Experiences with Host-to-Host IPsec

  • Tuomas Aura
  • Michael Roe
  • Anish Mohammed
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4631)


This paper recounts some lessons that we learned from the deployment of host-to-host IPsec in a large corporate network. Several security issues arise from mismatches between the different identifier spaces used by applications, by the IPsec security policy database, and by the security infrastructure (X.509 certificates or Kerberos). Mobile hosts encounter additional problems because private IP addresses are not globally unique, and because they rely on an untrusted DNS server at the visited network. We also discuss a feature interaction in an enhanced IPsec firewall mechanism. The potential solutions are to relax the transparency of IPsec protection, to put applications directly in charge of their security and, in the long term, to redesign the security protocols not to use IP addresses as host identifiers.


Security Policy Mobile Host Security Protocol Virtual Private Network Internet Engineer Task Force 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aura, T.: Cryptographically generated addresses. In: Boyd, C., Mao, W. (eds.) ISC 2003. LNCS, vol. 2851, pp. 29–43. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  2. 2.
    Aura, T., Roe, M., Arkko, J.: Security of Internet location management. In: Proc. 18th Annual Computer Security Applications Conference, Las Vegas, IEEE Computer Society, Los Alamitos (2002)Google Scholar
  3. 3.
    Bellovin, S.M.: Problem areas for the IP security protocols. In: Proc. 6th Usenix Unix Security Symposium, pp. 205–214. USENIX Association, San Jose, CA, USA (1996)Google Scholar
  4. 4.
    Carpenter, B., Crowcroft, J., Rekhter, Y.: IPv4 address behaviour today. RFC 2101, IETF Network Working Group (February 1997)Google Scholar
  5. 5.
    Dolev, D., Yao, A.: On the security of public-key protocols. Communications of the ACM 29(8), 198–208 (1983)zbMATHMathSciNetGoogle Scholar
  6. 6.
    Eastlake, D.: Domain name system security extensions. RFC 2535, IETF Network Working Group (March 1999)Google Scholar
  7. 7.
    Kaufman, C. (ed.): Internet key exchange (IKEv2) protocol. Internet-Draft draft-ietf-ipsec-ikev2-17.txt, IETF IPsec Working Group, Work in progress (September 2004)Google Scholar
  8. 8.
    Ferguson, N., Schneier, B.: A cryptographic evaluation of IPsec. Technical report, Counterpane Labs (1999)Google Scholar
  9. 9.
    Guttman, J.D., Herzog, A.L., Thayer, F.J.: Authentication and confidentiality via IPsec. In: Cuppens, F., Deswarte, Y., Gollmann, D., Waidner, M. (eds.) ESORICS 2000. LNCS, vol. 1895, pp. 255–272. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  10. 10.
    Harkins, D., Carrel, D.: The Internet key exchange (IKE). RFC 2409, IETF Network Working Group (November 1998)Google Scholar
  11. 11.
    Kent, S., Atkinson, R.: Security architecture for the Internet Protocol. RFC 2401, IETF Network Working Group (November 1998)Google Scholar
  12. 12.
    Kent, S., Seo, K.: Security architecture for the Internet protocol. Internet-Draft draft-ietf-ipsec-rfc2401bis-03, IETF IPsec Working Group, Work in progress (September 2004)Google Scholar
  13. 13.
    Krawczyk, H.: SIGMA: The ‘SIGn-and-MAc’ approach to authenticated Diffie-Hellman and its use in the IKE-protocols. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 400–425. Springer, Heidelberg (2003)Google Scholar
  14. 14.
    Lang, U., Gollmann, D., Schreiner, R.: Verifiable identifiers in middleware security. In: Proc. 17th Annual Computer Security Applications Conference, New Orleans, LA USA, pp. 450–459. IEEE Computer Society, Los Alamitos (2001)Google Scholar
  15. 15.
    Linn, J.: Generic security service application program interface version 2, update 1. RFC 2743, IETF (January 2000)Google Scholar
  16. 16.
    Meadows, C.: Analysis of the Internet Key Exchange protocol using the NRL protocol analyzer. In: IEEE Symposium on Security and Privacy, IEEE Computer Society Press, Los Alamitos (1999)Google Scholar
  17. 17.
    Nikander, P.: Denial-of-service, address ownership, and early authentication in the IPv6 world. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols. LNCS, vol. 2467, pp. 12–21. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  18. 18.
    Nikander, P., Ylitalo, J., Wall, J.: Integrating security, mobility, and multi-homing in a HIP way. In: NDSS 2003. Proc. Network and Distributed Systems Security Symposium, San Diego, CA USA, pp. 87–99 (February 2003)Google Scholar
  19. 19.
    Perlman, R., Kaufman, C.: Key exchange in IPSec: Analysis of IKE. IEEE Internet Computing 4(6), 50–56 (2000)CrossRefGoogle Scholar
  20. 20.
    Piper, D., Swander, B.: A GSS-API authentication method for IKE. Internet-Draft draft-ietf-ipsec-isakmp-gss-auth-07, IETF, Expired (July 2001)Google Scholar
  21. 21.
    Rekhter, Y., Moskowitz, B., Karrenberg, D., De Groot, G J., Lear, E.: Address allocation for private internets. RFC 1918, IETF (February 1996)Google Scholar
  22. 22.
    Schuba, C.L., Krsul, I.V., Kuhn, M.G., Spaffold, E.H., Sundaram, A., Zamboni, D.: Analysis of a denial of service attack on TCP. In: Proc. 1997 IEEE Symposium on Security and Privacy, Oakland, CA USA, pp. 208–223. IEEE Computer Society Press, Los Alamitos (1997)Google Scholar
  23. 23.
    Trostle, J., Gossman, B.: Techniques for improving the security and manageability of IPsec policy. International Journal of Information Security 4(3), 209–226 (2005)CrossRefGoogle Scholar
  24. 24.
    International Telecommunication Union. ITU-T recommendation X.509 (11/93) - The Directory: Authentication Framework (November 1993)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Tuomas Aura
    • 1
  • Michael Roe
    • 1
  • Anish Mohammed
    • 1
  1. 1.Microsoft Research 

Personalised recommendations