
Re: revised IPsec processing model



Stephen Kent <kent@bbn.com> writes:

>   As I revise the processing model to take into account the comments
>   I have received, I will try to reword it to be as clear as
>   possible about the security implications associated with different
>   assumptions about routing tables and the extent to which they may
>   change without secure intermediation, as the security implications
>   of such changes.

It might be useful to consider the methods described in
"Authentication and Confidentiality via IPsec" (ESORICS, 2000) by
myself, Amy Herzog, and Javier Thayer.  That way people could
establish that certain security goals depend only on specific aspects
of a network's IPsec configuration.  In this case, one knows whether
those goals could be undermined by changes in routing tables.

The paper is available at http://www.ccs.neu.edu/home/guttman, and the
abstract is below.  

More work along this line has been done, including some
implementations to analyze configurations.  Another paper will be
available shortly.

        Joshua 


The IP security protocols (IPsec) may be used via security gateways
that apply cryptographic operations to provide security services to
datagrams, and this mode of use is supported by an increasing number
of commercial products.  In this paper, we formalize the types of
authentication and confidentiality goal that IPsec is capable of
achieving, and we provide criteria that entail that a network with
particular IPsec processing achieves its security goals.

This requires us to formalize the structure of networks using IPsec,
and the state of packets relevant to IPsec processing.  We can then
prove confidentiality goals as invariants of the formalized systems.
Authentication goals are formalized in the manner of [Schneider96],
and a simple proof method using "unwinding sets" is introduced.  We
end the paper by explaining the network threats that are prevented by
correct IPsec processing.


-- 
	Joshua D. Guttman		<guttman@mitre.org>
	MITRE, Mail Stop S119		Office:	+1 781 271 2654
	202 Burlington Rd.		Fax:	+1 781 271 8953
	Bedford, MA 01730-1420 USA	Cell:	+1 781 526 5713
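The abstract above describes proving a confidentiality goal as an invariant over all reachable packet states of a network with IPsec gateways, and the thread's question is whether such a goal survives a routing-table change. The following is an added illustration of that idea, not code from the paper or from the poster: a toy reachability checker over a constructed three-area network (two trusted sites joined by gateways SG1/SG2, plus a plain router R_alt on a backup link). Device names, the header-stack packet model and the routing tables are all assumptions made for the example. The invariant checked is "while a packet is in the untrusted area, its outermost header is an ESP tunnel header between trusted gateways"; the same network is analysed twice, once with R_alt forwarding h2-bound traffic back into site_A (so it reaches SG1) and once after a routing change that sends it straight to the internet.

```python
"""Toy reachability checker for an IPsec confidentiality goal.

Constructed example: areas are joined by devices; a state is
(area, header_stack) with the outermost header first, each header being
(src, dst, proto) where proto is "plain" (cleartext IP) or "esp".
"""
from collections import deque

TRUSTED_AREAS = {"site_A", "site_B"}
TRUSTED_GATEWAYS = {"SG1", "SG2"}


class Device:
    """A router or security gateway attached to one or more areas."""

    def __init__(self, name, links, routes, tunnels=None):
        self.name = name              # also serves as the device's address
        self.links = set(links)       # areas this device is attached to
        self.routes = routes          # dst address -> outgoing area ("*" = default)
        self.tunnels = tunnels or {}  # (inner src, inner dst) -> tunnel peer

    def next_area(self, dst):
        return self.routes.get(dst, self.routes.get("*"))

    def process(self, headers):
        """Apply IPsec processing, then forward; returns (area, headers) or None."""
        outer = headers[0]
        # Inbound: strip an ESP tunnel header addressed to this gateway.
        if outer[2] == "esp" and outer[1] == self.name:
            headers = headers[1:]
        # Outbound: if the innermost header matches a tunnel selector and the
        # packet is not already protected, wrap it in an ESP tunnel header.
        inner = headers[-1]
        peer = self.tunnels.get((inner[0], inner[1]))
        if peer is not None and headers[0][2] != "esp":
            headers = ((self.name, peer, "esp"),) + headers
        area_out = self.next_area(headers[0][1])
        if area_out not in self.links:
            return None  # no usable route: packet dropped
        return area_out, headers


def build_network(r_alt_route_to_h2):
    """Constructed topology; r_alt_route_to_h2 is where R_alt sends h2-bound traffic."""
    return [
        Device("SG1", {"site_A", "internet"},
               {"h1": "site_A", "h2": "internet", "SG2": "internet", "*": "internet"},
               tunnels={("h1", "h2"): "SG2"}),
        Device("SG2", {"internet", "site_B"},
               {"h2": "site_B", "h1": "internet", "SG1": "internet", "*": "internet"},
               tunnels={("h2", "h1"): "SG1"}),
        Device("R_alt", {"site_A", "internet"},
               {"h1": "site_A", "h2": r_alt_route_to_h2, "*": "internet"}),
    ]


def reachable_states(devices, start_area, packet):
    """BFS over (area, headers); any device attached to an area may pick a packet up."""
    by_area = {}
    for dev in devices:
        for area in dev.links:
            by_area.setdefault(area, []).append(dev)
    seen = {(start_area, packet)}
    queue = deque(seen)
    while queue:
        area, headers = queue.popleft()
        for dev in by_area.get(area, []):
            out = dev.process(headers)
            if out is not None and out not in seen:
                seen.add(out)
                queue.append(out)
    return seen


def confidentiality_violations(states):
    """Goal: in an untrusted area the outermost header is ESP between trusted gateways."""
    bad = []
    for area, headers in states:
        if area in TRUSTED_AREAS:
            continue
        src, dst, proto = headers[0]
        if proto != "esp" or src not in TRUSTED_GATEWAYS or dst not in TRUSTED_GATEWAYS:
            bad.append((area, headers))
    return sorted(bad)


def check(r_alt_route_to_h2):
    """Inject a cleartext h1->h2 datagram in site_A and report goal violations."""
    packet = (("h1", "h2", "plain"),)
    states = reachable_states(build_network(r_alt_route_to_h2), "site_A", packet)
    return confidentiality_violations(states)


if __name__ == "__main__":
    print("R_alt routes h2 back via site_A:", check("site_A"))
    print("R_alt routes h2 to the internet:", check("internet"))
```

With the original routing the checker finds no violation: every state in the internet area carries an SG1-to-SG2 ESP header. After the single route change at R_alt it reports the cleartext packet in the internet area, which is exactly the kind of dependency on routing tables that the quoted text asks the processing model to make explicit. The model is deliberately small (no return traffic, no SA parameters), but the shape is the paper's: enumerate reachable packet states, then check a predicate over them.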