Enabling practical IPsec authentication for the internet

  • Authors:
  • Pedro J. Muñoz Merino;Alberto García-Martínez;Mario Muñoz Organero;Carlos Delgado Kloos

  • Affiliations:
  • Department of Telematics Engineering, Universidad Carlos III de Madrid, Leganés (Madrid), Spain;Department of Telematics Engineering, Universidad Carlos III de Madrid, Leganés (Madrid), Spain;Department of Telematics Engineering, Universidad Carlos III de Madrid, Leganés (Madrid), Spain;Department of Telematics Engineering, Universidad Carlos III de Madrid, Leganés (Madrid), Spain

  • Venue:
  • OTM'06 Proceedings of the 2006 international conference on On the Move to Meaningful Internet Systems: AWeSOMe, CAMS, COMINF, IS, KSinBIT, MIOS-CIAO, MONET - Volume Part I
  • Year:
  • 2006

Abstract

There is a strong consensus about the need for IPsec, although its use is not widespread for end-to-end communications. One of the main reasons for this is the difficulty of authenticating two end-hosts that do not share a secret or do not rely on a common Certification Authority. In this paper we propose a modification to IKE to use reverse DNS and DNSSEC (named DNSSEC-to-IKE) to provide end-to-end authentication to Internet hosts that do not share any secret, without requiring the deployment of a new infrastructure. We perform a comparative analysis in terms of requirements, provided security and performance with state-of-the-art IKE authentication methods and with a recent proposal for IPv6 based on CGA. We conclude that DNSSEC-to-IKE enables the use of IPsec in a broad range of scenarios in which it was not applicable, at the price of offering slightly less security and incurring higher performance costs.