Trust management for IPsec
Source: ACM Transactions on Information and System Security (TISSEC)
Volume 5, Issue 2 (May 2002)
Pages: 95-118
Year of Publication: 2002
ISSN: 1094-9224
Publisher: ACM, New York, NY, USA
DOI: http://doi.acm.org/10.1145/505586.505587

ABSTRACT

IPsec is the standard suite of protocols for network-layer confidentiality and authentication of Internet traffic. The IPsec protocols, however, do not address the policies for how protected traffic should be handled at security end points. This article introduces an efficient policy management scheme for IPsec, based on the principles of trust management. A compliance check is added to the IPsec architecture that tests packet filters proposed when new security associations are created for conformance with the local security policy, based on credentials presented by the peer host. Security policies and credentials can be quite sophisticated (and specified in the trust-management language), while still allowing very efficient packet-filtering for the actual IPsec traffic. We present a practical portable implementation of this design, based on the KeyNote trust-management language, that works with a variety of UNIX-based IPsec implementations. Finally, we discuss some applications of the enhanced IPsec architecture.
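The compliance check the abstract describes, as an added illustration that is not the paper's code and not the KeyNote language or engine: a miniature trust-management evaluator in which the local policy and the credentials a peer presents are assertions with conditions over the attributes of a proposed security association, and the SA's packet filter is installed only if the peer's key turns out to be authorized for that attribute set. The key identifiers, the attribute names (esp_enc_alg, remote_filter_addr, local_filter_port, and so on), the addresses and the binary compliance value are all constructed for this example; KeyNote proper uses signed assertions in its own syntax and an ordered set of compliance values, and a real daemon would verify credential signatures before running the check.

```python
# Added illustration: a miniature trust-management compliance check for
# proposed IPsec security associations (SAs). It models the idea in the
# abstract (policy plus peer credentials decide whether a proposed SA and
# its packet filter are acceptable before anything is installed) but it is
# NOT KeyNote's syntax or engine and NOT the paper's implementation.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Action = Dict[str, str]          # attribute set describing the proposed SA


def attr(action: Action, name: str) -> str:
    """Undefined attributes read as the empty string (a KeyNote convention
    this model copies), so a condition on a missing field simply fails."""
    return action.get(name, "")


@dataclass(frozen=True)
class Assertion:
    authorizer: str                        # "POLICY" (local root) or a key id
    licensees: List[str]                   # any one of these keys is licensed
    conditions: Callable[[Action], bool]   # predicate over the action attributes
    note: str = ""                         # human-readable description


def compliance_check(assertions: List[Assertion], requester: str, action: Action) -> bool:
    """True iff `requester` is reachable from POLICY through assertions whose
    conditions all hold for `action`. Binary compliance values only (KeyNote
    has an ordered set); credential signatures are assumed already verified
    by the key-management daemon before the check runs."""
    authorized = {"POLICY"}
    changed = True
    while changed:                         # monotone closure over delegations
        changed = False
        for a in assertions:
            newly = set(a.licensees) - authorized
            if newly and a.authorizer in authorized and a.conditions(action):
                authorized |= newly
                changed = True
    return requester in authorized


# Constructed key identifiers (stand-ins for the public keys in credentials).
ADMIN, SUBADMIN = "key:admin", "key:subadmin"
PEER1, PEER2, STRANGER = "key:peer1", "key:peer2", "key:stranger"

# Local policy, the root of trust: only ADMIN may (directly or by delegation)
# authorize SAs, and only encrypted ESP ones.
LOCAL_POLICY = Assertion(
    authorizer="POLICY", licensees=[ADMIN],
    conditions=lambda a: attr(a, "app_domain") == "IPsec policy"
    and attr(a, "esp_present") == "yes"
    and attr(a, "esp_enc_alg") in ("aes", "3des"),
    note="ADMIN may authorize encrypted ESP SAs")

# Credentials a peer might present during key exchange. Each one narrows what
# its licensee may negotiate; every link of the chain must hold for the proposal.
CRED_PEER1 = Assertion(
    authorizer=ADMIN, licensees=[PEER1],
    conditions=lambda a: attr(a, "remote_filter_addr") == "192.0.2.10"
    and attr(a, "local_filter_port") in ("22", "443"),
    note="PEER1 at 192.0.2.10 may protect local ports 22 and 443")
CRED_SUBADMIN = Assertion(
    authorizer=ADMIN, licensees=[SUBADMIN],
    conditions=lambda a: attr(a, "remote_filter_addr").startswith("198.51.100."),
    note="SUBADMIN may authorize peers in 198.51.100.0/24")
CRED_PEER2 = Assertion(
    authorizer=SUBADMIN, licensees=[PEER2],
    conditions=lambda a: attr(a, "local_filter_port") == "443",
    note="PEER2 may protect local port 443")


def sa_proposal(remote_addr: str, local_port: str, enc_alg: str, esp: str = "yes") -> Action:
    """Attribute set for a proposed SA (constructed attribute names)."""
    return {"app_domain": "IPsec policy", "esp_present": esp,
            "esp_enc_alg": enc_alg, "esp_auth_alg": "hmac-sha1",
            "remote_filter_addr": remote_addr,
            "local_filter_addr": "203.0.113.5", "local_filter_port": local_port}


def negotiate(credentials: List[Assertion], peer: str, proposal: Action) -> Optional[Dict[str, str]]:
    """Run the check on a proposed SA once, at negotiation time; return the
    packet filter to install if compliant, or None to reject the proposal."""
    if not compliance_check([LOCAL_POLICY, *credentials], peer, proposal):
        return None
    return {"src": proposal["remote_filter_addr"], "dst": proposal["local_filter_addr"],
            "dport": proposal["local_filter_port"], "proto": "esp"}


if __name__ == "__main__":
    print(negotiate([CRED_PEER1], PEER1, sa_proposal("192.0.2.10", "22", "aes")))   # filter
    print(negotiate([CRED_PEER1], PEER1, sa_proposal("192.0.2.10", "22", "null")))  # None
    print(negotiate([CRED_SUBADMIN, CRED_PEER2], PEER2, sa_proposal("198.51.100.7", "443", "3des")))
```

The point of running the check when the SA is created rather than per packet is visible in the code: the evaluation walks a delegation chain and evaluates arbitrary predicates, which would be far too slow on the data path, but it happens once per negotiation, and what reaches the packet filter is a plain five-field rule. Note also that a credential cannot widen the policy: PEER1's credential says nothing about encryption, yet a proposal with a null cipher is still rejected because ADMIN is only authorized (by the local policy) for encrypted ESP, so the chain from POLICY to PEER1 never completes.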


REVIEW

Reviewer: Robert Edward Mahan

The addition of policy filters to handle traffic at security endpoints under the IP security (IPsec) protocols is described in this paper. It also introduces a policy management scheme for IPsec based on the principles of trust management. The sch  more...