Abstract
There is a strong consensus about the need for IPsec, although its use is not widespread for end-to-end communications. One of the main reasons for this is the difficulty of authenticating two end-hosts that share no secret and do not rely on a common Certification Authority. In this paper we propose a modification to IKE, named DNSSEC-to-IKE, that uses reverse DNS and DNSSEC to provide end-to-end authentication between Internet hosts that do not share any secret, without requiring the deployment of a new infrastructure. We perform a comparative analysis, in terms of requirements, provided security and performance, with state-of-the-art IKE authentication methods and with a recent proposal for IPv6 based on CGA. We conclude that DNSSEC-to-IKE enables the use of IPsec in a broad range of scenarios in which it was previously not applicable, at the price of offering slightly less security and incurring higher performance costs.
An erratum to this chapter can be found at http://dx.doi.org/10.1007/11915034_125.
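The lookup step the abstract describes, as an added example that is not code from the paper: the initiator maps the peer's IP address to its reverse-zone owner name, fetches a key record from a DNSSEC-validating resolver, and refuses to use the key unless the answer was validated. The abstract does not say which DNS record type carries the key, so the choice of the IPSECKEY record (RFC 4025 wire format), the parser, the zone contents and the placeholder key bytes below are all assumptions of this example.

```python
"""Peer-key lookup in the reverse DNS for a DNSSEC-to-IKE style exchange.

Added example, not code from the paper. Assumes the peer publishes its
public key under its reverse-zone name in an IPSECKEY record (RFC 4025);
the zone below is a constructed stand-in for a validating resolver's answer.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GATEWAY_NONE, GATEWAY_IPV4, GATEWAY_IPV6, GATEWAY_NAME = 0, 1, 2, 3
ALG_NONE, ALG_DSA, ALG_RSA = 0, 1, 2


@dataclass(frozen=True)
class IPSECKey:
    precedence: int
    gateway_type: int
    algorithm: int
    gateway: Optional[str]
    public_key: bytes


def reverse_name(addr: str) -> str:
    """Owner name queried for a peer address: 38.2.0.192.in-addr.arpa. for
    IPv4, the nibble-reversed form under ip6.arpa. for IPv6."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def _read_name(data: bytes, off: int) -> Tuple[str, int]:
    """Decode an uncompressed wire-format domain name (RFC 4025 forbids
    compression pointers in the gateway field)."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in IPSECKEY gateway")
        labels.append(data[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def parse_ipseckey(rdata: bytes) -> IPSECKey:
    """Parse IPSECKEY RDATA: precedence(1) gateway-type(1) algorithm(1)
    gateway(variable) public-key(remainder)."""
    if len(rdata) < 3:
        raise ValueError("IPSECKEY RDATA too short")
    precedence, gw_type, alg = rdata[0], rdata[1], rdata[2]
    off = 3
    if gw_type == GATEWAY_NONE:
        gateway = None
    elif gw_type == GATEWAY_IPV4:
        if len(rdata) < off + 4:
            raise ValueError("truncated IPv4 gateway")
        gateway = str(ipaddress.IPv4Address(rdata[off:off + 4]))
        off += 4
    elif gw_type == GATEWAY_IPV6:
        if len(rdata) < off + 16:
            raise ValueError("truncated IPv6 gateway")
        gateway = str(ipaddress.IPv6Address(rdata[off:off + 16]))
        off += 16
    elif gw_type == GATEWAY_NAME:
        gateway, off = _read_name(rdata, off)
    else:
        raise ValueError(f"unknown gateway type {gw_type}")
    key = rdata[off:]
    if alg != ALG_NONE and not key:
        raise ValueError("algorithm set but no public key present")
    return IPSECKey(precedence, gw_type, alg, gateway, key)


# Constructed stand-in for a validating resolver: owner name ->
# (answer was DNSSEC-validated, list of IPSECKEY RDATA blobs).
Zone = Dict[str, Tuple[bool, List[bytes]]]


def peer_key_for(addr: str, zone: Zone) -> Optional[IPSECKey]:
    """Return the key to authenticate the peer with, or None if none can be
    trusted. An unvalidated answer is no better than an unauthenticated IKE
    peer, so it is rejected outright; among validated records the lowest
    precedence value wins, as RFC 4025 specifies."""
    validated, rdatas = zone.get(reverse_name(addr), (False, []))
    if not validated:
        return None
    keys = [k for k in map(parse_ipseckey, rdatas) if k.algorithm in (ALG_DSA, ALG_RSA)]
    return min(keys, key=lambda k: k.precedence) if keys else None


# Placeholder key bytes, constructed for the example; not a real RSA key.
FAKE_RSA_KEY = b"\x03\x01\x00\x01" + bytes(range(1, 33))

SAMPLE_ZONE: Zone = {
    # Validated answer with two records; precedence 10 must be chosen.
    reverse_name("192.0.2.38"): (True, [
        bytes([20, GATEWAY_NAME, ALG_RSA]) + b"\x02gw\x07example\x03net\x00" + FAKE_RSA_KEY,
        bytes([10, GATEWAY_NONE, ALG_RSA]) + FAKE_RSA_KEY,
    ]),
    # Same record shape, but the answer carried no DNSSEC validation: rejected.
    reverse_name("2001:db8::1"): (False, [bytes([10, GATEWAY_NONE, ALG_RSA]) + FAKE_RSA_KEY]),
}

if __name__ == "__main__":
    for peer in ("192.0.2.38", "2001:db8::1", "198.51.100.7"):
        print(reverse_name(peer), "->", peer_key_for(peer, SAMPLE_ZONE))
```

The validated flag stands in for whatever the real IKE daemon uses to learn that a DNSSEC chain was checked (a local validating resolver, or the AD bit from a resolver it trusts over a protected channel); an IKE peer that accepted the record without that check would be authenticating against plain DNS, which is the attack the paper's design is meant to close.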
© 2006 Springer-Verlag Berlin Heidelberg
Merino, P.J.M., García-Martínez, A., Organero, M.M., Kloos, C.D. (2006). Enabling Practical IPsec Authentication for the Internet. In: Meersman, R., Tari, Z., Herrero, P. (eds) On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops. OTM 2006. Lecture Notes in Computer Science, vol 4277. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11915034_63
DOI: https://doi.org/10.1007/11915034_63
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-48269-7
Online ISBN: 978-3-540-48272-7
eBook Packages: Computer Science (R0)