On Realizing Traffic-Driven Security Association Establishment for IPSec

dc.contributor.advisor Dr. S. F. Wu, Chair en_US
dc.contributor.advisor Dr. D. Reeves, Member en_US
dc.contributor.advisor Dr. J. Rouskas, Member en_US
dc.contributor.author Hayatnagarkar, Abhijit Nagnath en_US
dc.date.accessioned 2010-04-02T18:11:23Z
dc.date.available 2010-04-02T18:11:23Z
dc.date.issued 1999-05-26 en_US
dc.identifier.other etd-19990517-155434 en_US
dc.identifier.uri http://www.lib.ncsu.edu/resolver/1840.16/2220
dc.description.abstract The rapid growth of the Internet in the past few years has led to an exponential increase in network traffic. As more and more organizations connect to the Internet, the security of the network and the applications that use it has become an important concern in the Internet community. The IP Security architecture (IPSec), proposed by the Internet Engineering Task Force (IETF), is aimed at providing security services to the network traffic at the IP layer. The key aspect of secure communication between two machines in IPSec is the establishment of a Security Association (SA). A Security Association is a one-way relation between the sender and the receiver that provides security services to the traffic carried on it. Current implementations of IPSec provide support for the establishment of only static SAs, i.e. they require that the SAs be established before any other network traffic starts to flow between the sender and the receiver. These static SAs may be sufficient for applications such as the Virtual Private Network (VPN), where only a few SAs are needed. But certain advanced security applications potentially require the establishment and teardown of a large number of SAs dynamically. SA-establishment is a computation-intensive job, and such advanced security applications would benefit if SAs are established only when (and if) there is network traffic between the sender and the receiver. This thesis deals with the motivation, design, software implementation and performance measurement of a traffic-driven approach to dynamic IPSec SA-establishment. Towards this, the design and implementation of a utility program, called DIANA, is presented. DIANA adds traffic-driven SA-establishment functionality to an existing implementation of IPSec called FreeS/WAN. DIANA maintains a Security Policy Database (SPdb), which specifies the policies that determine the processing of all outbound IP traffic.
DIANA provides traffic-driven SA-establishment by intercepting outgoing IP packets from the operating system kernel, matching them with policies specified in the SPdb and establishing the SAs if a matching policy is found. This thesis also presents some performance measurements for IP interception and DIANA. These measurements indicate that for most applications (notably those that use the Transmission Control Protocol (TCP)), the overhead of the traffic-driven approach to dynamic SA-establishment is minimal. en_US
dc.rights I hereby certify that, if appropriate, I have obtained and attached hereto a written permission statement from the owner(s) of each third party copyrighted matter to be included in my thesis, dissertation, or project report, allowing distribution as specified below. I certify that the version I submitted is the same as that approved by my advisory committee. I hereby grant to NC State University or its agents the non-exclusive license to archive and make accessible, under the conditions specified below, my thesis, dissertation, or project report in whole or in part in all forms of media, now or hereafter known. I retain all other ownership rights to the copyright of the thesis, dissertation or project report. I also retain the right to use in future works (such as articles or books) all or part of this thesis, dissertation, or project report. en_US
dc.title On Realizing Traffic-Driven Security Association Establishment for IPSec en_US
dc.degree.name MS en_US
dc.degree.level Master's Thesis en_US
dc.degree.discipline Computer Science en_US


Files in this item

Files Size Format
etd.pdf 682.3Kb PDF