This paper recounts some lessons that we learned from the deployment of host-to-host IPsec in a large corporate network. Several security issues arise from mismatches between the different identifier spaces used by applications, by the IPsec security policy database, and by the security infrastructure (X.509 certificates or Kerberos). Mobile hosts encounter additional problems because private IP addresses are not globally unique, and because they rely on an untrusted DNS server at the visited network. We also discuss a feature interaction in an enhanced IPsec firewall mechanism. The potential solutions are to relax the transparency of IPsec protection, to put applications directly in charge of their security and, in the long term, to redesign the security protocols not to use IP addresses as host identifiers.