Security features for IPv6

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The IPv6 protocol for Microsoft® Windows Server 2003 family incorporates Internet Protocol security (IPSec), which provides protection of IPv6 data as it is sent over the network. IPSec is a set of Internet standards that uses cryptographic security services to provide the following:

  • Confidentiality

    IPSec traffic is encrypted. Captured IPSec traffic cannot be deciphered without the encryption key.

  • Authentication

    IPSec traffic is digitally signed with the shared encryption key so that the receiver can verify that it was sent by the IPSec peer.

  • Data integrity

    IPSec traffic contains a cryptographic checksum that incorporates the encryption key. The receiver can verify that the packet was not modified in transit.

For an example of configuring IPSec for IPv6, see Using IPSec between two local link hosts.

The IPv6 protocol for Windows Server 2003 family also provides support for temporary addresses. Temporary addresses provide a level of anonymity when accessing Internet resources. For more information about temporary addresses, see the section "Temporary address interface identifiers" in IPv6 interface identifiers.

Caution

  • This implementation of IPSec for IPv6 is not recommended for use in a production environment because it relies on static keying and has no provisions for updating keys upon sequence number reuse.
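Why static keying combined with sequence number reuse matters, as an added example (not Microsoft's code): a simplified Python model of an AH-style receiver that checks an HMAC-SHA1-96 integrity value and keeps a 64-packet anti-replay window. The SPI, keys, payload, and all function and class names are constructed for illustration, and re-creating the receiver stands in for the sequence counter starting over.

```python
import hashlib
import hmac
import struct

def icv_for(key, spi, seq, payload):
    # HMAC-SHA1 truncated to 96 bits over SPI, sequence number and payload.
    header = struct.pack("!II", spi, seq)
    return hmac.new(key, header + payload, hashlib.sha1).digest()[:12]

def seal(key, spi, seq, payload):
    return struct.pack("!II", spi, seq) + payload + icv_for(key, spi, seq, payload)

class ReceiverSA:
    """Receive side of one manually keyed SA (simplified model)."""
    WINDOW = 64

    def __init__(self, spi, key):
        self.spi, self.key = spi, key
        self.top, self.seen = 0, 0  # highest sequence accepted, window bitmap

    def accept(self, packet):
        spi, seq = struct.unpack("!II", packet[:8])
        payload, icv = packet[8:-12], packet[-12:]
        if spi != self.spi or not hmac.compare_digest(icv, icv_for(self.key, spi, seq, payload)):
            return False                      # wrong SA or failed integrity check
        if seq == 0 or seq + self.WINDOW <= self.top:
            return False                      # left of the window: too old
        if seq > self.top:                    # advances the window
            self.seen = ((self.seen << (seq - self.top)) | 1) & ((1 << self.WINDOW) - 1)
            self.top = seq
            return True
        bit = 1 << (self.top - seq)
        if self.seen & bit:
            return False                      # duplicate inside the window
        self.seen |= bit
        return True

def demo(rekey_on_reset):
    spi, old_key = 0x1001, b"constructed-static-key"   # constructed sample values
    rx = ReceiverSA(spi, old_key)
    recorded = seal(old_key, spi, 5, b"constructed payload")
    first = rx.accept(recorded)               # fresh packet
    replay = rx.accept(recorded)              # same packet again, same counter epoch
    # Counters start over (SA re-entered or sequence space exhausted).
    new_key = b"constructed-fresh-key" if rekey_on_reset else old_key
    rx = ReceiverSA(spi, new_key)
    after_reset = rx.accept(recorded)         # old packet presented to the reset SA
    return first, replay, after_reset

if __name__ == "__main__":
    print("static key:", demo(False))
    print("rekeyed   :", demo(True))
```

With the static key the old packet passes both the integrity check and the replay window once the counter has started over; with a fresh key its integrity value no longer verifies, which is the protection that key updates on sequence number reuse would supply.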

Notes

  • IPSec in IPv6 is separate from and not interoperable with IPSec for the TCP/IP protocol. IPSec policies that are configured with the IP Security Policies or Group Policy snap-ins have no effect on IPv6 traffic. For more information about IPSec for the TCP/IP protocol, see Internet Protocol Security (IPSec).

  • IPSec in the IPv6 protocol for Windows Server 2003 family does not support the use of data encryption for data confidentiality.

  • IPSec in the IPv6 protocol for Windows Server 2003 family does not support the use of Internet Key Exchange (IKE) to negotiate security associations (SAs). IPSec policies, SAs, and keys must be manually configured.