DOI: 10.1145/2523514.2527097
short-paper

CGA integration into IPsec/IKEv2 authentication

Published: 26 November 2013

Abstract

In IPv6 networks, two security mechanisms are available at the network layer: SEcure Neighbor Discovery (SEND) and IP security (IPsec). Although both provide authentication, neither subsumes the other, so SEND and IPsec should be deployed together to protect IPv6 networks. However, when a node uses both SEND and IPsec, authentication has to be done twice, which increases the burden on the node and decreases its performance. In this paper, we propose an approach that enables them to work together under the mediation of an Authentication Management Block, where IPsec uses the public-private keys obtained by SEND rather than negotiating its own authentication credentials, in order to save time and facilitate the deployment of IPsec authentication. We implement and evaluate our approach using the ipsec-tools and DoCoMo SEND implementations. Our proof-of-concept experiment shows a considerable speedup of IPsec authentication time.



Published In

SIN '13: Proceedings of the 6th International Conference on Security of Information and Networks
November 2013
483 pages
ISBN: 9781450324984
DOI: 10.1145/2523514

Sponsors

  • Macquarie U., Australia
  • MNIT: Malaviya National Institute of Technology
  • Aksaray Univ.: Aksaray University
  • SFedU: Southern Federal University

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. CGA
  2. IKEv2
  3. IPv6 security
  4. authentication mechanism

Qualifiers

  • Short-paper

Conference

SIN '13
Sponsor:
  • MNIT
  • Aksaray Univ.
  • SFedU

Acceptance Rates

Overall Acceptance Rate 102 of 289 submissions, 35%
