Limitations of IPsec Policy Mechanisms
2005; Springer Science+Business Media; Language: English
DOI: 10.1007/11542322_29
ISSN 1611-3349
Topic(s): Advanced Authentication Protocols Security
Abstract: IPsec, while widely implemented, is rarely used for end-to-end protection of application protocols. Instead, it is mainly used today as an "all or nothing" protection for VPNs. In this paper we discuss the structure and shortcomings of the IPsec security policy mechanisms as partial reasons for this situation. We describe our experiences in using IPsec in a number of situations, including IPv6 control protocols, mobility protocols, network management, and multimedia protocols. We conclude that more often than not, the existing policy mechanisms are inadequate. While IPsec is quite effective in authenticating the peer and establishing assurance about its identity, the lack of attention to authorization questions is a root cause of the existing inadequacies. We also claim that the problems are more fundamental than the lack of suitable APIs and management tools. Finally, we present some potential architectural modifications which could improve the situation, and discuss the practical challenges in achieving these modifications.
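The authentication-versus-authorization point in the abstract can be made concrete with a small model of the policy lookup. The following Python is an added illustration, not code from the paper or its authors: it models a classic Security Policy Database (SPD) whose entries are keyed only on address, protocol and port selectors, next to a hypothetical variant in which a PROTECT entry is bound to an authenticated peer identity. The `allowed_peer` field, the `identity_aware_decision` function, the peer names and the addresses are all assumptions made for the example; the selector format and the "first match wins, default DISCARD" behaviour follow the standard SPD model.

```python
"""Toy model of IPsec policy lookup: selector-only SPD versus a hypothetical
identity-bound SPD. Illustration added here; not code from the paper.
Assumptions: selectors are address/protocol/port tuples as in the classic SPD;
the peer identity is whatever IKE authenticated (a name here); the
'allowed_peer' field and the identity-aware lookup are hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Selector:
    src_net: str
    dst_net: str
    proto: Optional[str] = None   # None = any protocol
    dport: Optional[int] = None   # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


@dataclass(frozen=True)
class SPDEntry:
    sel: Selector
    action: str                         # "PROTECT", "BYPASS" or "DISCARD"
    allowed_peer: Optional[str] = None  # hypothetical: None = any authenticated peer


def classic_decision(spd: List[SPDEntry], p: Packet) -> str:
    """Ordered SPD, first match wins, default DISCARD. The authenticated peer is
    never an input: the SPD only knows addresses, protocols and ports."""
    for e in spd:
        if e.sel.matches(p):
            return e.action
    return "DISCARD"


def identity_aware_decision(spd: List[SPDEntry], p: Packet, peer: str) -> str:
    """Hypothetical variant: a PROTECT entry may be bound to one peer identity.
    A matching packet from any other authenticated peer is discarded rather
    than falling through to a weaker (e.g. BYPASS) entry."""
    for e in spd:
        if e.sel.matches(p):
            if e.action == "PROTECT" and e.allowed_peer not in (None, peer):
                return "DISCARD"
            return e.action
    return "DISCARD"


# Constructed policies for the example.
# 1. A typical "all or nothing" VPN policy: everything from the corporate
#    range to the branch range is protected, everything else bypasses.
VPN_SPD = [
    SPDEntry(Selector("10.0.0.0/8", "192.168.0.0/16"), "PROTECT"),
    SPDEntry(Selector("0.0.0.0/0", "0.0.0.0/0"), "BYPASS"),
]
# 2. Application-level policy: SNMP to the router is protected, and only the
#    management station may send it, whatever address it currently has.
MGMT_SPD = [
    SPDEntry(Selector("0.0.0.0/0", "192.168.1.1/32", "udp", 161),
             "PROTECT", allowed_peer="nms.example.net"),
    SPDEntry(Selector("0.0.0.0/0", "0.0.0.0/0"), "DISCARD"),
]

# Constructed packets: SNMP from the management station at its usual address,
# and the same station after moving to an address outside the VPN selector.
SNMP_FROM_HQ = Packet("10.1.1.5", "192.168.1.1", "udp", 161)
SNMP_FROM_ROAMING = Packet("172.16.5.9", "192.168.1.1", "udp", 161)


def demo() -> dict:
    return {
        # Selector-only SPD: any authenticated peer whose packet matches gets PROTECT.
        "classic, any peer": classic_decision(VPN_SPD, SNMP_FROM_HQ),
        # Same peer, new address: the selector no longer matches and the
        # traffic falls through to BYPASS.
        "classic, roaming nms": classic_decision(VPN_SPD, SNMP_FROM_ROAMING),
        "id-aware, nms": identity_aware_decision(MGMT_SPD, SNMP_FROM_HQ, "nms.example.net"),
        "id-aware, laptop": identity_aware_decision(MGMT_SPD, SNMP_FROM_HQ, "laptop.example.net"),
        "id-aware, roaming nms": identity_aware_decision(MGMT_SPD, SNMP_FROM_ROAMING, "nms.example.net"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24s} -> {v}")
```

The selector-only lookup returns PROTECT for any peer that IKE has authenticated, because the peer's identity is not part of the policy key; the identity-bound variant lets the policy say who may send the protected traffic and keeps working when the peer's address changes. The later RFC 4301 Peer Authorization Database addresses part of this gap by constraining which selectors an authenticated peer may negotiate, but that is a separate mechanism from the model shown here.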