On Realizing Traffic-Driven Security Association Establishment for IPSec
dc.contributor.advisor | Dr. S. F. Wu, Chair | en_US |
dc.contributor.advisor | Dr. D. Reeves, Member | en_US |
dc.contributor.advisor | Dr. J. Rouskas, Member | en_US |
dc.contributor.author | Hayatnagarkar, Abhijit Nagnath | en_US |
dc.date.accessioned | 2010-04-02T18:11:23Z | |
dc.date.available | 2010-04-02T18:11:23Z | |
dc.date.issued | 1999-05-26 | en_US |
dc.degree.discipline | Computer Science | en_US |
dc.degree.level | Master's Thesis | en_US |
dc.degree.name | MS | en_US |
dc.description.abstract | The rapid growth of the Internet in the past few years has led to an exponential increase in the network traffic. As more and more organizations connect to the Internet, the security of the network and the applications that use it has become an important concern in the Internet community. The IP Security architecture (IPSec), proposed by the Internet Engineering Task Force (IETF), is aimed at providing security services to the network traffic at the IP layer. The key aspect of secure communication between two machines in IPSec is the establishment of a Security Association (SA). A Security Association is a one-way relation between the sender and the receiver that provides security services to the traffic carried on it. Current implementations of IPSec provide support for the establishment of only static SAs, i.e. they require that the SAs be established before any other network traffic starts to flow between the sender and the receiver. These static SAs may be sufficient for applications such as the Virtual Private Network (VPN), where only a few SAs are needed. But certain advanced security applications potentially require the establishment and teardown of a large number of SAs dynamically. SA-establishment is a computation-intensive job, and such advanced security applications would benefit if SAs are established only when (and if) there is network-traffic between the sender and the receiver. This thesis deals with the motivation, design, software implementation and the performance measurement of a traffic-driven approach to dynamic IPSec SA-establishment. Towards this, the design and implementation of a utility program, called DIANA, is presented. DIANA adds traffic-driven SA-establishment functionality to an existing implementation of IPSec called FreeS/WAN. DIANA maintains a Security Policy Database (SPdb), which specifies the policies that determine the processing of all outbound IP traffic.
DIANA provides traffic-driven SA-establishment by intercepting outgoing IP packets from the operating system kernel, matching them with policies specified in the SPdb and establishing the SAs if a matching policy is found. This thesis also presents some performance measurements for IP interception and DIANA. These measurements indicate that for most applications (notably those that use the Transmission Control Protocol (TCP)), the overhead of the traffic-driven approach to dynamic SA-establishment is minimal. | en_US |
dc.identifier.other | etd-19990517-155434 | en_US |
dc.identifier.uri | http://www.lib.ncsu.edu/resolver/1840.16/2220 | |
dc.rights | I hereby certify that, if appropriate, I have obtained and attached hereto a written permission statement from the owner(s) of each third party copyrighted matter to be included in my thesis, dissertation, or project report, allowing distribution as specified below. I certify that the version I submitted is the same as that approved by my advisory committee. I hereby grant to NC State University or its agents the non-exclusive license to archive and make accessible, under the conditions specified below, my thesis, dissertation, or project report in whole or in part in all forms of media, now or hereafter known. I retain all other ownership rights to the copyright of the thesis, dissertation or project report. I also retain the right to use in future works (such as articles or books) all or part of this thesis, dissertation, or project report. | en_US |
dc.title | On Realizing Traffic-Driven Security Association Establishment for IPSec | en_US |