
Enabling Practical IPsec Authentication for the Internet

  • Conference paper
On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops (OTM 2006)

Abstract

There is a strong consensus about the need for IPsec, although its use is not widespread for end-to-end communications. One of the main reasons for this is the difficulty of authenticating two end-hosts that neither share a secret nor rely on a common Certification Authority. In this paper we propose a modification to IKE that uses reverse DNS and DNSSEC (named DNSSEC-to-IKE) to provide end-to-end authentication for Internet hosts that do not share any secret, without requiring the deployment of a new infrastructure. We perform a comparative analysis, in terms of requirements, security provided and performance, against state-of-the-art IKE authentication methods and against a recent proposal for IPv6 based on CGA. We conclude that DNSSEC-to-IKE enables the use of IPsec in a broad range of scenarios in which it was not previously applicable, at the price of offering slightly less security and incurring higher performance costs.

An erratum to this chapter can be found at http://dx.doi.org/10.1007/11915034_125.
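The abstract describes the mechanism only at a high level, and the paper's actual changes to IKE are not on this page. The Go program below is an added example, not code from the paper or its authors, that sketches the initiator's side of such an exchange under stated assumptions: the responder publishes its public key as an IPSECKEY record (RFC 4025) under the reverse name of its own address; the record carries the EdDSA algorithm value (4, RFC 9373) with a raw Ed25519 key, rather than the RSA encoding a 2006 implementation would have used; a map with a Secure flag stands in for a validating resolver's answer and its AD bit; and the address, record and transcript are constructed. The point to take from the abstract, and the one the code enforces, is that the key is trusted only because DNSSEC validated the reverse-zone answer, so an unvalidated answer must be refused outright, and that what gets authenticated is control of the address block's reverse zone rather than a named principal, a weaker binding than a CA-issued identity.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net"
)

// reverseName builds the in-addr.arpa owner name for an IPv4 address (IPv6 uses one
// nibble per label under ip6.arpa). Only the address holder can publish there.
func reverseName(ip net.IP) (string, error) {
	v4 := ip.To4()
	if v4 == nil {
		return "", errors.New("not an IPv4 address")
	}
	return fmt.Sprintf("%d.%d.%d.%d.in-addr.arpa.", v4[3], v4[2], v4[1], v4[0]), nil
}

// parseIPSECKEY reads the RFC 4025 presentation format "precedence gateway-type
// algorithm gateway base64-key" (algorithm 2 is RSA; 4 is EdDSA, RFC 9373).
func parseIPSECKEY(rdata string) (prec, alg uint8, key []byte, err error) {
	var gwType uint8
	var gateway, b64 string
	if _, err = fmt.Sscan(rdata, &prec, &gwType, &alg, &gateway, &b64); err != nil {
		return 0, 0, nil, fmt.Errorf("IPSECKEY: %w", err)
	}
	key, err = base64.StdEncoding.DecodeString(b64)
	return prec, alg, key, err
}

// rrset stands in for a validating resolver's answer; Secure mirrors the AD bit (constructed).
type rrset struct {
	RData  []string
	Secure bool
}

// peerKey resolves the peer's address in reverse DNS and returns its lowest-precedence
// Ed25519 IPSECKEY, refusing any answer that DNSSEC did not validate.
func peerKey(zone map[string]rrset, ip net.IP) (ed25519.PublicKey, error) {
	name, err := reverseName(ip)
	if err != nil {
		return nil, err
	}
	rs, ok := zone[name]
	if !ok || !rs.Secure {
		return nil, fmt.Errorf("no DNSSEC-validated IPSECKEY at %s: an unsigned answer would let a spoofer choose the key", name)
	}
	var best []byte
	bestPrec := 256 // RFC 4025: lower precedence is preferred
	for _, rd := range rs.RData {
		p, a, k, err := parseIPSECKEY(rd)
		if err == nil && a == 4 && len(k) == ed25519.PublicKeySize && int(p) < bestPrec {
			best, bestPrec = k, int(p)
		}
	}
	if best == nil {
		return nil, fmt.Errorf("no usable EdDSA IPSECKEY at %s", name)
	}
	return ed25519.PublicKey(best), nil
}

// verifyPeerAuth is the initiator's check of an AUTH-style payload: the responder's
// signature over the exchange transcript, verified with the key fetched from DNS.
func verifyPeerAuth(zone map[string]rrset, ip net.IP, transcript, sig []byte) error {
	if pub, err := peerKey(zone, ip); err != nil {
		return err
	} else if !ed25519.Verify(pub, transcript, sig) {
		return errors.New("AUTH signature does not verify under the DNS-published key")
	}
	return nil
}

// Demo runs both sides over constructed DNS data: signed zone, unsigned copy, tampered transcript.
func Demo() (verified, unsignedRefused, tamperDetected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	ip := net.ParseIP("192.0.2.38")
	name, _ := reverseName(ip)
	rd := "10 1 4 192.0.2.38 " + base64.StdEncoding.EncodeToString(pub) // what the peer publishes
	signed := map[string]rrset{name: {[]string{rd}, true}}
	unsigned := map[string]rrset{name: {[]string{rd}, false}}
	transcript := []byte("constructed IKE transcript: SPIi|SPIr|Ni|Nr|IDr=192.0.2.38")
	sig := ed25519.Sign(priv, transcript) // responder side
	verified = verifyPeerAuth(signed, ip, transcript, sig) == nil
	unsignedRefused = verifyPeerAuth(unsigned, ip, transcript, sig) != nil
	tamperDetected = verifyPeerAuth(signed, ip, append(transcript, '!'), sig) != nil
	return
}

func main() {
	fmt.Println(Demo()) // expect: true true true <nil>
}
```

The three booleans show the signed-zone lookup verifying, the unsigned copy being refused before any signature is checked, and a modified transcript failing. A real implementation would query a validating resolver and honour the AD bit (or validate the RRSIG chain itself), accept the RSA encoding of RFC 3110 as well, and bind the signed transcript to the IKE SA's nonces and SPIs; none of that changes the trust decision shown here, which rests entirely on DNSSEC.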




Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Merino, P.J.M., García-Martínez, A., Organero, M.M., Kloos, C.D. (2006). Enabling Practical IPsec Authentication for the Internet. In: Meersman, R., Tari, Z., Herrero, P. (eds) On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops. OTM 2006. Lecture Notes in Computer Science, vol 4277. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11915034_63


  • DOI: https://doi.org/10.1007/11915034_63

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-48269-7

  • Online ISBN: 978-3-540-48272-7
