Limitations of IPsec policy mechanisms

Jari Arkko; Pekka Nikander

doi:10.1007/11542322_29

Limitations of IPsec policy mechanisms

Jari Arkko^*, Pekka Nikander

^*Corresponding author for this work

Not published at Aalto University

Ericsson Research

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

6 Citations (Scopus)

Abstract

IPsec, while widely implemented, is rarely used for end-to-end protection of application protocols. Instead, it is mainly used today as an "all or nothing" protection for VPNs. In this paper we discuss the structure and shortcomings of the IPsec security policy mechanisms as partial reasons for this situation. We describe our experiences in using IPsec in a number of situations, including IPv6 control protocols, mobility protocols, network management, and multimedia protocols. We conclude that more often than not, the existing policy mechanisms are inadequate. While IPsec is quite effective in authenticating the peer and establishing assurance about its identity, the lack of attention to authorization questions is a root cause of the existing inadequacies. We also claim that the problems are more fundamental than the lack of suitable APIs and management tools. Finally, we present some potential architectural modifications which could improve the situation, and discuss the practical challenges in achieving these modifications.

Original language	English
Title of host publication	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Publisher	Springer
Pages	241-251
Number of pages	11
ISBN (Print)	3540283897, 9783540283898
DOIs	https://doi.org/10.1007/11542322_29
Publication status	Published - 1 Dec 2005
MoE publication type	A4 Conference publication
Event	International Workshop on Security Protocols - Cambridge, United Kingdom Duration: 2 Apr 2003 → 4 Apr 2003 Conference number: 11

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	3364 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Workshop

Workshop	International Workshop on Security Protocols
Country/Territory	United Kingdom
City	Cambridge
Period	02/04/2003 → 04/04/2003

Access to Document

10.1007/11542322_29

Cite this

Arkko, J., & Nikander, P. (2005). Limitations of IPsec policy mechanisms. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (pp. 241-251). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 3364 LNCS). Springer. https://doi.org/10.1007/11542322_29

Arkko, Jari ; Nikander, Pekka. / Limitations of IPsec policy mechanisms. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Springer, 2005. pp. 241-251 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{11161c4096e24f5e8e4edf886729e478,

title = "Limitations of IPsec policy mechanisms",

abstract = "IPsec, while widely implemented, is rarely used for end-to-end protection of application protocols. Instead, it is mainly used today as an {"}all or nothing{"} protection for VPNs. In this paper we discuss the structure and shortcomings of the IPsec security policy mechanisms as partial reasons for this situation. We describe our experiences in using IPsec in a number of situations, including IPv6 control protocols, mobility protocols, network management, and multimedia protocols. We conclude that more often than not, the existing policy mechanisms are inadequate. While IPsec is quite effective in authenticating the peer and establishing assurance about its identity, the lack of attention to authorization questions is a root cause of the existing inadequacies. We also claim that the problems are more fundamental than the lack of suitable APIs and management tools. Finally, we present some potential architectural modifications which could improve the situation, and discuss the practical challenges in achieving these modifications.",

author = "Jari Arkko and Pekka Nikander",

year = "2005",

month = dec,

day = "1",

doi = "10.1007/11542322_29",

language = "English",

isbn = "3540283897",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "241--251",

booktitle = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

address = "Germany",

note = "International Workshop on Security Protocols ; Conference date: 02-04-2003 Through 04-04-2003",

}

Arkko, J & Nikander, P 2005, Limitations of IPsec policy mechanisms. in Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 3364 LNCS, Springer, pp. 241-251, International Workshop on Security Protocols, Cambridge, United Kingdom, 02/04/2003. https://doi.org/10.1007/11542322_29

Limitations of IPsec policy mechanisms. / Arkko, Jari; Nikander, Pekka.
Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Springer, 2005. p. 241-251 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 3364 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

TY - GEN

T1 - Limitations of IPsec policy mechanisms

AU - Arkko, Jari

AU - Nikander, Pekka

N1 - Conference code: 11

PY - 2005/12/1

Y1 - 2005/12/1

N2 - IPsec, while widely implemented, is rarely used for end-to-end protection of application protocols. Instead, it is mainly used today as an "all or nothing" protection for VPNs. In this paper we discuss the structure and shortcomings of the IPsec security policy mechanisms as partial reasons for this situation. We describe our experiences in using IPsec in a number of situations, including IPv6 control protocols, mobility protocols, network management, and multimedia protocols. We conclude that more often than not, the existing policy mechanisms are inadequate. While IPsec is quite effective in authenticating the peer and establishing assurance about its identity, the lack of attention to authorization questions is a root cause of the existing inadequacies. We also claim that the problems are more fundamental than the lack of suitable APIs and management tools. Finally, we present some potential architectural modifications which could improve the situation, and discuss the practical challenges in achieving these modifications.

AB - IPsec, while widely implemented, is rarely used for end-to-end protection of application protocols. Instead, it is mainly used today as an "all or nothing" protection for VPNs. In this paper we discuss the structure and shortcomings of the IPsec security policy mechanisms as partial reasons for this situation. We describe our experiences in using IPsec in a number of situations, including IPv6 control protocols, mobility protocols, network management, and multimedia protocols. We conclude that more often than not, the existing policy mechanisms are inadequate. While IPsec is quite effective in authenticating the peer and establishing assurance about its identity, the lack of attention to authorization questions is a root cause of the existing inadequacies. We also claim that the problems are more fundamental than the lack of suitable APIs and management tools. Finally, we present some potential architectural modifications which could improve the situation, and discuss the practical challenges in achieving these modifications.

UR - http://www.scopus.com/inward/record.url?scp=33645678103&partnerID=8YFLogxK

U2 - 10.1007/11542322_29

DO - 10.1007/11542322_29

M3 - Conference article in proceedings

AN - SCOPUS:33645678103

SN - 3540283897

SN - 9783540283898

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 241

EP - 251

BT - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

PB - Springer

T2 - International Workshop on Security Protocols

Y2 - 2 April 2003 through 4 April 2003

ER -

Arkko J, Nikander P. Limitations of IPsec policy mechanisms. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). Springer. 2005. p. 241-251. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/11542322_29

Limitations of IPsec policy mechanisms

Abstract

Publication series

Workshop

Access to Document

Other files and links

Fingerprint

Cite this