Hindering Eavesdropping via IPv6 Opportunistic Encryption

Claude Castelluccia¹, Gabriel Montenegro², Julien Laganier²,³, and Christoph Neumann¹

¹ INRIA Rhône-Alpes, 655 Avenue de l'Europe, 38334 Saint Ismier CEDEX, France
{claude.castelluccia,christoph.neumann}@inrialpes.fr
² Sun Labs, Europe, 180 Avenue de l'Europe, 38334 Saint Ismier CEDEX, France
{gab,ju}@sun.com
³ LIP (UMR #5668 CNRS/ENS Lyon/INRIA/UCB Lyon), 46, Allée d'Italie, 69007 Lyon, France

Abstract. This paper presents an opportunistic encryption scheme strictly layered on top of IPv6. Assuming that a node needs to send data toward another node, our proposal enables the dynamic configuration of an encrypted tunnel between the two nodes' IPsec gateways. The main contribution of this paper is to propose a solution that is fully distributed and does not rely on any global Trusted Third Party (such as DNSSEC or a PKI). The IPsec gateways are discovered using IPv6 anycast, and they derive authorization from authorization certificates and Crypto-Based Identifiers (CBIDs). The result is a robust and easily deployable opportunistic encryption service for IPv6.

Keywords: Security, IPv6, Opportunistic Encryption, IPsec, CBID, delegation, IKE.

1 Introduction

Because of its massive and widespread use, it is easy to overlook that the Internet remains a very hostile environment. Given that most packets are sent in the clear, there is a strong incentive, for legitimate as well as illegitimate reasons, to install wiretaps [1] or to carry out passive eavesdropping. While end-to-end encryption is arguably the best solution for those concerned, it is currently not practical for several reasons: (1) most current hosts do not implement any encryption algorithms, (2) these can be quite expensive and prohibitive for constrained devices, and (3) end-to-end encryption requires a key management infrastructure which does not exist today.

Opportunistic encryption is a practical solution to this problem. It allows secure (encrypted, authenticated) communication without connection-by-connection pairwise pre-arrangement. To accomplish further ease of use, instead of end-to-end encryption, special security gateways can intercept packets and encrypt them for their traversal over the general Internet. The main idea is that the local security gateway intercepts an outgoing packet addressed to a remote

P. Samarati et al. (Eds.): ESORICS 2004, LNCS 3193, pp. 309–321, 2004. © Springer-Verlag Berlin Heidelberg 2004