Abstract
We discuss the strengths and weaknesses of existing tools with respect to the Internet Protocol security (IPsec) name mapping problem: how to ensure a correct mapping between application-layer target names and network-layer target names. We show that DNSSEC is neither necessary nor sufficient for solving the IPsec name mapping problem. We describe design and implementation results for new techniques that are applicable to legacy applications to partially or completely solve the IPsec name mapping problem. As a corollary, we obtain programming recommendations that make it easier to apply these techniques. We show how the set of current IPsec policy parameters can usefully be expanded. We give a prototype of a modified lookup API and argue that the modified API is the preferred long-term solution to the IPsec name mapping problem. We also cover the implications for IPsec key management. Finally, we summarize the environments where IPsec is being used today and discuss which IPsec name mapping techniques are most appropriate for these environments.
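The name mapping problem the abstract describes can be made concrete with a small model. The following is an added illustration, not the prototype API or any code from the paper: the host names, addresses, resolver table and IPsec SA database are all constructed, and an SA is reduced to the peer address it protects plus the identity IKE authenticated for that peer. The naive path treats "an SA exists for the address I resolved" as proof of reaching the intended target; the checked path carries the application-layer name down and compares it with the authenticated peer identity, which catches a poisoned resolver answer without any reliance on DNSSEC.

```python
"""Constructed model of the IPsec name mapping problem (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SecurityAssociation:
    """Minimal IPsec SA model (assumption for this example): the peer address
    whose traffic it protects and the identity IKE authenticated for that peer,
    e.g. the FQDN carried in the IKE ID payload."""
    peer_addr: str
    authenticated_id: str


def canonical(name: str) -> str:
    """DNS names compare case-insensitively and with or without a trailing dot."""
    return name.lower().rstrip(".")


# Constructed resolver answers standing in for DNS.
DNS: Dict[str, str] = {
    "mail.example.com": "192.0.2.10",
    "attacker.example.net": "192.0.2.66",
}

# Same table after a hypothetical cache poisoning: the application-layer name
# now maps to the attacker's address.
POISONED_DNS: Dict[str, str] = {**DNS, "mail.example.com": "192.0.2.66"}

# Constructed SA database keyed by peer address. Both peers completed IKE with
# valid credentials; the attacker simply authenticated under its own name.
SAD: Dict[str, SecurityAssociation] = {
    "192.0.2.10": SecurityAssociation("192.0.2.10", "mail.example.com"),
    "192.0.2.66": SecurityAssociation("192.0.2.66", "attacker.example.net"),
}


def resolve(name: str, dns: Dict[str, str]) -> str:
    """Resolver lookup against the constructed table (raises on unknown names)."""
    return dns[canonical(name)]


def connect_naive(name: str, dns: Dict[str, str],
                  sad: Dict[str, SecurityAssociation]) -> Tuple[str, bool]:
    """Legacy application behaviour: resolve the name, pick the address, and
    consider the connection authenticated merely because IPsec protects it.
    Returns (address used, whether the application believes it is secure)."""
    addr = resolve(name, dns)
    return addr, addr in sad


def connect_checked(name: str, dns: Dict[str, str],
                    sad: Dict[str, SecurityAssociation]) -> Tuple[str, Optional[str]]:
    """Modified lookup: bind the application-layer target name to the identity
    that IKE actually authenticated for the network-layer address.
    Returns (address used, None on success or a reason for refusing)."""
    addr = resolve(name, dns)
    sa = sad.get(addr)
    if sa is None:
        return addr, "no IPsec SA protects traffic to this address"
    if canonical(sa.authenticated_id) != canonical(name):
        return addr, (f"IPsec peer at {addr} authenticated as "
                      f"{sa.authenticated_id}, expected {name}")
    return addr, None


if __name__ == "__main__":
    target = "mail.example.com"
    print("naive, honest DNS:   ", connect_naive(target, DNS, SAD))
    print("naive, poisoned DNS: ", connect_naive(target, POISONED_DNS, SAD))
    print("checked, honest DNS: ", connect_checked(target, DNS, SAD))
    print("checked, poisoned DNS:", connect_checked(target, POISONED_DNS, SAD))
```

With honest DNS both paths reach 192.0.2.10. With the poisoned table the naive path still reports "secure" because an SA to 192.0.2.66 exists, while the checked path refuses because the authenticated identity is attacker.example.net rather than the requested name; the check needs no DNSSEC, and DNSSEC alone would not have helped the naive path if the SA's identity were simply never consulted.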
Trostle, J., Gossman, B. Techniques for improving the security and manageability of IPsec policy. Int J Inf Secur 4, 209–226 (2005). https://doi.org/10.1007/s10207-004-0064-6