CGA Integration into IPsec/IKEv2 Authentication
Related papers
CGA as alternative security credentials with IKEv2: implementation and analysis
Internet Protocol security (IPsec) is a protocol suite enabling secure IP communications by authentication and/or encryption. The Internet Key Exchange version 2 (IKEv2) mechanism is recommended to dynamically configure IPsec between IP nodes, and the authentication of each peer is usually based on either pre-shared keys, X.509 certificates or the Extensible Authentication Protocol (EAP). However, these methods may have drawbacks. On the other hand, Cryptographically Generated Addresses (CGA), IPv6 addresses with specific security properties, are the main component of the mechanism to secure the IPv6 Neighbor Discovery protocol, but these security properties are only used in a local scope. An interesting solution could be the use of CGA as alternative security material for IKEv2. In this paper, we analyze advantages and drawbacks of CGA use compared to classical IKEv2 security materials, decide design choices regarding modifications of IKEv2 to integrate CGA, and finally, describe the resulting implementation.
Enabling Practical IPsec Authentication for the Internet
Lecture Notes in Computer Science, 2006
There is a strong consensus about the need for IPsec, although its use is not widespread for end-to-end communications. One of the main reasons for this is the difficulty of authenticating two end-hosts that do not share a secret or do not rely on a common Certification Authority. In this paper we propose a modification to IKE to use reverse DNS and DNSSEC (named DNSSEC-to-IKE) to provide end-to-end authentication to Internet hosts that do not share any secret, without requiring the deployment of a new infrastructure. We perform a comparative analysis in terms of requirements, provided security and performance with state-of-the-art IKE authentication methods and with a recent proposal for IPv6 based on CGA. We conclude that DNSSEC-to-IKE enables the use of IPsec in a broad range of scenarios in which it was not applicable, at the price of offering slightly less security and incurring higher performance costs.
Securing IPv6’s Neighbour Discovery, using Locally Authentication Process
2014
The Internet Engineering Task Force (IETF), in IPv6, allowed nodes to autoconfigure using the Neighbour Discovery protocol. Neighbour Discovery (ND) and address auto-configuration mechanisms may be protected with the IPSec Authentication Header (AH). Protecting all traffic will include the Address Resolution Protocol. To protect this, IPSec will need an agreed key. For key setup, a UDP packet is sent, which requires IPSec for secure communication. So IPSec requires an agreed key, and for key setup IPSec is needed; this creates a loop. To solve this problem, the Locally Authentication Process is presented in this paper. This process will provide a certificate of ownership of the IP address on the network interface card and a public key to provide authorization. On the other hand, it will also reduce the network load.
Securing IPv6's Neighbour and Router Discovery, using Locally Authentication Process
Internet Protocol version six (IPv6), the next generation Internet Protocol (IP), exists sparsely in today's world. The Internet Engineering Task Force (IETF), in IPv6, allowed nodes to auto-configure using the Neighbour Discovery protocol. Neighbour Discovery (ND) and address auto-configuration mechanisms may be protected with the IPSec Authentication Header (AH). However, as it gains popularity nowadays, it will grow into a vital role in the Internet and communications technology in general. IPv6, the latest revision of the Internet Protocol (IP), is intended to replace IPv4, which still carries the vast majority of Internet traffic as of 2014. Protecting all traffic will include the Address Resolution Protocol. To protect this, IPSec will need an agreed key. For
2005
IPv6 is an IETF standard that allows the Internet to expand its address space, provide better IP mobility, and enhance security. Predominantly, discussions around IPv6 security have centered on IPsec. This paper focuses on the security aspects of IPv6 related to IPSec and also discusses some of the challenges involved in deploying IPv6 IPsec.
Automatic IPSec Security Association Negotiation in Mobile-Oriented IPv6 Networks
2005 Symposium on Applications and the Internet Workshops (SAINT 2005 Workshops), 2005
Integrated mobility and security support is one of the most desirable features for a network. Although IPv6 offers a protocol which satisfies both these requirements, practical issues still exist which do not allow for a really integrated environment. Our contribution towards such integration is the development of a solution to automate the task of setting up the appropriate IPSec Security Associations each time a node connects to an IPv6 subnet. The result is mipsd, a user-space daemon which interacts with the IKE daemon running at the mobile host to allow the completely automated setup of SAs towards the corresponding Security Gateway.
Easy-SEND: A Didactic Implementation of the Secure Neighbor Discovery Protocol for IPv6
2009 International Conference on Computer Science and Applications (CCSA’09), 2009
IPv6 adds many improvements to IPv4 in areas such as address space, built-in security, quality of service, routing and network auto-configuration. IPv6 nodes use the Neighbor Discovery (ND) protocol to discover other nodes on the link, to determine their link-layer addresses, to find routers, to detect duplicate addresses, and to maintain reachability information about the paths to active neighbors. ND is vulnerable to various attacks when it is not secured. The original specifications of ND called for the use of IPsec as a security mechanism to protect ND messages. However, its use is impractical due to the very large number of manually configured security associations needed for protecting ND. For this reason, the Secure Neighbor Discovery Protocol (SEND) was proposed. In this paper, we present Easy-SEND, an open source implementation of SEND that can be used in a production environment or as a didactic application for the teaching and learning of the SEND protocol. Easy-SEND is easy to install and use, and it has an event logger that can help network administrators troubleshoot problems or students in their studies. It also includes a tool to generate and verify the Cryptographically Generated Addresses (CGA) that are used with SEND.
IPSec over Heterogeneous IPv4 and IPv6 Networks: Issues and Implementation
In the face of looming IPv4 address exhaustion and the slow pace of IPv4 to IPv6 migration, this work deploys the IPv4/IPv6 translation gateway as a mechanism to ensure that most IPv6 mission-critical applications continue to interoperate with legacy IPv4 nodes. However, the existence of a translation gateway between two IPSec nodes from disparate address realms imposes some incompatibility issues due to the violation of TCP/UDP and IPSec intrinsic functionalities by the gateway.
IPSec: Performance Analysis in IPv4 and IPv6
Journal of ICT Standardization
Internet Protocol security (IPSec) is an end-to-end security scheme to provide security at the IP network layer, but this comes with performance implications leading to throughput reduction and resource consumption. In this paper we present a throughput performance analysis of the IPSec protocol, for both IPv4 and IPv6, using various cryptographic algorithms as recommended in the standards [13]. In this study we have considered only throughput performance for the authenticated encryption algorithms AES-GCM and AES-CCM, the encryption algorithms AES-CBC, AES-CTR, and 3DES, and the authentication algorithms SHA1, SHA2 and XCBC. The result shows that AES-GCM provides better performance compared to the other recommended algorithms.
Analytical Analysis of the Performance Overheads of IPsec in MIPv6 Scenarios
Lecture Notes Electrical Engineering, 2008
The next generation network (NGN) connects different access networks, such as xDSL, 3G, WiFi, and WiMAX, to an IPv6-based core network. One of the requirements of NGN is to support the mobility of services, users, and terminal equipment. The mobile IPv6 protocol (MIPv6) and its extensions, such as hierarchical MIPv6 [20], fast handovers for MIPv6, and the network mobility protocol [4], provide one major possible mobility service solution. Other solutions also exist, and a discussion and comparison of the main mobility protocols can be found in .