John S. Baras

1999

IPSEC and the Internet

Manish Karir

Masters Dissertation, Number: CSHCN MS 1999-9, Year: 1999, Advisor: John S. Baras


Abstract

Secure and efficient communication between computers is becoming more essential as companies attempt to utilize the public network infrastructure for supporting communication between their various sites.

The IPSEC protocols have been proposed as a solution to balance the needs of security and networking between computers. The basic IPSEC protocols are based on the end-to-end security model and when used in the most secure mode do not allow any intermediate nodes in the network to access and obtain information from packet headers encrypted by the security end-points.

However, with the advent of smart applications in the middle of the network, which attempt to make it more efficient, a tradeoff is created between security and efficiency. This tradeoff is the result of the need for these intelligent applications to access packet header information which is not possible with secure IPSEC flows.

This thesis analyzes and evaluates several possible solutions to this problem and argues that they all involve an unacceptable loss in the level of security or are not practical in any real system. On the basis of these arguments it then proposes the use of Layered IPSEC to solve the problem. Layered IPSEC adds flexibility to the current IPSEC protocols by providing the ability to use multiple encryption algorithms with separate encryption keys for different parts of a packet.

We also describe an experimental implementation of the concept and provide timing measurements from it. On the basis of our experience with the implementation and our experimental measurements we argue for the feasibility and usefulness of this scheme.
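The core idea of the abstract, encrypting the header and the payload of one packet under separate keys so that a trusted intermediate node can read the header while the payload stays end-to-end protected, is illustrated by the following added Go example. It is not code from the thesis or its experimental implementation: the packet layout, the use of AES-GCM for each layer, the choice to bind the payload layer to the header ciphertext as associated data, and all keys and packet contents are constructed assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// LayeredPacket carries the header and the payload as two separately
// encrypted layers (a constructed illustration of the layered idea,
// not the thesis's wire format).
type LayeredPacket struct {
	HeaderNonce  []byte
	HeaderCT     []byte // header ciphertext + GCM tag under the header key
	PayloadNonce []byte
	PayloadCT    []byte // payload ciphertext + GCM tag under the payload key
}

// newAEAD builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealLayer encrypts one layer with a fresh random nonce and
// authenticates aad alongside the ciphertext.
func sealLayer(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// openLayer decrypts and verifies one layer; a wrong key, nonce or aad,
// or any modified byte, makes GCM reject it.
func openLayer(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt is the sending endpoint, which holds both keys. The header
// ciphertext is bound into the payload layer as associated data so the
// two layers cannot be re-paired with a header from another packet.
func Encrypt(headerKey, payloadKey, header, payload []byte) (*LayeredPacket, error) {
	hn, hct, err := sealLayer(headerKey, header, nil)
	if err != nil {
		return nil, err
	}
	pn, pct, err := sealLayer(payloadKey, payload, hct)
	if err != nil {
		return nil, err
	}
	return &LayeredPacket{hn, hct, pn, pct}, nil
}

// InspectHeader is the intermediate node: it is given only the header
// key, so it can read and verify the header layer and nothing else.
func InspectHeader(headerKey []byte, p *LayeredPacket) ([]byte, error) {
	return openLayer(headerKey, p.HeaderNonce, p.HeaderCT, nil)
}

// Decrypt is the receiving endpoint, which holds both keys.
func Decrypt(headerKey, payloadKey []byte, p *LayeredPacket) (header, payload []byte, err error) {
	header, err = InspectHeader(headerKey, p)
	if err != nil {
		return nil, nil, err
	}
	payload, err = openLayer(payloadKey, p.PayloadNonce, p.PayloadCT, p.HeaderCT)
	if err != nil {
		return nil, nil, err
	}
	return header, payload, nil
}

// PayloadReadableWith reports whether a node holding only key can open
// the payload layer; for the header key this must be false.
func PayloadReadableWith(key []byte, p *LayeredPacket) bool {
	_, err := openLayer(key, p.PayloadNonce, p.PayloadCT, p.HeaderCT)
	return err == nil
}

func main() {
	headerKey := bytes.Repeat([]byte{0x11}, 16)  // constructed demo key
	payloadKey := bytes.Repeat([]byte{0x22}, 16)  // constructed demo key
	header := []byte("sport=443 dport=51234 proto=tcp") // constructed header
	payload := []byte("GET /private HTTP/1.1")          // constructed payload

	pkt, err := Encrypt(headerKey, payloadKey, header, payload)
	if err != nil {
		panic(err)
	}
	h, err := InspectHeader(headerKey, pkt)
	fmt.Printf("middlebox reads header: %q (err=%v)\n", h, err)
	fmt.Println("middlebox can read payload:", PayloadReadableWith(headerKey, pkt))
	h2, p2, err := Decrypt(headerKey, payloadKey, pkt)
	fmt.Printf("endpoint reads header: %q payload: %q (err=%v)\n", h2, p2, err)
}
```

The point of the split is visible in `InspectHeader` versus `Decrypt`: the same packet yields the header to any holder of the header key, while the payload key never leaves the endpoints. Binding the payload layer to the header ciphertext means that a modified header is detected by the endpoint even if the intermediate node did not check it.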
