Showing papers on "IPsec published in 2018"


Journal ArticleDOI
01 Feb 2018
TL;DR: Results prove the feasibility of an end-to-end hardware security solution for IoT, that operates at the adaptation layer, without incurring much overhead.
Abstract: 6LoWPAN has radically changed the IoT (Internet of Things) landscape by seeking to extend the use of IPv6 to smart and tiny objects. Enabling efficient IPv6 communication over IEEE 802.15.4 LoWPAN radio links requires high end-to-end security rules. The IEEE 802.15.4 MAC layer implements several security features offering hardware hop-by-hop protection for exchanged frames. In order to provide end-to-end security, researchers focus on lightweighting variants of existing security solutions such as IPSec that operates on the network layer. In this paper, we introduce a new security protocol referred to as “6LowPSec”, providing a propitious end-to-end security solution but functioning at the adaptation layer. 6LowPSec employs existing hardware security features specified by the MAC security sublayer. A detailed campaign is presented that evaluates the performances of 6LowPSec compared with the lightweight IPSec. Results prove the feasibility of an end-to-end hardware security solution for IoT, that operates at the adaptation layer, without incurring much overhead.

56 citations


Journal ArticleDOI
TL;DR: The article presents and motivates the design choices of protocol architectures, procedures, mobility, and security, and proposes flow control algorithms suitable for both technologies, which aim at the best usage of licensed and unlicensed spectrum.
Abstract: The use of license-exempt bands offers a promising opportunity to additionally enhance operator networks to meet the future traffic demand. The recent specification efforts in 3GPP have resulted in two major aggregation features that enable LTE networks to benefit from unlicensed spectrum via WLAN. In this article, we provide a thorough overview of these features known as, LTE-WLAN aggregation (LWA) and LTE-WLAN radio level integration with IP security tunnel (LWIP). The article presents and motivates the design choices of protocol architectures, procedures, mobility, and security. It also proposes flow control algorithms suitable for both technologies, which aim at the best usage of licensed and unlicensed spectrum. Simulation results show the performance unveiling the potential gains of these features in different load conditions, also in a comparative manner, showing that LWA substantially outperforms LWIP.

38 citations


Journal ArticleDOI
TL;DR: This work designs a biometric based authentication and key agreement protocol for WSNs and uses the BAN logic technique to show the correctness of mutual authentication, and adopts an informal analysis to discuss the resistance of proposed scheme against various possible attacks on authentication protocols.
Abstract: Wireless sensor networks (WSNs) comprise of distributed sensors. The collected information available at the sensor is provided to the users who are permitted to get access. The information is transmitted in internet of things (IOT) environment, which can be eavesdropped. Thus, it is essential to ensure that only authorized shareholders can access the transmitted information. Authentication and key agreement protocols are developed to ensure confidentiality and security in IOT. We design a biometric based authentication and key agreement protocol for WSNs. To analyze the security of the proposed protocol, we use formal security proof, which shows that an attacker has a negligible probability of breaking the protocol security. We also use the BAN logic technique to show the correctness of mutual authentication. Additionally, we adopt an informal analysis to discuss the resistance of proposed scheme against various possible attacks on authentication protocols. Additionally, through the comparison of computational efficiency and security attributes with recent results, proposed protocol seems to be more appropriate for WSNs.

28 citations


Book ChapterDOI
02 Jul 2018
TL;DR: WireGuard as discussed by the authors is a recently proposed secure network tunnel operating at layer 3, which makes use of a key exchange component which combines long-term and ephemeral Diffie-Hellman values (along with optional preshared keys).
Abstract: WireGuard (Donenfeld, NDSS 2017) is a recently proposed secure network tunnel operating at layer 3. WireGuard aims to replace existing tunnelling solutions like IPsec and OpenVPN, while requiring less code, being more secure, more performant, and easier to use. The cryptographic design of WireGuard is based on the Noise framework. It makes use of a key exchange component which combines long-term and ephemeral Diffie-Hellman values (along with optional preshared keys). This is followed by the use of the established keys in an AEAD construction to encapsulate IP packets in UDP. To date, WireGuard has received no rigorous security analysis. In this paper, we rectify this. We first observe that, in order to prevent Key Compromise Impersonation (KCI) attacks, any analysis of WireGuard’s key exchange component must take into account the first AEAD ciphertext from initiator to responder. This message effectively acts as a key confirmation and makes the key exchange component of WireGuard a 1.5 RTT protocol. However, the fact that this ciphertext is computed using the established session key rules out a proof of session key indistinguishability for WireGuard’s key exchange component, limiting the degree of modularity that is achievable when analysing the protocol’s security. To overcome this proof barrier, and as an alternative to performing a monolithic analysis of the entire WireGuard protocol, we add an extra message to the protocol. This is done in a minimally invasive way that does not increase the number of round trips needed by the overall WireGuard protocol. This change enables us to prove strong authentication and key indistinguishability properties for the key exchange component of WireGuard under standard cryptographic assumptions.

28 citations


Journal ArticleDOI
TL;DR: This work proposes a node design to provide QKD-enhanced security in end-to-end services and analyzes the control plane requirements for service provisioning in transport networks.
Abstract: The nature of network services has drastically changed in recent years. New demands require new capabilities, forcing the infrastructure to dynamically adapt to new scenarios. Novel network paradigms, such as software-defined networking (SDN) and network functions virtualization, have appeared to provide flexibility for network management and services. The reliance on software and commoditized hardware of these new paradigms introduces new security threats and, consequently, one of the most desired capabilities is a strengthened security layer when connecting remote premises. On the other hand, traditional cryptographic protocols are based on computational complexity assumptions. They rely on certain mathematical problems (e.g., integer factorization, discrete logarithms, or elliptic curves) that cannot be efficiently solved using conventional computing. This general assumption is being revisited because of quantum computing. The creation of a quantum computer would put these protocols at risk and force a general overhaul of network security. Quantum key distribution (QKD) is a novel technique for providing synchronized sources of symmetric keys between two separated domains. Its security is based on the fundamental laws of quantum physics, which makes it impossible to copy the quantum states exchanged between both endpoints. Therefore, if implemented properly, QKD generates highly secure keys, immune to any algorithmic cryptanalysis. This work proposes a node design to provide QKD-enhanced security in end-to-end services and analyze the control plane requirements for service provisioning in transport networks. We define and demonstrate the necessary workflows and protocol extensions in different SDN scenarios, integrating the proposed solution into a virtual router providing QKD-enhanced IPsec sessions.

24 citations


Proceedings Article
01 Jan 2018
TL;DR: It is shown that reusing a key pair across different versions and modes of IKE can lead to cross-protocol authentication bypasses, enabling the impersonation of a victim host or network by attackers.
Abstract: IPsec enables cryptographic protection of IP packets. It is commonly used to build VPNs (Virtual Private Networks). For key establishment, the IKE (Internet Key Exchange) protocol is used. IKE exists in two versions, each with different modes, different phases, several authentication methods, and configuration options. In this paper, we show that reusing a key pair across different versions and modes of IKE can lead to cross-protocol authentication bypasses, enabling the impersonation of a victim host or network by attackers. We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA encrypted nonces are used for authentication. Using this exploit, we break these RSA encryption based modes, and in addition break RSA signature based authentication in both IKEv1 and IKEv2. Additionally, we describe an offline dictionary attack against the PSK (Pre-Shared Key) based IKE modes, thus covering all available authentication mechanisms of IKE. We found Bleichenbacher oracles in the IKEv1 implementations of Cisco (CVE-2018-0131), Huawei (CVE-2017-17305), Clavister (CVE-2018-8753), and ZyXEL (CVE-2018-9129). All vendors published fixes or removed the particular authentication method from their devices’ firmwares in response to our reports.

23 citations


Journal ArticleDOI
TL;DR: A new group security scheme, resilient end-to-end message protection (REMP), exploiting the following notions: long-term keys per-node that are given by REMP authentication server, encryption keys per message sent that are probabilistically derived from a long-term key, and end-to-end authenticators per message sent that consist of a message sender's identity and a message authentication code.
Abstract: Cyber-physical system (CPS) communications for safely and effectively operating a mission-critical infrastructure must be securely protected to prevent the infrastructure from becoming vulnerable. The protection scheme used must be resilient and light-weighted for CPS field devices having constrained computing and communicating resources, and also scalable for control servers associating with a large number of the field devices. In addition, CPS applications such as smart metering require end-to-end privacy protection. However, as shown in this paper, none of conventional security schemes comprehensively meets the above requirements; group security schemes scale well for a massive number of devices but are weak in terms of privacy protection and resilience; point-to-point security schemes such as IPsec inherently have resilience but are limited to address scalability and thinness requirements. Motivated by the limitations of conventional security schemes, we design new group security scheme, resilient end-to-end message protection (REMP), exploiting the following notions: long-term keys per-node that are given by REMP authentication server, encryption keys per message sent that are probabilistically derived from a long-term key, and end-to-end authenticators per message sent that consist of a message sender’s identity and a message authentication code. Compared with conventional group security schemes, we improve end-to-end security strength in terms of confidentiality, integrity, message source authentication, and key exposure resilience, while preserving scalability and extensibility.

22 citations


Proceedings ArticleDOI
23 Apr 2018
TL;DR: This paper shows that it is possible to train accurate machine learning models which can predict the type of traffic going through an IPsec or TOR tunnel based on features extracted from the encrypted streams.
Abstract: Internet applications rely on strong encryption techniques to protect the content of all communications between client and server. These encryption algorithms ensure that third parties are unable to obtain the plain text data but also make it hard for the network administrator to enforce restrictions on the types of traffic that are allowed. In this paper we show that we can train accurate machine learning models which can predict the type of traffic going through an IPsec or TOR tunnel based on features extracted from the encrypted streams. We use small, fast to execute machine learning models that work on small windows of data. This makes it possible to use our approach in real-time, for example as part of a Quality of Service (QoS) system.

19 citations


Journal ArticleDOI
TL;DR: This work proposes a partitioned enclave architecture targeting IPSec, TLS and SSL where the partitioned area ensures that the processor data-path is completely isolated from the secret-key memory.
Abstract: Internet protocol security (IPSec), secure sockets layer (SSL)/transport layer security (TLS) and other security protocols necessitate high throughput hardware implementation of cryptographic functions. In recent literature, cryptographic functions implemented in software, application specific integrated circuit (ASIC) and field programmable gate array (FPGA). They are not necessarily optimized for throughput. Due to the various side-channel based attacks on cache and memory, and various malware based exfiltration of security keys and other sensitive information, cryptographic enclave processors are implemented which isolates the cryptographically sensitive information like keys. We propose a partitioned enclave architecture targeting IPSec, TLS and SSL where the partitioned area ensures that the processor data-path is completely isolated from the secret-key memory. The security processor consists of a Trivium random number generator, Rivest–Shamir–Adleman (RSA), advanced encryption standard (AES) and KECCAK cryptos. We implement three different optimized KECCAK architectures. The processing element (PE) handles all communication interfaces, data paths, and control hazards of network security processor. The memory of KECCAK and AES communication is done via a direct memory access controller to reduce the PE overhead. The whole system is demonstrated by FPGA implementation using Vivado 2015.2 on Artix-7 (XC7A100T, CSG324). The performances of the implemented KECCAKs are better in terms of security, throughput and resource than the existing literature.

14 citations


Journal ArticleDOI
TL;DR: Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to "export-grade" Diffie-Hellman, is presented and a close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break.
Abstract: We investigate the security of Diffie-Hellman key exchange as used in popular Internet protocols and find it to be less secure than widely believed. First, we present Logjam, a novel flaw in TLS that lets a man-in-the-middle downgrade connections to "export-grade" Diffie-Hellman. To carry out this attack, we implement the number field sieve discrete logarithm algorithm. After a week-long precomputation for a specified 512-bit group, we can compute arbitrary discrete logarithms in that group in about a minute. We find that 82% of vulnerable servers use a single 512-bit group, and that 8.4% of Alexa Top Million HTTPS sites are vulnerable to the attack. In response, major browsers have changed to reject short groups. We go on to consider Diffie-Hellman with 768- and 1024-bit groups. We estimate that even in the 1024-bit case, the computations are plausible given nation-state resources. A small number of fixed or standardized groups are used by millions of servers; performing precomputation for a single 1024-bit group would allow passive eavesdropping on 18% of popular HTTPS sites, and a second group would allow decryption of traffic to 66% of IPsec VPNs and 26% of SSH servers. A close reading of published NSA leaks shows that the agency's attacks on VPNs are consistent with having achieved such a break. We conclude that moving to stronger key exchange methods should be a priority for the Internet community.

14 citations


Proceedings ArticleDOI
01 Feb 2018
TL;DR: Three types of most common VPNs are studied and a comparative study of their features, performance, security and a few other aspects are presented to help the users make their decision on choosing the correct VPN based on their need, speed, and cost.
Abstract: In today's world, the security and privacy of data that travels through the cyberspace have become an essential concern for the individual users and the organizations. Apart from this, the government of many countries has also imposed many censorship rules on the way their citizens should use the Internet. All this has resulted in VPNs (Virtual Private Network) becoming very popular as it allows the users and organizations to secure and circumvent their Internet connection to a great extent. In this paper, we mainly study three types of most common VPNs and present a comparative study of their features, performance, security and a few other aspects. We hope that our research will offer a clear understanding of the users and will help them make their decision on choosing the correct VPN based on their need and priority regarding security, speed, and cost.

Proceedings ArticleDOI
10 Aug 2018
TL;DR: This work explores security issues of the operational Wi-Fi calling services in three major U.S. operators’ networks using commodity devices and uncover four vulnerabilities which stem from improper standard designs, device implementation issues and network operation slips.
Abstract: All of four major U.S. operators have rolled out nationwide Wi-Fi calling services. They are projected to surpass VoLTE (Voice over LTE) and other VoIP services in terms of mobile IP voice usage minutes in 2018. They enable mobile users to place cellular calls over Wi-Fi networks based on the 3GPP IMS (IP Multimedia Subsystem) technology. Compared with conventional cellular voice solutions, the major difference lies in that their traffic traverses untrustful Wi-Fi networks and the Internet. This exposure to insecure networks may cause the Wi-Fi calling users to suffer from security threats. Its security mechanisms are similar to the VoLTE, because both of them are supported by the IMS. They include SIM-based security, 3GPP AKA (Authentication and Key Agreement), IPSec (Internet Protocol Security), etc. However, are they sufficient to secure Wi-Fi calling services? Unfortunately, our study yields a negative answer. In this work, we explore security issues of the operational Wi-Fi calling services in three major U.S. operators’ networks using commodity devices. We disclose that current Wi-Fi calling security is not bullet-proof. We uncover four vulnerabilities which stem from improper standard designs, device implementation issues and network operation slips. By exploiting them, we devise two proof-of-concept attacks: user privacy leakage and telephony harassment or denial of voice service (THDoS); they can bypass the security defenses deployed on both mobile devices and network infrastructure. We have confirmed their feasibility and simplicity using real-world experiments, as well as assessed their potential damages and proposed recommended solutions.

Proceedings ArticleDOI
24 Apr 2018
TL;DR: This paper proposes the first automated methodology for making formal deployment assessments for mitigation techniques at this scale, and applies the methodology to a large-scale scan of the Internet to assess how protocols like IPsec, DNSSEC, DANE, SMTP STS, SMTP over TLS and other mitigation techniques can be combined to improve the confidentiality of email users.
Abstract: Security in the Internet has historically been added post-hoc, leaving services like email, which, after all, is used by 3.7 billion users, vulnerable to large-scale surveillance. For email alone, there is a multitude of proposals to mitigate known vulnerabilities, ranging from the introduction of completely new protocols to modifications of the communication paths used by big providers. Deciding which measures to deploy requires a deep understanding of the induced benefits, the cost and the resulting effects. This paper proposes the first automated methodology for making formal deployment assessments. Our planning algorithm analyses the impact and cost-efficiency of different known mitigation strategies against an attacker in a formal threat model. This novel formalisation of an infrastructure attacker includes routing, name resolution and application level weaknesses. We apply the methodology to a large-scale scan of the Internet, and assess how protocols like IPsec, DNSSEC, DANE, SMTP STS, SMTP over TLS and other mitigation techniques like server relocation can be combined to improve the confidentiality of email users in 45 combinations of attacker and defender countries and nine cost scenarios. This is the first deployment analysis for mitigation techniques at this scale.

Book ChapterDOI
01 Jan 2018
TL;DR: The common threats in IPv4 and IPv6, security threats introduced by new features of IPv6, and transition threats are explained and analysed.
Abstract: IPv4 has been used for over 30 years. It has proved robust, interoperable, and easy to implement. The number of users is rising dramatically, and the growth and development of IPv6 are vital. This protocol provides many new features like larger address space, auto-configuration, QoS, IPsec, easier TCP/IP administration, mobility, etc. In addition to these features, IPv6 development brings new security issues; however, many attacks were inherited from IPv4, which harm IPv6 networks. Those attacks affect both IPv4 and IPv6 networks. This paper explains and analyses the common threats in IPv4 and IPv6, security threats introduced by new features of IPv6, and transition threats.

Proceedings ArticleDOI
01 Jun 2018
TL;DR: The direction towards achieving these accomplishments is to style and implement a protocol to suite answer for policy-based network administration, and methodologies for key administration and causing of IPsec in a very MANET.
Abstract: Nowadays, the incorporation of different function of the network, as well as routing, administration, and security, is basic to the effective operation of a mobile circumstantial network these days, in MANET thought researchers manages the problems of QoS and security severally. Currently, each the aspects of security and QoS influence negatively on the general performance of the network once thought-about in isolation. In fact, it will influence the exceptionally operating of QoS and security algorithms and should influence the important and essential services needed within the MANET. Our paper outlines 2 accomplishments via; the accomplishment of security and accomplishment of quality. The direction towards achieving these accomplishments is to style and implement a protocol to suite answer for policy-based network administration, and methodologies for key administration and causing of IPsec in a very MANET.

Journal ArticleDOI
TL;DR: The evaluation shows that T-IP has a much lower transmission overhead and connection latency compared with IPsec, including its resilience against the man-in-the-middle attack and DoS attack.
Abstract: IPsec has become an important supplement of IP to provide security protection. However, the heavyweight IPsec has a high transmission overhead and latency, and it cannot provide the address accountability. We propose the self-trustworthy and secure Internet protocol (T-IP) for authenticated and encrypted network layer communications. T-IP has the following advantages: (1) Self-Trustworthy IP address. (2) Low connection latency and transmission overhead. (3) Reserving the important merit of IP to be stateless. (4) Compatible with the existing TCP/IP architecture. We theoretically prove the security of our shared secret key in T-IP and the resistance to the known session key attack of our security-enhanced shared secret key calculation. Moreover, we analyse the possibility of the application of T-IP, including its resilience against the man-in-the-middle attack and DoS attack. The evaluation shows that T-IP has a much lower transmission overhead and connection latency compared with IPsec.

Patent
23 Nov 2018
TL;DR: In this paper, an encryption method for a power distribution automatic system is presented, where an IPSec (Internet Protocol Security) tunnel with a very high security coefficient is established between a security gateway and a terminal, so data transmission security of the PDA system in a network layer is kept; on the basis, bidirectional authentication is carried out between a master station and the terminal through adoption of an asymmetrical key, so security of bi-directional identity authentication is improved; and encryption transmission is employed after the verification is successful, so the data transmission protection level of the
Abstract: The invention discloses an encryption method for a power distribution automatic system. An IPSec (Internet Protocol Security) tunnel with a very high security coefficient is established between a security gateway and a terminal, so data transmission security of the power distribution automatic system in a network layer is kept; on the basis, bidirectional authentication is carried out between a master station and the terminal through adoption of an asymmetrical key, so security of bidirectional identity authentication is improved; and encryption transmission is employed after the verification is successful, so the data transmission security of the power distribution automatic system in an application layer is kept, double-data encryption of the power distribution automatic system in the network layer and the application layer is realized, a data security protection level of the power distribution automatic system is improved, and possibility that data is maliciously attacked is reduced. The invention also discloses an encryption device for the power distribution automatic system, a server and a computer readable memory medium which have the beneficial effects.

Proceedings ArticleDOI
03 Dec 2018
TL;DR: This paper analyzes the security of Wi-Fi Calling specifications and discovers several vulnerabilities that allow an adversary to track the location of users and perform DoS attacks, and proposes practical countermeasures to mitigate the existing vulnerabilities.
Abstract: Wi-Fi Calling, which is used to make and receive calls over the Wi-Fi network, has been widely adopted and deployed to extend the coverage and increase the capacity in weak signal areas by moving traffic from LTE to Wi-Fi networks. However, the security of Wi-Fi Calling mechanism has not been fully analyzed, and Wi-Fi Calling may inherently have greater security risks than conventional LTE calling. To provide secure connections with confidentiality and integrity, Wi-Fi Calling leverages the IETF protocols IKEv2 and IPSec. In this paper, we analyze the security of Wi-Fi Calling specifications and discover several vulnerabilities that allow an adversary to track the location of users and perform DoS attacks. By setting up a rogue access point in live testbed environment, we observe that user devices can leak the International Mobile Subscriber Identity (IMSI), despite it being encrypted. The leaked information can be further exploited for tracking user locations. We also discuss how these protocols are vulnerable to several denial of service attacks. To protect user privacy and services against these attacks, we propose practical countermeasures. We also present trade-off considerations that pose challenges for us to apply countermeasures to mitigate the existing vulnerabilities. Additionally, we propose to introduce corresponding amendments for future specifications of protocols to address these trade-offs.

01 Jan 2018
TL;DR: In this paper, the authors propose the first automated methodology for making formal deployment assessments of IPsec, DNSSEC, DANE, SMTP over TLS and other mitigation techniques like server relocation.
Abstract: Security in the Internet has historically been added post-hoc, leaving services like email, which, after all, is used by 3.7 billion users, vulnerable to large-scale surveillance. For email alone, there is a multitude of proposals to mitigate known vulnerabilities, ranging from the introduction of completely new protocols to modifications of the communication paths used by big providers. Deciding which measures to deploy requires a deep understanding of the induced benefits, the cost and the resulting effects. This paper proposes the first automated methodology for making formal deployment assessments. Our planning algorithm analyses the impact and cost-efficiency of different known mitigation strategies against an attacker in a formal threat model. This novel formalisation of an infrastructure attacker includes routing, name resolution and application level weaknesses. We apply the methodology to a large-scale scan of the Internet, and assess how protocols like IPsec, DNSSEC, DANE, SMTP over TLS and other mitigation techniques like server relocation can be combined to improve the confidentiality of email users in 45 combinations of attacker and defender countries and nine cost scenarios. This is the first deployment analysis for mitigation techniques at this scale.

Proceedings ArticleDOI
01 Oct 2018
TL;DR: This paper implements the DMVPN technique to construct a secure enterprise network for an organization and employs hot standby routing protocol (HSRP) to overcome the unavailability and failure of a certain network.
Abstract: The purpose of this work is to improve the availability and remote access for secure enterprise network infrastructure by using dual hub dual DMVPN (Dynamic Multipoint VPN). Using multipoint GRE (mGRE) over IPsec, data transmission in the enterprise network is highly reliable and secured. DMVPN is a technology that can be associated with different protocol concepts such as IPsec encryption, next hop resolution protocol (NHRP), generic routing encapsulation (GRE) and it provides dynamic and static IPsec tunnels between spoke to the hub, spoke to spoke communication. In this paper, we implement the DMVPN technique to construct a secure enterprise network for an organization and employ hot standby routing protocol (HSRP) to overcome the unavailability and failure of a certain network. The simulation was done by GNS3 and packets were captured by Wireshark software. It was revealed by the test that DMVPN technology with HSRP protocols completely fulfills the demand of availability that is vital for any enterprise. It offers a faster mode, highly efficient and practically valued venture and also provides accessibility by keeping the network always in an up state, thereby facilitating the building of a safer and highly dependable network infrastructure.

Proceedings ArticleDOI
01 Aug 2018
TL;DR: It is pointed out that for future data centers it is beneficial to rely on HW acceleration in terms of speed and energy efficiency for applications like IPsec.
Abstract: Line-rate speed requirements for performance hungry network applications like IPsec are getting problematic due to the virtualization trend. A single virtual network application hardly can provide 40 Gbps operation. This research considers the IPsec packet processing without IKE to be offloaded on an FPGA in a network. We propose an IPsec accelerator in an FPGA and explain the details that need to be considered for a production ready design. Based on our evaluation, Intel Arria 10 FPGA can provide 10 Gbps line-rate operation for the IPsec accelerator and to be responsible for 1000 IPsec tunnels. The research points out that for future data centers it is beneficial to rely on HW acceleration in terms of speed and energy efficiency for applications like IPsec.

Proceedings ArticleDOI
01 Jan 2018
TL;DR: A Multiple Core architecture and a DMA bus connectivity is proposed to increase the processing speed of encryption and authentication cores in high speed IPSec security systems that meet real-time applications.
Abstract: In this paper, we propose a Multiple Core architecture and a DMA bus connectivity to increase the processing speed of encryption and authentication cores in high speed IPSec security systems. Dynamic partial reconfiguration technology (DPR) is used to reduce FPGA resources and power consumption on chips. This paper proposes a model for high-speed Multiple-IPSec security systems that meet real-time applications. The system throughput, power consumption, and resources used when applying Multiple-Core and DPR architectures are also calculated.

Proceedings ArticleDOI
30 May 2018
TL;DR: In this article, the authors present the ACE IPsec profile, which specifies how a client establishes a secure IPsec channel with a resource server, contextually using the ACE framework to enforce authorized access to remote resources.
Abstract: The Authentication and Authorization for Constrained Environments (ACE) framework provides fine-grained access control in the Internet of Things, where devices are resource-constrained and with limited connectivity. The ACE framework defines separate profiles to specify how exactly entities interact and what security and communication protocols to use. This paper presents the novel ACE IPsec profile, which specifies how a client establishes a secure IPsec channel with a resource server, contextually using the ACE framework to enforce authorized access to remote resources. The profile makes it possible to establish IPsec Security Associations, either through their direct provisioning or through the standard IKEv2 protocol. We provide the first Open Source implementation of the ACE IPsec profile for the Contiki OS and test it on the resource-constrained Zolertia Firefly platform. Our experimental performance evaluation confirms that the IPsec profile and its operating modes are affordable and deployable also on constrained IoT platforms.

Book ChapterDOI
01 Jan 2018
TL;DR: An algorithm to authenticate and authorize when a new device gets added to the existing network is proposed and the results are proven to be efficient and secure.
Abstract: Internet of Things (IoT) is an interconnection of tiny real-world objects using sensors, actuators, and software designed for exchanging data and controlling them. It invades the business landscape on a massive scale, integrating heterogeneous devices. Some of the applications include media, environmental monitoring, infrastructure and energy management, medical, healthcare system, and transportation. Earlier, in these applications, the primary issue was handling efficient communication among the interconnected devices to have an extended network lifetime. Nowadays, as data grows rapidly in the IoT, security and privacy are also a major issue to be concentrated on in these applications to reduce vulnerabilities. Recent studies show that the existing IP security protocols and algorithms have technical limitations in applying them to the context of the Internet of Things. In particular, when a new device enters an existing secured network, the network should ensure that the new device is authenticated and authorized properly with respect to the properties of the existing network. Otherwise, similar to other networks, an IoT network will also be subjected to various attacks such as physical attacks, service disruption attacks, data attacks, and denial-of-service attacks. Hence, in this work, an algorithm to authenticate and authorize when a new device gets added to the existing network is proposed. The algorithm is tested for various attacks and the results are proven to be efficient and secure.

Patent
17 May 2018
TL;DR: In this paper, the authors present a method for the establishment of a Packet Data Unit (PDU) session over a Non 3GPP Access to a 3GPP network and transmitting IP data and non-IP data.
Abstract: Systems and methods relating to establishment of a Packet Data Unit, PDU, session over a Non 3GPP Access to a 3GPP network and transmitting IP data and non-IP data are provided. A method of operation of a wireless device is provided and comprises sending to an AMF over an N3IWF a PDU session request to establish a PDU session to transport one of IP data or non-IP data over an established first IPsec, Security Association, SA, establishing an IPSec Child SA, for the PDU session and associating the IPSec Child SA to a PDU session then encapsulating the data using ESP encapsulation or GRE encapsulation associated with the IPSec Child SA and indicating the type of data that is being transmitted (e.g., non-IP data that comprises raw application data). In this manner, an IoT device is able to securely transmit to the 3GPP network IP data/non-IP data/raw application data over an unsecure non 3GPP access network such as Wireless Local Area Network. Methods and apparatus describing the NAS signalling and the PDU session as each using their respective IPSec SA are provided. Similarly, methods and apparatus describing the NAS signalling and the PDU sessions sharing a common IPSec SA are provided. GRE encapsulation of the data within the ESP frame is described for both NAS signalling and PDU session in the case of multiple IPSec/Child SAs or common IPSec SA. Similarly, methods and apparatus are provided for the N3IWF which provides for the UE secure access to the network.

Patent
Wu Chih-Hsiang
25 Jan 2018
TL;DR: A communication device for reporting a wireless local area network (WLAN) connection status in a wireless communication system comprises a storage device for storing instructions and a processing circuit coupled to the storage device as discussed by the authors.
Abstract: A communication device for reporting a wireless local area network (WLAN) connection status in a wireless communication system comprises a storage device for storing instructions and a processing circuit coupled to the storage device. The processing circuit is configured to execute the instructions stored in the storage device. The instructions comprise establishing a cellular connection to a base station (BS) of a cellular network via a cell of the BS; receiving a first Cellular-WLAN Radio Level Integration with Internet Protocol Security (IPsec) Tunnel (CWIP) configuration configuring a first IP address, a first Internet Key Exchange (IKE) identity and a first counter value for establishing a first IPsec tunnel over a WLAN, on the cellular connection from the BS; and transmitting a first WLANConnectionStatusReport message on the cellular connection to the BS, when the communication device has a WLAN connection with the WLAN, wherein the first WLANConnectionStatusReport message indicates “successfulAssociation”.

Journal ArticleDOI
TL;DR: This work quantifies the overhead of cryptographic algorithms in order to use them in virtual network embedding solutions, and demonstrates the importance of considering such overheads to perform the allocation of secure virtual networks.

Proceedings ArticleDOI
18 Jun 2018
TL;DR: Experimental results show that the prototype system can obtain the effect of content auditing well without affecting the normal communication between IPsec VPN users.
Abstract: As one of the most commonly used protocols in VPN technology, IPsec has many advantages. However, certain difficulties are posed to the audit work by the protection of information. In this paper, we propose an audit method via man-in-the-middle mechanism, and design a prototype system with DPDK technology. Experiments are implemented in an IPv4 network environment, using default configuration of IPsec VPN configured with known PSK, on operating systems such as Windows 7, Windows 10, Android and iOS. Experimental results show that the prototype system can obtain the effect of content auditing well without affecting the normal communication between IPsec VPN users.

Proceedings ArticleDOI
01 Nov 2018
TL;DR: This work highlights the advantages and limitations of the proposed solutions for security policy verification in IPsec and Firewalls and gives an overall comparison and classification of the existing approaches.
Abstract: As reliance on technology increases, computer networks are getting bigger and larger and so are threats and attacks. Therefore, network security has become a major concern during this last decade. Network security requires a combination of hardware devices and software applications. Namely, firewalls and IPsec gateways are two technologies that provide network security protection and rely on security policies which are maintained to ensure traffic control and network safety. Nevertheless, security policy misconfigurations and inconsistency between the policy’s rules produce errors and conflicts, which are often very hard to detect and consequently cause security holes and compromise the entire system functionality. In this paper, we review the related approaches which have been proposed for security policy management along with surveying the literature for conflict detection and resolution techniques. This work highlights the advantages and limitations of the proposed solutions for security policy verification in IPsec and Firewalls and gives an overall comparison and classification of the existing approaches.