
Techniques for improving the security and manageability of IPsec policy

Regular contribution, International Journal of Information Security

Abstract

We discuss the strengths and weaknesses of existing tools with respect to the Internet Protocol security (IPsec) name mapping problem: how to ensure a correct mapping between application-layer target names and network-layer target names. We show that DNSSEC is neither necessary nor sufficient for solving the IPsec name mapping problem. We describe design and implementation results for new techniques that are applicable to legacy applications to partially or completely solve the IPsec name mapping problem. As a corollary, we obtain programming recommendations that make it easier to apply these techniques. We show how the set of current IPsec policy parameters can usefully be expanded. We give a prototype of a modified lookup API and argue that the modified API is the preferred long-term solution to the IPsec name mapping problem. We also cover the implications for IPsec key management. Finally, we summarize the environments where IPsec is being used today and discuss which IPsec name mapping techniques are most appropriate for these environments.
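The name mapping problem the abstract describes, as an added toy model (this is not the paper's code or its proposed lookup API; the names, addresses and the security-association table are constructed): a legacy application resolves a target name to an address, the IPsec layer authenticates some peer identity for the security association that carries traffic to that address, and the mapping check asks whether that authenticated identity is the name the application actually wanted. With a forged resolver answer the packets still get IPsec protection, but to a peer whose identity does not match the application-layer target name.

```python
"""Toy model of the IPsec name-mapping check (constructed illustration)."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class SecurityAssociation:
    peer_addr: str   # network-layer target: the address the packets go to
    peer_id: str     # identity authenticated during IKE (assumed FQDN-type ID)

# Constructed sample data (documentation-only address ranges).
DNS_ANSWERS = {"mail.example.com": "192.0.2.10"}         # honest resolver answer
SPOOFED_ANSWERS = {"mail.example.com": "198.51.100.7"}   # forged resolver answer
SA_TABLE = {
    "192.0.2.10": SecurityAssociation("192.0.2.10", "mail.example.com"),
    "198.51.100.7": SecurityAssociation("198.51.100.7", "host7.example.net"),
}

def resolve(name: str, answers: dict) -> Optional[str]:
    """Name -> address, as a legacy application does via gethostbyname()."""
    return answers.get(name)

def ipsec_peer_identity(addr: str) -> Optional[str]:
    """Identity the IPsec layer authenticated for the SA to this address."""
    sa = SA_TABLE.get(addr)
    return sa.peer_id if sa else None

def names_match(app_name: str, peer_id: str) -> bool:
    """DNS names are case-insensitive; a trailing dot is the root label."""
    return app_name.rstrip(".").lower() == peer_id.rstrip(".").lower()

def connect(app_name: str, answers: dict) -> tuple:
    """Return (address used, True if the authenticated peer matches app_name)."""
    addr = resolve(app_name, answers)
    if addr is None:
        raise LookupError(app_name)
    peer_id = ipsec_peer_identity(addr)
    # An IPsec policy keyed only on address protects the packets either way;
    # only this comparison ties the protection to the application's target.
    return addr, peer_id is not None and names_match(app_name, peer_id)
```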



Corresponding author: Jonathan Trostle.

Cite this article

Trostle, J., Gossman, B. Techniques for improving the security and manageability of IPsec policy. Int J Inf Secur 4, 209–226 (2005). https://doi.org/10.1007/s10207-004-0064-6
