A Multi-Layer IPsec Protocol

Authors

  • Yongguang Zhang
  • Bikramjit Singh
Abstract

To appear at 9th USENIX Security Symposium, Aug 2000.

A Multi-Layer IPsec Protocol

Yongguang Zhang, Bikramjit Singh
HRL Laboratories, LLC
{ygz,bsingh}@hrl.com

Abstract

IPsec [KA98] is a suite of standard protocols that provides security services for Internet communications. It protects the entire IP datagram in an "end-to-end" fashion; no intermediate network node in the public Internet can access or modify any information above the IP layer in an IPsec-protected packet. However, recent advances in internet technology introduce a rich new set of services and applications, like traffic engineering, TCP performance enhancements, or transparent proxying and caching, all of which require intermediate network nodes to access a certain part of an IP datagram, usually the upper layer protocol information, to perform flow classification, constraint-based routing, or other customized processing. This is in direct conflict with the IPsec mechanisms. In this research, we propose a multi-layer security protection scheme for IPsec, which uses a finer-grain access control to allow trusted intermediate routers to read and write selected portions of IP datagrams (usually the headers) in a secure and controlled manner.

1 Introduction

The Internet community has developed a mechanism called IPsec for providing secure communications over the public Internet. IPsec can provide data integrity, origin authentication, data confidentiality, access control, partial sequence integrity, and limited traffic flow confidentiality services for communications between any two networks or hosts [KA98]. By addressing the security issues at the IP layer and rendering the security services in a transparent manner, IPsec attempts to relieve software developers from the need to implement security mechanisms at different layers or for different Internet applications. Arguably, IPsec is the best available mechanism for Virtual Private Networks (VPN) and secure remote accesses.

1.1 The Protection Model in IPsec

The fundamental concept behind the IPsec technology is as follows. The path between an IP datagram's source and destination is divided into three segments (see Figure 1): the protected and trustworthy local network at the source (e.g., a company's private LAN), the untrustworthy public Internet segment, and the protected and trustworthy local network at the destination. The IPsec architecture places a security gateway (here G1 and G2) at each boundary between a trustworthy and an untrustworthy network. Initially, G1 at the source establishes a security association with G2 on the destination side, which is a security relationship that involves negotiation of security services and shared secrets. Before an IP datagram (from S to D) is sent to the untrustworthy Internet, the security gateway (G1) encrypts and/or signs the datagram using an IPsec protocol. When it reaches the security gateway at the destination side (G2), the datagram is decrypted and/or checked for authentication, before it is forwarded to the destination (D). In some cases, the trustworthy local network on either side can be omitted, and the source or destination host can perform encryption, authentication and other security-gateway functions itself.
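As an added illustration (not code from the paper or its authors), the following Python model shows the conflict the abstract describes and the finer-grain, per-zone protection it proposes: with one integrity check over the whole datagram, a trusted router that rewrites a header field invalidates the packet at G2; with a separate check per zone, the router can re-protect the header zone with a key it holds while the payload stays end-to-end protected. The split into a header zone and a payload zone, the HMAC-SHA256 authenticator, the two keys and the sample datagram are constructed assumptions; the paper's actual protocol design is not on this page.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed keys for illustration; real IPsec keys come from security-association negotiation.
K_END = b"constructed end-to-end key: held by G1 and G2 only"
K_HDR = b"constructed header-zone key: held by G1, trusted router R, and G2"

def icv(key: bytes, data: bytes) -> bytes:
    """Integrity check value over a byte region (HMAC-SHA256 stands in for the IPsec authenticator)."""
    return hmac.new(key, data, hashlib.sha256).digest()

@dataclass
class Datagram:
    header: bytes   # upper-layer header information an intermediate node may need to read or rewrite
    payload: bytes  # application data that must stay end-to-end protected

def protect_single_layer(d: Datagram) -> dict:
    """Conventional IPsec-style protection: one ICV over the whole datagram under the end-to-end key."""
    return {"header": d.header, "payload": d.payload, "icv": icv(K_END, d.header + d.payload)}

def verify_single_layer(p: dict) -> bool:
    return hmac.compare_digest(p["icv"], icv(K_END, p["header"] + p["payload"]))

def protect_multi_layer(d: Datagram) -> dict:
    """Zone-based protection (illustrative model): header zone under a key shared with trusted
    routers, payload zone under a key only the two endpoints hold."""
    return {"header": d.header, "payload": d.payload,
            "hdr_icv": icv(K_HDR, d.header), "pl_icv": icv(K_END, d.payload)}

def verify_multi_layer(p: dict) -> bool:
    return (hmac.compare_digest(p["hdr_icv"], icv(K_HDR, p["header"]))
            and hmac.compare_digest(p["pl_icv"], icv(K_END, p["payload"])))

def router_rewrite(p: dict, new_header: bytes) -> dict:
    """A trusted intermediate router rewrites the header zone (e.g. for traffic engineering).
    It holds K_HDR, so it can re-protect that zone; it never holds K_END."""
    q = {**p, "header": new_header}
    if "hdr_icv" in q:
        q["hdr_icv"] = icv(K_HDR, new_header)
    return q  # single-layer case: the whole-datagram ICV is left stale, the router cannot recompute it

def demo() -> dict:
    d = Datagram(header=b"tcp sport=40000 dport=80 win=8192", payload=b"GET / HTTP/1.1")  # constructed
    new_hdr = b"tcp sport=40000 dport=80 win=65535"  # constructed rewrite of one header field
    single = router_rewrite(protect_single_layer(d), new_hdr)
    multi = router_rewrite(protect_multi_layer(d), new_hdr)
    tampered = {**multi, "payload": b"GET /other HTTP/1.1"}  # router touching the payload zone
    return {"single_layer_after_rewrite": verify_single_layer(single),
            "multi_layer_after_rewrite": verify_multi_layer(multi),
            "multi_layer_payload_tampered": verify_multi_layer(tampered)}
```

Running demo() shows the whole-datagram check failing after a legitimate header rewrite, the per-zone check passing it, and any change to the payload zone still being rejected at the destination gateway.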



Publication date: 2000