Building an application-aware IPsec policy system

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Building an application-aware IPsec policy system

Full text

Pdf (1.60 MB)

Source

IEEE/ACM Transactions on Networking (TON) archive
Volume 15 , Issue 6 (December 2007) table of contents

Pages 1502-1513

Year of Publication: 2007

ISSN:1063-6692

Authors

Heng Yin	Department of Computer Science, College of William and Mary, Williamsburg, VA
Haining Wang	Department of Computer Science, College of William and Mary, Williamsburg, VA

Publisher

IEEE Press Piscataway, NJ, USA

Bibliometrics

Downloads (6 Weeks): 16, Downloads (12 Months): 208, Citation Count: 0

Additional Information:

abstract references index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	10.1109/TNET.2007.896536

ABSTRACT

As a security mechanism at the network-layer, the IP security protocol (IPsec) has been available for years, but its usage is limited to Virtual Private Networks (VPNs). The end-to-end security services provided by IPsec have not been widely used. To bring the IPsec services into wide usage, a standard IPsec API is a potential solution. However, the realization of a user-friendly IPsec API involves many modifications on the current IPsec and Internet Key Exchange (IKE) implementations. An alternative approach is to configure application-specific IPsec policies, but the current IPsec policy system lacks the knowledge of the context of applications running at upper layers, making it infeasible to configure application-specific policies in practice.

In this paper, we propose an application-aware IPsec policy system on the existing IPsec/IKE infrastructure, in which a socket monitor running in the application context reports the socket activities to the application policy engine. In turn, the engine translates the application policies into the underlying security policies, and then writes them into the IPsec Security Policy Data-base (SPD) via the existing IPsec policy management interface. We implement a prototype in Linux (Kernel 2.6) and evaluate it in our testbed. The experimental results show that the overhead of policy translation is insignificant, and the overall system performance of the enhanced IPsec is comparable to those of security mechanisms at upper layers. Configured with the application-aware IPsec policies, both secured applications at upper layers and legacy applications can transparently obtain IP security enhancements.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	[1] R. T. Morris, "A weakness in the 4.2 BSD UNIX TCP/IP software," AT&T Bell Laboratories, Murray Hill, NJ, Computing Science Tech. Rep. 117, Feb. 1985.
	2	Charlie Kaufman , Radia Perlman , Bill Sommerfeld, DoS protection for UDP-based protocols, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA [doi>10.1145/948109.948113]
	3	[3] S. Kent, "IP authentication header," Internet Engineering Task Force, RFC 4302, Dec. 2005.
	4	[4] S. Kent, "IP Encapsulating Security Payload (ESP)," Internet Engi neering Task Force, RFC 4303, Dec. 2005.
	5	S. Kent , R. Atkinson, Security Architecture for the Internet Protocol, RFC Editor, 1998
	6	D. Piper, The Internet IP Security Domain of Interpretation for ISAKMP, RFC Editor, 1998
	7	D. Harkins , D. Carrel, The Internet Key Exchange (IKE), RFC Editor, 1998
	8	D. Maughan , M. Schertler , M. Schneider , J. Turner, Internet Security Association and Key Management Protocol (ISAKMP), RFC Editor, 1998
	9	[9] J. Arkko and P. Nikander, "Limitations of IPsec policy mechanisms," in Proc. 11th Int. Workshop Security Protocols, Cambridge, U.K., Apr. 2003, pp. 241-251.
	10	[10] J. Ioannidis, "Why don't we still have IPsec, dammit," Invited Talk at USENIX Security Symp.'02, Aug. 2002.
	11	XiaoFeng Wang , Michael K. Reiter, Mitigating bandwidth-exhaustion attacks using congestion puzzles, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA [doi>10.1145/1030083.1030118]
	12	[12] M. Baugher, R. Canetti, L. Dondeti, and F. Lindholm, "Multicast Security (MSEC) group key management architecture," Internet Engineering Task Force, RFC 4046, Apr. 2005.
	13	[13] H. Harney, U. Meth, A. Colegrove, and G. Gross, "Group secure association key management protocol," Internet Engineering Task Force, RFC 4535, Jun. 2006.
	14	[14] C. Kaufman, "The Internet Key Exchange (IKEv2) protocol," Internet Engineering Task Force, RFC 4306, Dec. 2005.
	15	[15] W. Sommerfeld, "Requirements for an IPsec API," Internet Engineering Task Force, Internet Draft, Jun. 2003.
	16	[16] M. Litvin, R. Shamir, and T. Zegman, "A hybrid authentication mode for IKE," Internet Engineering Task Force, Internet Draft, Jun. 2001.
	17	[17] S. Beaulieu and R. Pereira, "Extended Authentication with IKE (XAUTH)," Internet Engineering Task Force, Internet Draft, Oct. 2001.
	18	William Aiello , Steven M. Bellovin , Matt Blaze , John Ioannidis , Omer Reingold , Ran Canetti , Angelos D. Keromytis, Efficient, DoS-resistant, secure key exchange for internet protocols, Proceedings of the 9th ACM conference on Computer and communications security, November 18-22, 2002, Washington, DC, USA [doi>10.1145/586110.586118]
	19	[19] D. McDonald, "A simple IP security API extension to BSD sockets," Internet Engineering Task Force, Internet Draft, Nov. 1996.
	20	[20] C. L. Wu, S. Wu, and R. Narayan, "IPSEC/PHIL (packet header information list): Design, implementation, and evaluation," in Proc. IEEE Int. Conf. Computer Communication and Networks '01, Scottsdale, AZ, Oct. 2001, pp. 206-211.
	21	[21] IPsec2k Library. [Online]. Available: http://sourceforge.net/projects/ ipsec2k
	22	[22] IP Security Policy Working Group. IETF [Online]. Available: http:// www.ietf.org/html.charters/ipsp-charter.html
	23	[23] M. Condell, C. Lynn, and J. Zao, Security policy specification language Internet Engineering Task Force, Internet Draft, Oct. 1998.
	24	Trust management for IPsec, ACM Transactions on Information and System Security (TISSEC), v.5 n.2, p.95-118, May 2002 [doi>10.1145/505586.505587]
	25	[25] Opportunistic Encryption. [Online]. Available: http://www.freeswan. org
	26	Stefan Miltchev , Sotiris Ioannidis , Angelos D. Keromytis, A Study of the Relative Costs of Network Security Protocols, Proceedings of the FREENIX Track: 2002 USENIX Annual Technical Conference, p.41-48, June 10-15, 2002
	27	[27] Stunnel-Universal ssl Wrapper. [Online]. Available: http://www. stunnel.org
	28	[28] KAME Project. [Online]. Available: http://www.kame.net.
	29	[29] PF_KEY Extensions for IPsec Policy Management in KAME Stack. [Online]. Available: http://www.kame.net/newsletter/20021210
	30	[30] C. Metz and B. Phan, "PF_KEY key management API version 2," Internet Engineering Task Force, RFC 2367, Oct. 2001.
	31	Gaurav Banga , Peter Druschel , Jeffrey C. Mogul, Resource containers: a new facility for resource management in server systems, Proceedings of the third symposium on Operating systems design and implementation, p.45-58, February 1999, New Orleans, Louisiana, United States
	32	Oliver Spatscheck , Larry L. Peterson, Defending against denial of service attacks in Scout, Proceedings of the third symposium on Operating systems design and implementation, p.59-72, February 1999, New Orleans, Louisiana, United States
	33	[33] IPsec Tools. [Online]. Available: http://ipsec-tools.sourceforge.net
	34	Stefan Saroiu , Krishna P. Gummadi , Richard J. Dunn , Steven D. Gribble , Henry M. Levy, An analysis of internet content delivery systems, Proceedings of the 5th symposium on Operating systems design and implementation Due to copyright restrictions we are not able to make the PDFs for this conference available for downloading , December 09-11, 2002, Boston, Massachusetts [doi>10.1145/1060289.1060319]