes of) s
5 492 M
( SPI, and 2 bytes of sequence number. However, two additional bytes) s
5 481 M
( are used to define NHC_EH and NHC_AH. Therefore, in the best case,) s
5 470 M
( with AES-XCBC-MAC-96 [RFC3566] or HMAC-SHA1-96 ciphers \(when 12 bytes) s
5 459 M
( are used for ICV\), applying NHC encoding for AH saves 8 bytes in each) s
5 448 M
( data packet secured with IPsec AH.) s
5 426 M
( | octet 1 | octet 2 | octet 1 | octet 1 |) s
5 415 M
( +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+) s
5 404 M
( | LOWPAN_IPHC | Hop Limit | Source Address|) s
5 393 M
( +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+) s
5 382 M
( | Source Address| Destination Address | LOWPAN_NHC_EH |) s
5 371 M
( +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+) s
5 360 M
( | LOWPAN_NHC_AH | Sequence Number | |) s
5 349 M
( +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +) s
5 338 M
( | |) s
5 327 M
( + +) s
5 316 M
( | Integrity Check Value-ICV \(Variable\) |) s
5 305 M
( + +-+-+-+-+-+-+-+-+) s
5 294 M
( | | LOWPAN_NHC_UDP|) s
5 283 M
( +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+) s
5 272 M
( |S Port | D Port| |) s
5 261 M
( +-+-+-+-+-+-+-+-+ +) s
5 250 M
( | |) s
5 239 M
( + +) s
5 228 M
( | UDP Payload \(Variable\) |) s
5 217 M
( + +) s
5 206 M
( | |) s
5 195 M
( +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+) s
5 173 M
( Figure 2: A sample NHC compressed IP/UDP packet secured with AH.) s
5 151 M
(4. LOWPAN_NHC for Encapsulated Security Payload \(ESP\)) s
5 129 M
( The encryption in the IPsec ESP includes Payload Data, Padding, Pad) s
5 118 M
( Length and Next Header fields in the ESP. Therefore, we cannot) s
5 74 M
(Raza Expires April 14, 2016 [Page 6]) s
_R
S
%%Page: (7) 7
%%BeginPageSetup
% Page 7: Section 4, the LOWPAN_NHC encoding for ESP (Figure 3) and the
% first part of Figure 4 (continued on page 8).
_S
76 24 translate
/pagenum 7 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 668 M
(INTERNET DRAFT IPsec-for-6LoWPAN October 12, 2015) s
5 635 M
( compress these fields at the 6LoWPAN layer, and these fields are) s
5 624 M
( always carried inline. Also, when using ESP the UDP header and) s
5 613 M
( payload is also encrypted, hence cannot be compressed using NHC) s
5 602 M
( encodings for UDP defined in the [RFC6282]. However, we can compress) s
5 591 M
( the SPI and and sequence number \(SN\) fields in the ESP header. Figure) s
5 580 M
( 3 shows a proposed NHC encodings for the ESP that are explained) s
5 569 M
( below.) s
5 547 M
( 0 1 2 3 4 5 6 7) s
5 536 M
( +---+---+---+---+---+---+---+---+) s
5 525 M
( | 1 | 1 | 1 | 0 | SPI | SN |) s
5 514 M
( +---+---+---+---+---+---+---+---+) s
5 492 M
( Figure 3: Proposed LOWPAN NHC encoding for ESP) s
5 470 M
( o The first four bits in the NHC ESP represent the NHC ID we define) s
5 459 M
( for ESP. These are set to 1110.) s
5 437 M
( o The SPI and SN bits are encoded exactly the same way as in) s
5 426 M
( Section 3 for the AH header.) s
5 404 M
( In case of ESP we cannot skip the next header unless the end hosts) s
5 393 M
( are able to execute 6LoWPAN compression/decompression and) s
5 382 M
( encryption/decryption jointly. The nodes in the 6LoWPAN network make) s
5 371 M
( their decision about the next header based on the NH value not the) s
5 360 M
( actual header that is carried inline. In the case of ESP we MUST set) s
5 349 M
( the NH value in the NHC_EH or GHC_EH to zero to indicate that the) s
5 338 M
( full 8 bits of next header field are carried inline.) s
5 316 M
% NOTE(review): Figure 4 below does not mark which span is encrypted. Per
% the text on page 6 the UDP header, payload, Pad, Pad Length and Next Header
% are all inside the ESP ciphertext; readers should not take the named UDP
% fields as being visible to 6LoWPAN nodes.
( | octet 1 | octet 2 | octet 1 | octet 1 |) s
5 305 M
( +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+) s
5 294 M
( | LOWPAN_IPHC | Hop Limit | Source Address|) s
5 283 M
( +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+) s
5 272 M
( | Source Address| Destination Address | LOWPAN_NHC_EH |) s
5 261 M
( +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+) s
5 250 M
( | LOWPAN_NHC_ESP| Sequence Number | IV |) s
5 239 M
( +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+) s
5 228 M
( | Initialization Vector \(IV\) [Variable Size] | Source Port |) s
5 217 M
( +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+) s
5 206 M
( | Source Port | Destination Port | Length |) s
5 195 M
( +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+) s
5 184 M
( | Length | Checksum | |) s
5 173 M
( +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +) s
5 162 M
( | UDP Payload \(Variable\) |) s
5 151 M
( +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+) s
5 140 M
( | Pad | Pad Length | Next Header |) s
5 129 M
( +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+) s
5 118 M
( | |) s
5 74 M
(Raza Expires April 14, 2016 [Page 7]) s
_R
S
%%Page: (8) 8
%%BeginPageSetup
_S
76 24 translate
/pagenum 8 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 668 M
(INTERNET DRAFT IPsec-for-6LoWPAN October 12, 2015) s
5 635 M
( + +) s
5 624 M
( | Integrity Check Value \(Variable\) |) s
5 613 M
( + +) s
5 602 M
( | |) s
5 591 M
( +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+) s
5 569 M
( Figure 4: A sample NHC compressed IP/UDP packet secured with ESP.) s
5 547 M
( With perfect block alignment, the minimum ESP overhead without) s
5 536 M
( authentication is 10 bytes [RFC4303]. After optimal compression this) s
5 525 M
( header overhead is reduced to 6 bytes, considering that two bytes are) s
5 514 M
( used for NHC_EH and NHC_ESP. ESP also includes an IV which is equal) s
5 503 M
( to the size of an encryption block; 16 bytes in the case of AES. If) s
5 492 M
( authentication is enabled in the ESP, additional 12 bytes of ICV are) s
5 481 M
( also required. Figure 4 shows an UDP/IP packet secured with) s
5 470 M
( compressed ESP.) s
5 437 M
(5. Implementation Considerations) s
5 415 M
( We provide an open source implementation of the proposed compression) s
5 404 M
( scheme in the Contiki operating system. The implementation is) s
5 393 M
( released under BSD license and can be obtained through the) s
5 382 M
( contikiprojects repository at the following URI:) s
5 371 M
( svn://svn.code.sf.net/p/contikiprojects/code/sics.se/ipsec) s
5 349 M
(6. Security Considerations) s
5 327 M
( The compression scheme proposed in this document does not compromise) s
5 316 M
( any security properties provided by IPsec AH and ESP. In particular,) s
5 305 M
( the SN field is compressed in an on-demand fashion, as described in) s
5 294 M
( Section 3. In order to overcome replay attacks, it is recommended) s
5 283 M
( that the communication end-points should re-establish a security) s
5 272 M
( association before the sequence number overflows. However, in) s
5 261 M
( constrained environments, different implementations can decide the) s
5 250 M
( overflow size; 2^8, 2^16, 2^24, or 2^32. This leads to a trade-off) s
5 239 M
( between the overhead incurred by establishing a new security) s
5 228 M
( association and by sending more bits of sequence number. The) s
5 217 M
( Initialization Vector \(IV\) and Integrity Check Value \(ICV\) are also) s
5 206 M
( not compressed to take full advantage of IPsec AH and ESP security.) s
5 184 M
(7. IANA Considerations) s
5 162 M
( [RFC6282] creates a new IANA registry for the LOWPAN_NHC header type) s
5 151 M
( where the two slots, 1110101N and 1110110N, in LOWPAN_NHC for the) s
5 140 M
( IPv6 Extension Header are unassigned. This document requests the) s
5 129 M
( assignment of one of these two unassigned values, 1110101N, to IPsec) s
5 118 M
( AH and ESP. This document also requests the assignment of the following) s
5 74 M
(Raza Expires April 14, 2016 [Page 8]) s
_R
S
%%Page: (9) 9
%%BeginPageSetup
_S
76 24 translate
/pagenum 9 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 668 M
(INTERNET DRAFT IPsec-for-6LoWPAN October 12, 2015) s
5 635 M
( contents:) s
5 613 M
( 1101XXYY: The 6LOWPAN_NHC encoding for the IPsec Authentication) s
5 602 M
( Header.) s
5 580 M
( 1110XXYY: The 6LOWPAN_NHC encoding for the IPsec Encapsulated) s
5 569 M
( Security Payload Header.) s
5 547 M
( Capital letters in bit positions represent class-specific bit) s
5 536 M
( assignments. The letters XX and YY represent SPI and SN) s
5 525 M
( respectively, as defined in Section 3.) s
5 481 M
(9. References) s
5 459 M
(9.1. Normative References) s
5 437 M
( [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate) s
5 426 M
( Requirement Levels", BCP 14, RFC 2119, DOI) s
5 415 M
( 10.17487/RFC2119, March 1997, <http://www.rfc-) s
5 404 M
( editor.org/info/rfc2119>.) s
5 382 M
( [RFC4301] Kent, S. and K. Seo, "Security Architecture for the) s
5 371 M
( Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,) s
5 360 M
( December 2005, <http://www.rfc-editor.org/info/rfc4301>.) s
5 338 M
( [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, DOI) s
5 327 M
( 10.17487/RFC4302, December 2005, <http://www.rfc-) s
5 316 M
( editor.org/info/rfc4302>.) s
5 294 M
( [RFC4303] Kent, S., "IP Encapsulating Security Payload \(ESP\)",) s
5 283 M
( RFC 4303, DOI 10.17487/RFC4303, December 2005,) s
5 272 M
( <http://www.rfc-editor.org/info/rfc4303>.) s
5 250 M
( [RFC6282] Hui, J., Ed., and P. Thubert, "Compression Format for IPv6) s
5 239 M
( Datagrams over IEEE 802.15.4-Based Networks", RFC 6282,) s
5 228 M
( DOI 10.17487/RFC6282, September 2011, <http://www.rfc-) s
5 217 M
( editor.org/info/rfc6282>.) s
5 195 M
( [RFC6434] Jankiewicz, E., Loughney, J., and T. Narten, "IPv6 Node) s
5 184 M
( Requirements", RFC 6434, DOI 10.17487/RFC6434, December) s
5 173 M
( 2011, <http://www.rfc-editor.org/info/rfc6434>.) s
5 151 M
( [RFC7400] Bormann, C., "6LoWPAN-GHC: Generic Header Compression for) s
5 140 M
( IPv6 over Low-Power Wireless Personal Area Networks) s
5 129 M
( \(6LoWPANs\)", RFC 7400, November 2014) s
5 74 M
(Raza Expires April 14, 2016 [Page 9]) s
_R
S
%%Page: (10) 10
%%BeginPageSetup
_S
76 24 translate
/pagenum 10 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 668 M
(INTERNET DRAFT IPsec-for-6LoWPAN October 12, 2015) s
5 635 M
(9.2. Informative References) s
5 613 M
( [draft-mglt-6lo-diet-esp-01] Migault, D., Guggemos, T., "Diet-ESP: a) s
5 602 M
( flexible and compressed format for IPsec/ESP", August) s
5 591 M
( 2015, <https://tools.ietf.org/html/draft-mglt-6lo-diet-) s
5 580 M
( esp-01>) s
5 558 M
( [draft-mglt-6lo-aes-implicit-iv-01] Migault, D., Guggemos, T.,) s
5 547 M
( "Implicit IV for AES-CBC, AES-CTR, AES-CCM and AES-GCM",) s
5 536 M
( August 2015, <https://tools.ietf.org/html/draft-mglt-6lo-) s
5 525 M
( aes-implicit-iv-01>) s
5 503 M
( [RFC3095] Bormann, C., Burmeister, C., Degermark, M., Fukushima, H.,) s
5 492 M
( Hannu, H., Jonsson, L-E., Hakenberg, R., Koren, T., Le,) s
5 481 M
( K., Liu, Z., Martensson, A., Miyazaki, A., Svanbro, K.,) s
5 470 M
( Wiebke, T., Yoshimura, T., and H. Zheng, "RObust Header) s
5 459 M
( Compression \(ROHC\): Framework and four profiles: RTP, UDP,) s
5 448 M
( ESP, and uncompressed", RFC 3095, DOI 10.17487/RFC3095,) s
5 437 M
( July 2001, <http://www.rfc-editor.org/info/rfc3095>.) s
5 415 M
( [RFC3566] Frankel, S. and H. Herbert, "The AES-XCBC-MAC-96 Algorithm) s
5 404 M
( and Its Use With IPsec", RFC 3566, DOI 10.17487/RFC3566,) s
5 393 M
( September 2003, <http://www.rfc-editor.org/info/rfc3566>.) s
5 371 M
( [RFC5856] Ertekin, E., Jasani, R., Christou, C., and C. Bormann,) s
5 360 M
( "Integration of Robust Header Compression over IPsec) s
5 349 M
( Security Associations", RFC 5856, DOI 10.17487/RFC5856,) s
5 338 M
( May 2010, <http://www.rfc-editor.org/info/rfc5856>.) s
5 316 M
( [RFC7427] Kivinen, T. and J. Snyder, "Signature Authentication in) s
5 305 M
( the Internet Key Exchange Version 2 \(IKEv2\)", RFC 7427,) s
5 294 M
( DOI 10.17487/RFC7427, January 2015, <http://www.rfc-) s
5 283 M
( editor.org/info/rfc7427>.) s
5 261 M
( [RFC7400] Bormann, C., "6LoWPAN-GHC: Generic Header Compression for) s
5 250 M
( IPv6 over Low-Power Wireless Personal Area Networks) s
5 239 M
( \(6LoWPANs\)", RFC 7400, DOI 10.17487/RFC7400, November) s
5 228 M
( 2014, <http://www.rfc-editor.org/info/rfc7400>.) s
5 184 M
(Authors' Addresses) s
5 151 M
( Shahid Raza) s
5 140 M
( SICS Swedish ICT AB \(SICS\)) s
5 129 M
( Isafjordsgatan 22, 16440 Kista) s
5 118 M
( SWEDEN) s
5 74 M
(Raza Expires April 14, 2016 [Page 10]) s
_R
S
%%Page: (11) 11
%%BeginPageSetup
_S
76 24 translate
/pagenum 11 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
/user_footer_p false def
%%EndPageSetup
5 668 M
(INTERNET DRAFT IPsec-for-6LoWPAN October 12, 2015) s
5 635 M
( Phone: +46-\(0\)768831797) s
5 624 M
( EMail: shahid@sics.se) s
5 591 M
( Simon Duquennoy) s
5 580 M
( SICS Swedish ICT AB \(SICS\)) s
5 569 M
( Isafjordsgatan 22, 16440 Kista) s
5 558 M
( SWEDEN) s
5 536 M
( Phone: +46-\(0\)702021482) s
5 525 M
( EMail: simonduq@sics.se) s
5 492 M
( Goeran Selander) s
5 481 M
( Ericsson) s
5 470 M
( Farogatan 6, 16480 Kista) s
5 459 M
( SWEDEN) s
5 437 M
( Email: goran.selander@ericsson.com) s
5 74 M
(Raza Expires April 14, 2016 [Page 11]) s
_R
S
%%Trailer
%%Pages: 11
%%DocumentNeededResources: font Courier-Bold Courier
%%EOF