Demystifying The Ipsec Puzzle

Overview

Overview

Now that the Internet has blossomed into the "Information Superhighway" with its traffic and drivers becoming increasingly diverse, security has emerged as a primary concern. This innovative, new book offers you a global, integrated approach to providing Internet Security at the network layer. You get a detailed presentation of the revolutionary IPsec technology used today to create Virtual Private Networks and, in the near future, to protect the infrastructure of the Internet itself.

The book addresses IPsec's major aspects and components to help you evaluate and compare features of different implementations. It gives you a detailed understanding of this cutting-edge technology from the inside, which enables you to more effectively troubleshoot problems with specific products. Based on standards documents, discussion list archives, and practitioners' lore, this one-of-a-kind resource collects all the current knowledge of IPsec and describes it in a literate, clear manner.

Editorial Reviews

Booknews
Written mainly for network administrators, this work details the major facets of Internet Protocol Security (IPsec). After an introduction to TCP/IP, Frankel (National Institute of Standards and Technology) explains such topics as the Authentication Header, the Encapsulating Security Payload, cryptographic algorithms, the Internet Key Exchange (IKE, IPsec's key negotiation protocol), PF_KEY (the protocol that enables IKE to communicate with IPsec), public key infrastructure, the extension of IPsec protection to multicast communications, and some wider-ranging IPsec policy concerns. Annotation c. Book News, Inc., Portland, OR (booknews.com)
Product Details

  • ISBN-13: 9781580530798
  • Publisher: Artech House, Incorporated
  • Publication date: 3/31/2001
  • Series: Computer Security Series
  • Edition number: 2
  • Pages: 296
  • Product dimensions: 6.14 (w) x 9.21 (h) x 0.69 (d)

Meet the Author

Sheila Frankel is a computer scientist at NIST (National Institute of Standards and Technology). She holds a B.A. in Mathematics from Yeshiva University and an M.S. in computer science from New York University. Her current responsibilities include NIST's IPsec and IKE reference implementations, Cerberus and PlutoPlus, and NIST's interactive WWW-based IPsec interoperability tester, IPsec-WIT.

Table of Contents

Preface xvii
1 Introduction 1
1.1 The TCP/IP Protocol Stack 5
1.1.1 IP Packets 7
1.1.2 IP Packetization and Fragmentation 10
1.2 Introducing IPsec 12
1.3 Summary 13
1.4 Further Reading 14
References 14
2 The First Puzzle Piece: The Authentication Header 15
2.1 Protections Provided by AH 15
2.2 Security Associations and the Security Parameters Index 16
2.3 AH Format 19
2.4 AH Location 20
2.5 AH Modes 21
2.6 Nested Headers 22
2.7 Implementing IPsec Header Processing 23
2.8 AH Processing for Outbound Messages 25
2.9 AH Processing for Inbound Messages 30
2.10 Complications 32
2.11 Auditing 35
2.12 Threat Mitigation 37
2.13 Summary 37
2.14 Further Reading 38
References 38
3 The Second Puzzle Piece: The Encapsulating Security Payload 41
3.1 Protections Provided by ESP 41
3.2 Security Associations and the Security Parameters Index 42
3.3 ESP Header Format 43
3.4 ESP Header Location and Modes 45
3.5 Nested and Adjacent Headers 46
3.6 ESP Header Processing for Outbound Messages 48
3.7 ESP Header Processing for Inbound Messages 49
3.8 Complications 52
3.9 Criticisms and Counterclaims 52
3.10 Threat Mitigation 54
3.11 Why Two Security Headers? 55
3.12 Summary 56
3.13 Further Reading 56
References 57
4 The Third Puzzle Piece: The Cryptographic Algorithms 59
4.1 Underlying Principles 60
4.2 Authentication Algorithms 62
4.2.1 The MD5 Algorithm 64
4.2.2 The SHA-1 Algorithm 65
4.2.3 The HMAC Algorithm 66
4.2.4 Other Authentication Algorithms 68
4.3 The ESP Header Encryption Algorithms 68
4.3.1 The DES Algorithm 70
4.3.2 The Triple DES Algorithm 72
4.3.3 Other Encryption Algorithms 76
4.3.4 The AES Algorithm 77
4.4 Complications 78
4.5 Public Key Cryptography 79
4.5.1 Digital Signatures 80
4.5.2 Other Public Key Operations 80
4.5.3 The Diffie-Hellman Exchange 80
4.6 Conclusion 82
4.7 Further Reading 82
References 83
5 The Fourth Puzzle Piece: The Internet Key Exchange (IKE) 87
5.1 The IKE Two-Step Dance 87
5.2 Payloads and Exchanges 88
5.3 Authentication Methods 88
5.4 Proposals and Counterproposals 90
5.5 Cookies 94
5.6 The Security Association Payload 95
5.7 The Proposal Payload 95
5.8 The Message ID 96
5.9 Nonces 96
5.10 Identities and Identity Protection 97
5.11 Certificates and Certificate Requests 98
5.12 Keys and Diffie-Hellman Exchanges 99
5.13 Notifications 100
5.14 Lifetimes 101
5.15 Vendor IDs 101
5.16 The Phase 1 Negotiation 101
5.16.1 Main Mode 102
5.16.2 Aggressive Mode 108
5.16.3 Base Mode 110
5.17 The Phase 2 Negotiation 112
5.17.1 Quick Mode 113
5.17.2 The Commit Bit 116
5.18 New Group Mode 117
5.19 Informational Exchanges 118
5.20 The ISAKMP Header 119
5.21 The Generic Payload Header 120
5.22 The IKE State Machine 121
5.23 The Origins of IKE 122
5.24 An Example 122
5.25 Criticisms and Counterclaims 123
5.26 Threat Mitigation 125
5.27 Summary 125
5.28 Further Reading 126
References 127
6 The Fifth Puzzle Piece: IKE and the Road Warrior 129
6.1 Legacy Authentication Methods 132
6.2 ISAKMP Configuration Method 134
6.3 Extended Authentication 139
6.4 Hybrid Authentication 140
6.5 Challenge-Response for Authenticated Cryptographic Keys 142
6.6 User-Level Authentication 145
6.7 Credential-Based Approaches 145
6.8 Complications 150
6.9 Threat Mitigation 151
6.10 Summary 151
6.11 Further Reading 151
References 152
7 The Sixth Puzzle Piece: IKE Frills and Add-Ons 153
7.1 Renegotiation 154
7.2 Heartbeats 157
7.3 Initial Contact 162
7.4 Dangling SAs 163
7.5 Summary 164
7.6 Further Reading 164
References 164
8 The Glue: PF_KEY 165
8.1 The PF_KEY Messages 166
8.2 A Sample PF_KEY Exchange 171
8.3 Composition of PF_KEY Messages 173
8.4 Complications 177
8.5 Summary 177
8.6 Further Reading 177
Reference 177
9 The Missing Puzzle Piece: Policy Setting and Enforcement 179
9.1 The Security Policy Database 180
9.2 The Policy Problem 187
9.2.1 Policy Configuration 187
9.2.2 Policy Servers 188
9.2.3 Gateway Discovery 188
9.2.4 Policy Discovery 189
9.2.5 Policy Exchange 190
9.2.6 Policy Resolution 191
9.2.7 Policy Decorrelation 191
9.2.8 Policy Compliance Checking 193
9.3 Revisiting the Road Warrior 193
9.4 IPsec Policy Solutions 194
9.4.1 The IPsec Configuration Policy Model 195
9.4.2 The IPsec Policy Information Base 196
9.4.3 The Security Policy Protocol 196
9.4.4 The Security Policy Specification Language 200
9.4.5 The KeyNote Trust Management System 201
9.4.6 An Overall Plan 203
9.5 Summary 204
9.6 Further Reading 204
References 204
10 The Framework: Public Key Infrastructure (PKI) 207
10.1 PKI Functional Components 208
10.2 The PKI World View 210
10.3 The Life Cycle of a Certificate 211
10.4 PKI Protocol-Related Components 212
10.5 Certificates and CRLs 215
10.6 Certificate Formats 216
10.7 Certificate Contents 218
10.8 IKE and IPsec Considerations 222
10.9 Summary 225
10.10 Further Reading 225
References 226
11 The Unsolved Puzzle: Secure IP Multicast 229
11.1 Some Examples 230
11.2 Multicast Logistics 231
11.3 Functional Requirements 232
11.4 Security Requirements 233
11.4.1 Key Management 234
11.4.2 Secrecy 236
11.4.3 Data Integrity 236
11.4.4 Source Authentication 236
11.4.5 Order of Cryptographic Operations 237
11.4.6 Membership Management 237
11.4.7 Access-Related Issues 238
11.4.8 Policy Determination 238
11.4.9 Anonymity 238
11.4.10 Nonrepudiation 239
11.4.11 Service Availability 239
11.4.12 Firewall Traversal 239
11.4.13 Piracy 239
11.5 Whither IP Multicast Security? 239
11.6 Summary 240
11.7 Further Reading 240
References 241
12 The Whole Puzzle: Is IPsec the Correct Solution? 243
12.1 Advantages of IPsec 244
12.2 Disadvantages of IPsec 245
12.3 Alternatives to IPsec 245
12.3.1 Transport Layer Security Protocol 245
12.3.2 Layer 2 Tunneling Protocol 245
12.3.3 Point-to-Point Tunneling Protocol 247
12.4 IPsec Today 247
12.5 The Future of IPsec 247
12.6 Summary 249
12.7 Further Reading 249
References 249
List of Acronyms and Abbreviations 251
About the Author 261
Index 263