
Showing papers on "IPsec published in 2009"


Patent
22 Jul 2009
TL;DR: In this article, the authors describe an approach for providing differentiated services in the SIA by forwarding an IPSec packet received on the IPSec VPN tunnel from the user to a service node associated with SIA service based on the SADB entry modified using the service information.
Abstract: Apparatus, methods, and other embodiments associated with providing service insertion architecture (SIA) differentiated services in a virtual private network (VPN) environment are described. Embodiments may provision an authentication, authorization, and accounting (AAA) server with user-to-SIA service-context mapping information. With the AAA server provisioned, embodiments may acquire, in an IPSec VPN hub, during IPSec tunnel user authentication, from the AAA server, the user-to-SIA service-context mapping information. With the mapping information available, embodiments may dynamically map an SIA service to an IPSec VPN tunnel user based on the service information acquired from the Service Broker or Pseudo-Service Broker. The dynamic mapping facilitates providing differentiated services in the SIA by facilitating forwarding an IPSec packet received on the IPSec VPN tunnel from the user to a service node associated with the SIA service based, at least in part, on the IPSec SADB entry modified using the service information.

93 citations


Journal ArticleDOI
TL;DR: An overview of the key security issues is presented, which outlines the challenges in deploying and transitioning to IPv6.
Abstract: IPv6, the new version of the Internet protocol, has been developed to provide new services and to support the Internet's growth. This paper presents an overview of the key security issues, which outlines the challenges in deploying and transitioning to IPv6.

78 citations


Patent
Nir Nice1, Oleg Ananiev1, John F. Wohlfert1, Amit Finkelstein1, Alexander Teplitsky1 
27 Mar 2009
TL;DR: In this paper, the authors describe authentication for distributed secure content management systems, in which a request to access a resource available through the Internet is routed to a security component, one of a plurality of security components distributed throughout the Internet and responsible for authenticating entities associated with an enterprise.
Abstract: Aspects of the subject matter described herein relate to authentication for a distributed secure content management system. In aspects, a request to access a resource available through the Internet is routed to a security component. The security component is one of a plurality of security components distributed throughout the Internet and responsible for authenticating entities associated with an enterprise. The security component determines an authentication protocol to use with the entity and then authenticates the entity. If the entity is authenticated, the entity is allowed to use a forward proxy.

76 citations


Patent
16 Nov 2009
TL;DR: In this article, an access terminal that is connected to a network accesses a local network associated with a femto access point, and a first protocol tunnel is established between a security gateway and the femto AP.
Abstract: Multiple protocol tunnels (e.g., IPsec tunnels) are deployed to enable an access terminal that is connected to a network to access a local network associated with a femto access point. A first protocol tunnel is established between a security gateway and the femto access point. A second protocol tunnel is then established in either of two ways. In some implementations the second protocol tunnel is established between the access terminal and the security gateway. In other implementations the second protocol tunnel is established between the access terminal and the femto access point, whereby a portion of the tunnel is routed through the first tunnel.

42 citations


Journal Article
TL;DR: An overview of quantum key distribution (QKD), a secure key exchange method based on the quantum laws of physics rather than computational complexity, and the two most widely used commodity security protocols, IPsec and TLS are presented.
Abstract: We present an overview of quantum key distribution (QKD), a secure key exchange method based on the quantum laws of physics rather than computational complexity. We also provide an overview of the two most widely used commodity security protocols, IPsec and TLS. Pursuing a key exchange model, we propose how QKD could be integrated into these security applications. For such a QKD integration we propose a support layer that provides a set of common QKD services between the QKD protocol and the security applications.

40 citations


Journal ArticleDOI
01 Aug 2009
TL;DR: A flaw which has gone unnoticed in RFID protocol literature is exhibited and the resulting attacks on authentication, untraceability, and desynchronization resistance are presented.
Abstract: In the context of Dolev-Yao style analysis of security protocols, we investigate the security claims of a recently proposed RFID authentication protocol. We exhibit a flaw which has gone unnoticed in RFID protocol literature and present the resulting attacks on authentication, untraceability, and desynchronization resistance. We analyze and discuss the authors' proofs of security. References to other vulnerable protocols are given.

35 citations


Patent
16 Nov 2009
TL;DR: In this paper, a femto access point is connected to a network to access a local network associated with an access terminal, and a first protocol tunnel is established between a security gateway and the femto AP.
Abstract: Multiple protocol tunnels (e.g., IPsec tunnels) are deployed to enable an access terminal that is connected to a network to access a local network associated with a femto access point. A first protocol tunnel is established between a security gateway and the femto access point. A second protocol tunnel is then established in either of two ways. In some implementations the second protocol tunnel is established between the access terminal and the security gateway. In other implementations the second protocol tunnel is established between the access terminal and the femto access point, whereby a portion of the tunnel is routed through the first tunnel.

34 citations


Proceedings ArticleDOI
14 Jun 2009
TL;DR: This paper presents a node architecture enabling the parallel operation of different network architectures but also introduces algorithms for their selection at runtime, which allows for simplified Future Internet development.
Abstract: The current Internet architecture nicely structures functionality into layers of protocols. While this reduces complexity, many tweaks have emerged because of the architecture's limited flexibility. Cross Layer Functionality corrodes the layer boundaries, intermediate layers had to be introduced for protocols like MPLS and IPsec, and middleboxes - like in case of NAT - further complicate the interaction of protocols. To overcome these problems, many publications have proposed modular solutions or protocol composition, allowing software engineering ideas to improve protocol design. Other publications state that instead of choosing a single common network architecture for the Future Internet, it might be advantageous to run multiple different architectures in parallel. We combine both approaches and make it possible to rapidly create and run different network architectures in parallel. While this allows for simplified Future Internet development, it requires the network architecture to be dynamically chosen. This paper not only presents a node architecture enabling the parallel operation of different network architectures but also introduces algorithms for their selection at runtime.

28 citations


Patent
24 Nov 2009
TL;DR: In this paper, the authors propose a secure registration of a femto access point for trusted access to an operator-controlled network element, which is based on an IPsec security association received from a security gateway.
Abstract: Methods, apparatus, and systems to perform secure registration of a femto access point for trusted access to an operator-controlled network element. Method steps include establishing a security association for at least one said femto access point, making a request using the security association to an operator-controlled network element, which requests a secure registration credential from an authorizing component. The operator-controlled network element constructs a secure registration credential and sends the secure registration credential to the requesting femto access point, thus authorizing trusted access by the requesting femto access point to operator-controlled network elements. Embodiments include establishing a security association via an IPsec security association received from a security gateway which is within an operator-controlled domain and using an operator-controlled database of IPsec inner addresses. In some embodiments the femto access point conducts message exchanges using one or more IMS protocols and components, including call session control function elements, which elements in turn may authorize a femto access point within the IMS domain, or may access non-IMS network elements for authorization.

25 citations


Journal ArticleDOI
TL;DR: From the analysis, it is shown that TMSP is much more efficient than mobile IP in terms of the number of hops as well as overhead and the computational overhead for TMSP has minimal impact on packet transmission.
Abstract: Mobile IP enables IP mobility support for mobile node (MN), but it suffers from triangular routing, packet redirecting, increase in IP header size, and the need for new infrastructure support. This paper details an alternative to enable terminal mobility support for MN. This scheme does not suffer from triangular routing effect and does not require dedicated infrastructure support such as home agent. It also does not increase the size of the IP header and does not require redirection of packets. These benefits are enabled with a tradeoff, which requires modifications on MN and its correspondent node. It uses an innovative IP-to-IP address mapping method to provide IP address transparency for applications and taps on the pervasiveness of SIP as a location service. From our analysis, we show that TMSP is much more efficient than mobile IP in terms of the number of hops as well as overhead. Our prototype implementation also shows that TMSP provides seamless communication for both TCP and UDP connections and the computational overhead for TMSP has minimal impact on packet transmission.

24 citations


Proceedings ArticleDOI
25 Apr 2009
TL;DR: It is found that the three operating systems give different performance metric values for various combinations of the variables; Linux consumes the greatest network resources, but its VPN throughput values band together much more closely than in the Windows environment.
Abstract: Virtual Private Network (VPN) is commonly used in business situations to provide secure communication channels over public infrastructure such as the Internet. This is because these networks can be set up with a lower cost of ownership compared to other means of securing communications. VPN is a proven technology that does provide security strong enough for business use. However, performance of these networks is also important in that lowering network and server resources can lower costs and improve user satisfaction. In this research we evaluate performance of three operating systems (Windows Vista, Windows Server 2003 and Linux Fedora Core 6) on a test-bed set-up and observe their network performance with different VPN tunnel protocols and algorithms. It is found that the three operating systems give different performance metric values for various combinations of the variables. Linux consumes the greatest network resources; however, its VPN throughput values band together much more closely than in the Windows environment.

Patent
30 Dec 2009
TL;DR: In this article, a method of enabling host devices having an IPsec policy to communicate with one another via an IPv6 communication network was proposed, which includes the following steps: extracting a Media Access Control identifier (MAC ID) for a target host from a security policy for an IPv6 address for the target host, searching for the MAC ID of the target host in an Address Resolution Protocol (ARP) table on a source host, creating a temporal neighbor cache entry in a neighbor cache table, and enabling a security association between the source host and the target host based on the temporal neighbor
Abstract: A method of enabling host devices having an IPsec policy to communicate with one another via an IPv6 communication network, which includes the following steps: extracting a Media Access Control identifier (MAC ID) for a target host from a security policy for an IPv6 address for the target host; searching for the MAC ID of the target host in an Address Resolution Protocol (ARP) table on a source host; upon locating the MAC ID of the target host, creating a temporal neighbor cache entry in a neighbor cache table for the target host; and enabling a security association between the source host and the target host based on the temporal neighbor entry in the neighbor cache table, which allows IPv6 communications to be exchanged between the target host and the source host.

Patent
29 Oct 2009
TL;DR: In this paper, peer-to-peer IKE security association initiation request and initiation response messages are exchanged between the base stations using said pre-established security associations, which is a method of establishing a P2P IPSec security association between a pair of base stations located within the same or different radio access networks.
Abstract: A method of establishing a peer-to-peer IPSec security association between a pair of base stations located within the same or different radio access networks. The base stations communicate with a core network via the same or different security gateways of the core network using respective pre-established IPSec security associations. The method comprises exchanging peer-to-peer IKE security association initiation request and initiation response messages between the base stations using said pre-established security associations.

Proceedings Article
Miroslav Voznak1
23 Jul 2009
TL;DR: The paper explains how the implemented security mechanisms can affect RTP flows, and the results of analyzing voice over secure communication links based on TLS and IPsec, especially on the open-source solutions OpenVPN and Openswan, are presented.
Abstract: This paper deals with the impact of security on the bandwidth requirements of IP telephony. The results of analyzing voice over secure communication links based on TLS and IPsec, especially on the open-source solutions OpenVPN and Openswan, are presented. The paper explains how the implemented security mechanisms can affect RTP flows. The presented results are based on numerous experiments which have been performed in a real IP network. The ability to determine the bandwidth requirements of RTP flows is important for the proper design of VoIP communication. Key-Words: Bandwidth, RTP, TLS, IPsec

Proceedings Article
01 Jan 2009
TL;DR: The performance of the OPC UA security model at field device level is discussed, and implementing a security profile for authentication without encryption in OPC UA, or running OPC UA on IPSec without its own security profile, is proposed.
Abstract: This paper discusses the performance of the OPC UA security model at field device level. Process networks have traditionally been isolated networks, but today there is interest in integrating process networks with manufacturing and office networks. Remote management of field devices via the Internet is also gaining interest. This requires implementation of TCP/IP in field devices. However, this means process networks are no longer isolated, and attention must be paid to the security of process networks. OPC UA is a specification for data transfer in automation systems that can be used to integrate information, horizontally and vertically. Security has also been considered in OPC UA, but the security measures implemented by OPC UA are too heavy to be used in field devices. Thus, implementing a security profile for authentication without encryption in OPC UA, or running OPC UA on IPSec without its own security profile, is proposed.

Patent
Nir Nice1, Lee F. Walker1
06 Mar 2009
TL;DR: In this article, the Direct Access model supports IPv6 communication with IPsec and enforces Network Access Protection (NAP) health requirement policies for endpoints that are network clients.
Abstract: Native IPv6 capabilities are provided to an IPv4 network node, device, or endpoint using a hardware interface that supports network communication under a Direct Access model. The Direct Access model supports IPv6 communication with IPsec and enforces Network Access Protection (“NAP”) health requirement policies for endpoints that are network clients. A Direct Access-ready server is enabled using a hardware interface that implements IPv4 to IPv6 translation and optionally IPsec termination capability. A Direct Access-ready client is enabled using a hardware interface that implements IPv4 to IPv6 translation, IPsec termination capability, and which optionally provides NAP (Network Access Protection) capabilities for Direct Access-ready clients that are configured as mobile information appliances. The hardware interface may be implemented as a network interface card (“NIC”) or as a chipset.

Proceedings Article
01 Dec 2009
TL;DR: In this paper, a comparative study of the behavior of IPv4-only network with that of Dual Stack Transition Mechanism (DSTM) under various types of traffic patterns is carried out.
Abstract: IPv6 offers a variety of enhancements over IPv4, including increased addressing capacity, Quality of Service (QoS) provisioning, built-in security through IPSec and improved routing efficiency. But moving from the current version, IPv4, to the future version, IPv6, is not a straightforward process due to their incompatibility and will consume a significant amount of time. So for the coming years both protocols need to coexist. For the smooth interoperation of the two protocols, various well-defined transition mechanisms have been proposed so far. In this paper a comparative study of the behavior of an IPv4-only network with that of the Dual Stack Transition Mechanism (DSTM) under various types of traffic patterns is carried out. In the proposed DSTM-enabled network architecture, the hosts in the IPv4 network initiate connections with hosts in the IPv4 network over an integrated IPv4/IPv6 network. The performance metric considered in this work is mean end-to-end delay for both scenarios. Assessment of the mean end-to-end delay is performed on various applications like Real Audio (RA) and CBR over UDP and FTP over TCP. All the simulations are performed using Network Simulator 2 (ns-2).

Patent
09 Sep 2009
TL;DR: In this article, a reliable IKE message negotiation method, a device and a system thereof are described, wherein the method is applied to a system comprising first equipment and second equipment.
Abstract: The invention discloses a reliable IKE message negotiation method, a device and a system thereof, wherein the method is applied to a system comprising first equipment and second equipment. The method comprises the following steps: a. the first equipment judges whether a response message from the second equipment is received within a preset cycle after the first equipment sends a last negotiation message to the second equipment; and b. if the response message from the second equipment is judged to be received within the preset cycle, the first equipment establishes a security alliance (SA) immediately. The method, the device and the system can guarantee reliable establishment of the IKE SA and IPsec SA and reliable transmission of data messages encrypted according to the IPsec protocol when the network is in a poor state and the last message of message negotiation in the first stage or the second stage of IKE is missed or delayed.

Patent
15 Sep 2009
TL;DR: In this article, a method for configuring Internet Protocol Security (IPsec) protocol is presented, which includes configuring IPsec phase 1 Security Associations (SA) lifetimes and soft phase 2 SA lifetimes in a manner enabling efficient Dead Peer Detection recovery of secure communication between client and server in the event of a communication disruption.
Abstract: A method for configuring Internet Protocol Security (IPsec) protocol. The method includes configuring IPsec phase 1 Security Associations (SA) lifetimes and soft phase 2 SA lifetimes in a manner enabling efficient Dead Peer Detection recovery of secure communication between client and server in the event of a communication disruption and thereby preventing undesirable sustained periods of non-communication between client and server.

01 Oct 2009
TL;DR: This document specifies, abstractly, how to interface applications and transport protocols with IPsec so as to create "channels" by "latching" "connections" (packet flows) to certain IPsec Security Association parameters for the lifetime of the connections.
Abstract: This document specifies, abstractly, how to interface applications and transport protocols with IPsec so as to create "channels" by "latching" "connections" (packet flows) to certain IPsec Security Association (SA) parameters for the lifetime of the connections. This can be used to protect applications against accidentally exposing live packet flows to unintended peers, whether as the result of a reconfiguration of IPsec or as the result of using weak peer identity to peer address associations. Weak association of peer ID and peer addresses is at the core of Better Than Nothing Security (BTNS), thus connection latching can add a significant measure of protection to BTNS IPsec nodes. A model of connection latching is given.

Journal ArticleDOI
01 May 2009
TL;DR: The negative effect of adding security to VoIP networks has been measured for different simulation times using OPNET (Network Simulation Tool), and the results show that transmitting voice over IPsec increases the end-to-end delay, delay variation, packet loss and call setup time.
Abstract: The prevalence and ease of packet sniffing and other techniques for capturing packets on an IP-based network makes encryption a necessity for VOIP (Voice Over Internet Protocol). Security in VOIP is concerned both with protecting what a person says (by encryption) as well as to whom the person is speaking (by authentication). IPsec can be used to achieve both of these goals as long as it is applied with ESP (Encapsulating Security Payload) using the tunnel method. This secures the identities of both endpoints and protects the voice data from prohibited users once packets leave the corporate intranet. The incorporation of IPsec with IPv4 increases the availability of encryption; VOIPsec (VOIP using IPsec) helps reduce the threat of man-in-the-middle attacks, packet sniffers, and many types of voice traffic analysis. Combined with firewall implementations, IPsec makes VOIP more secure than a standard phone line. In this paper the negative effect of adding security to VoIP networks has been measured for different simulation times using OPNET (Network Simulation Tool). The results show that transmitting voice over IPsec increases the end-to-end delay, delay variation (jitter), packet loss and call setup time.

Proceedings ArticleDOI
22 Jun 2009
TL;DR: QoS assurance in DMVPN spoke-to-spoke deployment when using different routing protocols is discussed; it is determined that the least delay was obtained when RIP and EIGRP were applied when establishing the route.
Abstract: Dynamic Multipoint IPsec VPN (DMVPN) is an IPsec VPN solution in Cisco IOS Software. This paper discusses QoS assurance in DMVPN spoke-to-spoke deployment when using different routing protocols. The influence of tunnel creation on the delay of multiple packet flows in spoke-to-spoke connections was investigated by means of OPNET MODELER 10.5. The performance analysis allowed us to ascertain which of the routing protocols used for the DMVPN connection ensures the least delay. It is determined that the least delay was obtained when RIP (Routing Information Protocol) and EIGRP (Enhanced Interior Gateway Routing Protocol) were applied when establishing the route.

Proceedings ArticleDOI
24 Sep 2009
TL;DR: An enhanced 2-Pass optimistic anonymous RFID authentication protocol with forward security is proposed, and the result indicates this protocol does not increase the tag's cost and computation amount and can provide mutual authentication, untraceability and forward security, and protect from replay attack and desynchronization attack.
Abstract: Lightweight authentication protocols in the RFID system are necessary because the channel between the tag and reader is not secure and the tag has very limited computation resources, memory and power. Many researchers have proposed lightweight authentication protocols in order to provide some security properties, such as mutual authentication, untraceability etc. In this paper, we firstly analyze two lightweight authentication protocols, YA-TRAP and a 2-Pass optimistic anonymous RFID authentication protocol, and find their security drawbacks. Afterwards, we propose an enhanced 2-Pass optimistic anonymous RFID authentication protocol with forward security and analyze its properties. The result indicates this protocol does not increase the tag's cost and computation amount. Moreover, it can provide mutual authentication, untraceability and forward security, and protect from replay attack and desynchronization attack.

Proceedings ArticleDOI
15 Jun 2009
TL;DR: This paper presents a distributed authentication architecture for WLAN users providing instant network access without manual interactions, and supports terminal mobility across WLAN access points with the Host Identity Protocol (HIP), at the same time protecting the operator's infrastructure from external attacks.
Abstract: An increasing number of mobile devices, including smartphones, use WLAN for accessing the Internet. Existing WLAN authentication mechanisms are either disruptive, such as presenting a captive web page prompting for password, or unreliable, enabling a malicious user to attack a part of operator's infrastructure. In this paper, we present a distributed authentication architecture for WLAN users providing instant network access without manual interactions. It supports terminal mobility across WLAN access points with the Host Identity Protocol (HIP), at the same time protecting the operator's infrastructure from external attacks. User data sent over a wireless link is protected by the IPsec ESP protocol. We present our architecture design and implementation experience on two OpenWrt WLAN access points, followed by measurement results of the working prototype. The system is being deployed into pilot use in the city-wide panOULU WLAN.

Patent
19 Aug 2009
TL;DR: In this paper, the authors proposed a dynamic route obtaining method and equipment thereof, wherein the method is applied to local terminal equipment and opposite terminal equipment which are connected by using an IPSec channel of the layer-3 tunneling encryption protocol.
Abstract: The invention provides a dynamic route obtaining method and equipment thereof, wherein the method is applied to local terminal equipment and opposite terminal equipment which are connected by using an IPSec channel of the layer-3 tunneling encryption protocol. The method comprises the following steps: after the IPSec tunnel is successfully created, the local terminal equipment generates a routing message according to its own routing information; the local terminal equipment sends the routing message, which carries its routing information, to the opposite terminal equipment through the IPSec tunnel; and the local terminal equipment receives, through the IPSec tunnel, a routing message carrying the routing information of the opposite terminal equipment, sent by the opposite terminal equipment, and thereby obtains the routing information of the opposite terminal equipment. In the invention, the routing message is used for transmitting the routing information of the two ends of the IPSec tunnel, thus realizing dynamic route exchange between the two ends of the IPSec tunnel.

Proceedings ArticleDOI
06 Jan 2009
TL;DR: This paper has discussed different transition mechanisms from IPv4 to IPv6, and various security issues, as well as presented a comprehensive review of various security measures proposed by different researchers.
Abstract: Sharing of information and resources among different devices requires networking. As networks are expanding day by day, IPv6 is gaining more and more popularity. Different transition mechanisms have been established, and yet a lot of research is still to be carried out. Network security is another very important area of research and needs special attention in the era of network expansion. In this paper, we have discussed different transition mechanisms from IPv4 to IPv6, and various security issues as well. We have presented a comprehensive review of various security measures proposed by different researchers.

Proceedings ArticleDOI
14 Jun 2009
TL;DR: This paper proposes to prevent replay attacks by allowing packet-forwarding middleboxes to directly interact with end-hosts and proposes a method for strengthening the binding between the HIP authentication process and its payload channel with hash-chain-based authorization tokens for IPsec.
Abstract: Today, middleboxes such as firewalls and network address translators have advanced beyond simple packet forwarding and address mapping. They also inspect and filter traffic, detect network intrusion, control access to network resources, and enforce different levels of quality of service. The cornerstones for these security-related network services are end-host authentication and authorization. Using a cryptographic namespace for end-hosts simplifies these tasks since it gives them an explicit and verifiable identity. The Host Identity Protocol (HIP) is a key-exchange protocol that introduces such a cryptographic namespace for secure end-to-end communication. Although HIP was designed with middleboxes in mind, these cannot securely use its namespace because the on-path identity verification is susceptible to replay attacks. Moreover, the binding between HIP as an authentication protocol and IPsec as payload transport is insufficient because on-path middleboxes cannot securely map payload packets to a HIP association. In this paper, we propose to prevent replay attacks by allowing packet-forwarding middleboxes to directly interact with end-hosts. Also we propose a method for strengthening the binding between the HIP authentication process and its payload channel with hash-chain-based authorization tokens for IPsec. Our solution allows on-path middleboxes to efficiently leverage cryptographic end-host identities and integrates cleanly into existing standards.

Patent
05 Aug 2009
TL;DR: In this article, a method and an apparatus for transmitting an IP security message, which are applied in a network deployment comprising at least two apparatuses, is described. But the method is not suitable for large-scale networks.
Abstract: The invention relates to a method and an apparatus for transmitting an IP security message, which are applied in a network deployment comprising at least two apparatuses. A primary apparatus has a fixed public network IP address. An IPSec SA interface is additionally installed on each apparatus. Each IPSec SA interface is assigned private network IP addresses in the same network segment, and each IPSec SA interface is bound to the public network interface. The IPSec peer information configured on the secondary apparatus is the public network IP address of the primary apparatus. Dynamic routing protocols are started on each IPSec SA interface; a message is started at the IPSec SA interface of the secondary apparatus, IPSec SA negotiation is carried out with the primary apparatus, and a packet forwarding list item comprising an IPSec connection identifier and the IP address of the IPSec SA interface of the opposite terminal device is established; and the apparatus encrypts and encapsulates the message in accordance with the forwarding list item. The invention expands the application range of an IPSec tunnel.

Proceedings Article
08 Jun 2009
TL;DR: VoIP quality when using IPsec with IPv6, 6to4, and NAT in VPNs during the IPv4/IPv6 transition is not significantly different from using IPsec with IPv4, and there is a minimal impact on voice quality as long as the network capacity is not exceeded.
Abstract: We conduct experiments in a LAN environment to determine the impact of IPsec and 6to4 encapsulation on VoIP quality in future IPv6 networks. We measure VoIP performance in the presence of varying background traffic for each of four IPsec scenarios with IPv6 and 6to4 encapsulation, with and without NAT, and compare with IPv4. The scenarios reflect situations commonly encountered in today's VPNs including no-security (i.e., traffic bypasses IPsec), network-to-network (i.e., an IPsec VPN between corporate sites), client-to-network (i.e., remote user access to a corporate network via IPsec tunnels), and client-to-client (i.e., IPsec transport mode for secure end-to-end communication). We use the popular Openswan implementation of IPsec and focus on ESP with the authentication option. The measures used for evaluating VoIP performance are delta (packet inter-arrival time), jitter, packet loss, throughput, and MOS. Our results demonstrate that VoIP quality due to using IPsec with IPv6, 6to4, and NAT in VPNs during the IPv4/IPv6 transition is not significantly different from using IPsec with IPv4, and that there is a minimal impact on voice quality as long as the network capacity is not exceeded.

Patent
01 Jun 2009
TL;DR: In this paper, the authors describe an approach to detect, repair and recover automatically IPSec tunnels due to failures of transport gear (L2/L3 switches) as well as the IPsec gateway components.
Abstract: Embodiments described herein are effective to detect, repair and recover automatically IPSec tunnels due to failures of transport gear (L2/L3 switches) as well as the IPsec gateway components. Load balance is also an integral part of the approach. When a failure is repaired, the architecture in various embodiments will re-establish load balance and high availability automatically at L2 and L3 and preserve security during the switch-over and recovery process.