Abstract
We present the Plug-and-Play IP Security (PnP-IPsec) protocol. PnP-IPsec automatically establishes IPsec security associations between gateways, avoiding the need for manual administration and coordination between gateways, and the dependency on IPsec public key certificates - the two problems which are widely believed to have limited the use of IPsec mostly to intra-organization communication.
PnP-IPsec builds on Self-validated Public Data Distribution (SvPDD), a protocol that we present to establish secure connections between remote peers/networks, without depending on pre-distributed keys or certification infrastructure. Instead, SvPDD uses available anonymous communication infrastructures such as Tor, which we show to allow detection of MitM attacker interfering with communication. SvPDD may also be used in other scenarios lacking secure public key distribution, such as the initial connection to an SSH server.
We provide an open-source implementation of PnP-IPsec and SvPDD, and show that the resulting system is practical and secure.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Abramov, R., Herzberg, A.: TCP Ack Storm DoS Attacks. Computers & Security 33, 12–27 (2013)
Alicherry, M., Keromytis, A.D.: DoubleCheck: Multi-Path Verification against Man-in-the-Middle Attacks. In: ISCC, pp. 557–563. IEEE (2009)
Aura, T., Nikander, P., Leiwo, J.: DoS-Resistant Authentication with Client Puzzles. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols. LNCS, vol. 2133, pp. 170–177. Springer, Heidelberg (2001)
ComodoTM. Incident Report (March 2011), Published online http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
Dingledine, R., Mathewson, N., Syverson, P.F.: Tor: The Second-Generation Onion Router. In: USENIX Security Symposium, pp. 303–320. USENIX (2004)
Eddy, W.: TCP SYN Flooding Attacks and Common Mitigations. RFC 4987 (Informational) (August 2007)
Gilad, Y., Herzberg, A.: LOT: A Defense Against IP Spoofing and Flooding Attacks. ACM Transactions on Information and System Security 15(2), 6:1–6:30 (2012)
Gilad, Y., Herzberg, A.: Plug-and-Play IP Security: Anonymity Infrastructure Instead of PKI. Technical report, Bar Ilan University, Dept. of Computer Science, Network Security Lab, (June 2013), Published online http://eprint.iacr.org/2013/410
Gilmore, J.: FreeS/WAN, Published online www.freeswan.org
Goldwasser, S., Micali, S.: Probabilistic Encryption. Journal of Computer and System Sciences 28(2), 270–299 (1984)
Herzberg, A., Shulman, H.: Stealth DoS Attacks on Secure Channels. In: Proceedings of Network and Distributed Systems Security (NDSS). Internet Society (February 2010)
Housley, R., Ford, W., Polk, W., Solo, D.: Internet X.509 Public Key Infrastructure Certificate and CRL Profile. RFC 2459 (Proposed Standard) (January 1999); Obsoleted by RFC 3280
Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Cryptography from Anonymity. In: IEEE Symposium on Foundations of Computer Science, FOCS, pp. 239–248 (2006)
Kaufman, C., Hoffman, P., Nir, Y., Eronen, P.: Internet Key Exchange Protocol Version 2 (IKEv2). RFC 5996 (Proposed Standard) (September 2010); Updated by RFC 5998
Kent, S., Seo, K.: Security Architecture for the Internet Protocol. RFC 4301 (Proposed Standard) (December 2005); Updated by RFC 6040
Marlinspike, M.: Convergence (2011), Published online http://convergence.io
The Tor Project. Tor Metrics Portal (April 2013), Published online https://metrics.torproject.org/graphs.html
Richardson, M.: A Method for Storing IPsec Keying Material in DNS. RFC 4025 (Proposed Standard) (March 2005)
Richardson, M., Redelmeier, D.H.: Opportunistic Encryption using the Internet Key Exchange (IKE). RFC 4322 (Informational) (December 2005)
Sampigethaya, K., Poovendran, R.: A Survey on Mix Networks and Their Secure Applications. Proceedings of the IEEE 94(12), 2142–2181 (2006)
Schmeing, C.: FreeS/WAN Announcement (2004), Published online http://www.freeswan.org/ending_letter.html
Stevens, M., Sotirov, A., Appelbaum, J., Lenstra, A., Molnar, D., Osvik, D.A., de Weger, B.: Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 55–69. Springer, Heidelberg (2009)
Touch, J., Black, D., Wang, Y.: Problem and Applicability Statement for Better-Than-Nothing Security (BTNS). RFC 5387 (Informational) (November 2008)
Wendlandt, D., Andersen, D.G., Perrig, A.: Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing. In: Isaacs, R., Zhou, Y. (eds.) USENIX Annual Technical Conference, pp. 321–334. USENIX Association (2008)
Williams, N., Richardson, M.: Better-Than-Nothing Security: An Unauthenticated Mode of IPsec. RFC 5386 (Proposed Standard) (November 2008)
Ylonen, T., Lonvick, C.: The Secure Shell (SSH) Protocol Architecture. RFC 4251 (Proposed Standard) (January 2006)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Gilad, Y., Herzberg, A. (2013). Plug-and-Play IP Security. In: Crampton, J., Jajodia, S., Mayes, K. (eds) Computer Security – ESORICS 2013. ESORICS 2013. Lecture Notes in Computer Science, vol 8134. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40203-6_15
Download citation
DOI: https://doi.org/10.1007/978-3-642-40203-6_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40202-9
Online ISBN: 978-3-642-40203-6
eBook Packages: Computer ScienceComputer Science (R0)