On Realizing Traffic-Driven Security Association Establishment for IPSec

Date

1999-05-26

Abstract

The rapid growth of the Internet in the past few years has led to an exponential increase in network traffic. As more and more organizations connect to the Internet, the security of the network and the applications that use it has become an important concern in the Internet community. The IP Security architecture (IPSec), proposed by the Internet Engineering Task Force (IETF), is aimed at providing security services to the network traffic at the IP layer. The key aspect of secure communication between two machines in IPSec is the establishment of a Security Association (SA). A Security Association is a one-way relation between the sender and the receiver that provides security services to the traffic carried on it. Current implementations of IPSec provide support for the establishment of only static SAs, i.e. they require that the SAs be established before any other network traffic starts to flow between the sender and the receiver. These static SAs may be sufficient for applications such as the Virtual Private Network (VPN), where only a few SAs are needed. But certain advanced security applications potentially require the establishment and teardown of a large number of SAs dynamically. SA-establishment is a computation-intensive job, and such advanced security applications would benefit if SAs are established only when (and if) there is network traffic between the sender and the receiver. This thesis deals with the motivation, design, software implementation and the performance measurement of a traffic-driven approach to dynamic IPSec SA-establishment. Towards this, the design and implementation of a utility program, called DIANA, is presented. DIANA adds traffic-driven SA-establishment functionality to an existing implementation of IPSec called FreeS/WAN. DIANA maintains a Security Policy Database (SPdb), which specifies the policies that determine the processing of all outbound IP traffic.
DIANA provides traffic-driven SA-establishment by intercepting outgoing IP packets from the operating system kernel, matching them with policies specified in the SPdb and establishing the SAs if a matching policy is found. This thesis also presents some performance measurements for IP interception and DIANA. These measurements indicate that for most applications (notably those that use the Transmission Control Protocol (TCP)), the overhead of the traffic-driven approach to dynamic SA-establishment is minimal.
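The abstract describes the core loop of traffic-driven SA establishment: every outbound packet is matched against an ordered Security Policy Database, and a "protect" policy causes an SA to be negotiated only the first time traffic matches it. The following Python model, added here as an illustration and not code from DIANA or FreeS/WAN, shows that loop end to end. The policy set, the packets, the peer addresses and the SPI values are all constructed for the example, and the key exchange is replaced by a counter so that the number of negotiations can be observed directly.

```python
"""Added example (not DIANA or FreeS/WAN code): a minimal model of
traffic-driven IPsec SA establishment.  An ordered Security Policy
Database (SPD) is consulted for every outbound packet; the first matching
policy decides whether the packet is discarded, bypassed or protected.
A 'protect' policy triggers SA negotiation only for the first packet that
matches it; later packets reuse the cached SA."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int                     # 6 = TCP, 17 = UDP
    dport: Optional[int] = None


@dataclass(frozen=True)
class Selector:
    """Traffic selector of one SPD entry; None means 'any' for proto/dport."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src in self.src and pkt.dst in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass(frozen=True)
class Policy:
    name: str
    selector: Selector
    action: str                    # "protect", "bypass" or "discard"
    peer: Optional[str] = None     # gateway to negotiate with (hypothetical)


@dataclass(frozen=True)
class SA:
    spi: int
    peer: str
    policy: str


class TrafficDrivenSPD:
    def __init__(self, policies: List[Policy], negotiate: Callable[[Policy], SA]):
        self.policies = policies       # ordered list; first match wins
        self.negotiate = negotiate     # expensive step, called only on demand
        self.sad: Dict[str, SA] = {}   # established SAs, keyed by policy name

    def lookup(self, pkt: Packet) -> Optional[Policy]:
        for pol in self.policies:
            if pol.selector.matches(pkt):
                return pol
        return None

    def process_outbound(self, pkt: Packet) -> Tuple[str, Optional[SA]]:
        pol = self.lookup(pkt)
        if pol is None or pol.action == "discard":
            return "discard", None     # unmatched traffic is dropped, not leaked
        if pol.action == "bypass":
            return "bypass", None
        sa = self.sad.get(pol.name)
        if sa is None:                 # traffic-driven: first packet triggers setup
            sa = self.negotiate(pol)
            self.sad[pol.name] = sa
            return "protect (new SA)", sa
        return "protect", sa


def demo() -> Tuple[List[str], List[Optional[int]], int]:
    """Run constructed packets through a constructed SPD; returns the verdict
    per packet, the SPI used (None if unprotected) and the negotiation count."""
    negotiations = [0]

    def negotiate(policy: Policy) -> SA:       # stand-in for the key exchange
        negotiations[0] += 1
        return SA(spi=0x1000 + negotiations[0], peer=policy.peer, policy=policy.name)

    net, addr = ipaddress.IPv4Network, ipaddress.IPv4Address
    spd = TrafficDrivenSPD([
        Policy("ssh-bypass", Selector(net("10.0.0.0/8"), net("10.0.0.0/8"), 6, 22), "bypass"),
        Policy("to-branch", Selector(net("10.1.0.0/16"), net("10.2.0.0/16")), "protect", "198.51.100.1"),
        Policy("to-partner", Selector(net("10.1.0.0/16"), net("192.0.2.0/24"), 6, 443), "protect", "198.51.100.2"),
    ], negotiate)
    packets = [                                # constructed sample traffic
        Packet(addr("10.1.0.5"), addr("10.2.0.9"), 6, 80),     # first match: SA set up
        Packet(addr("10.1.0.5"), addr("10.2.0.9"), 6, 80),     # cached SA reused
        Packet(addr("10.1.0.7"), addr("10.2.3.4"), 17, 53),    # same policy, same SA
        Packet(addr("10.1.0.5"), addr("192.0.2.10"), 6, 443),  # second policy, second SA
        Packet(addr("10.1.0.5"), addr("192.0.2.10"), 6, 80),   # no policy: discarded
        Packet(addr("10.1.0.5"), addr("10.2.0.9"), 6, 22),     # earlier bypass entry wins
    ]
    results = [spd.process_outbound(p) for p in packets]
    return ([v for v, _ in results], [sa.spi if sa else None for _, sa in results], negotiations[0])
```

Two points worth noting from the model. Only two negotiations happen for six packets, because the SA is keyed on the policy rather than on the individual flow; this is the saving the abstract attributes to the traffic-driven approach. The SPD is also order-sensitive: the bypass entry for SSH is listed before the broader "to-branch" entry, and swapping them would silently protect SSH instead, so policy ordering belongs in review whenever an SPD is changed.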

Degree

MS

Discipline

Computer Science
