Demystifying The Ipsec Puzzle

Add to Wishlist

Demystifying The Ipsec Puzzle

Hardcover

$105.00

Hardcover
$105.00

SHIP THIS ITEM

In stock. Ships in 1-2 days.
PICK UP IN STORE

Your local store may have stock of this item.

Available within 2 business hours

Want it Today?
Check Store Availability

Related collections and offers

Overview

Now that the Internet has blossomed into the Information Superhighway with its traffic and drivers becoming increasingly diverse, security has emerged as a primary concern. This book offers the reader a global, integrated approach to providing internet security at the network layer. The author gives a detailed presentation of the revolutionary IPsec technology used today to create Virtual Private Networks and, in the near future, to protect the infrastructure of the Internet itself.

Product Details

ISBN-13:	9781580530798
Publisher:	Artech House, Incorporated
Publication date:	03/31/2001
Series:	Computer Security Series
Pages:	296
Product dimensions:	6.14(w) x 9.21(h) x 0.69(d)

About the Author

Sheila Frankel is a computer scientist at NIST (National Institute of Standards and Technology). She holds a B.A. in Mathematics from Yeshiva University and a M.S. in computer science from New York University. Her current responsibilities include NIST's IPsec and IKE reference implementations, Cerberus and PlutoPlus; and NIST's interactive WWW-based IPsec interoperability tester, IPsec-WIT.

	Preface	xvii
1	Introduction	1
1.1	The TCP/IP Protocol Stack	5
1.1.1	IP Packets	7
1.1.2	IP Packetization and Fragmentation	10
1.2	Introducing IPsec	12
1.3	Summary	13
1.4	Further Reading	14
	References	14
2	The First Puzzle Piece: The Authentication Header	15
2.1	Protections Provided by AH	15
2.2	Security Associations and the Security Parameters Index	16
2.3	AH Format	19
2.4	AH Location	20
2.5	AH Modes	21
2.6	Nested Headers	22
2.7	Implementing IPsec Header Processing	23
2.8	AH Processing for Outbound Messages	25
2.9	AH Processing for Inbound Messages	30
2.10	Complications	32
2.11	Auditing	35
2.12	Threat Mitigation	37
2.13	Summary	37
2.14	Further Reading	38
	References	38
3	The Second Puzzle Piece: The Encapsulating Security Payload	41
3.1	Protections Provided by ESP	41
3.2	Security Associations and the Security Parameters Index	42
3.3	ESP Header Format	43
3.4	ESP Header Location and Modes	45
3.5	Nested and Adjacent Headers	46
3.6	ESP Header Processing for Outbound Messages	48
3.7	ESP Header Processing for Inbound Messages	49
3.8	Complications	52
3.9	Criticisms and Counterclaims	52
3.10	Threat Mitigation	54
3.11	Why Two Security Headers?	55
3.12	Summary	56
3.13	Further Reading	56
	References	57
4	The Third Puzzle Piece: The Cryptographic Algorithms	59
4.1	Underlying Principles	60
4.2	Authentication Algorithms	62
4.2.1	The MD5 Algorithm	64
4.2.2	The SHA-1 Algorithm	65
4.2.3	The HMAC Algorithm	66
4.2.4	Other Authentication Algorithms	68
4.3	The ESP Header Encryption Algorithms	68
4.3.1	The DES Algorithm	70
4.3.2	The Triple DES Algorithm	72
4.3.3	Other Encryption Algorithms	76
4.3.4	The AES Algorithm	77
4.4	Complications	78
4.5	Public Key Cryptography	79
4.5.1	Digital Signatures	80
4.5.2	Other Public Key Operations	80
4.5.3	The Diffie-Hellman Exchange	80
4.6	Conclusion	82
4.7	Further Reading	82
	References	83
5	The Fourth Puzzle Piece: The Internet Key Exchange (IKE)	87
5.1	The IKE Two-Step Dance	87
5.2	Payloads and Exchanges	88
5.3	Authentication Methods	88
5.4	Proposals and Counterproposals	90
5.5	Cookies	94
5.6	The Security Association Payload	95
5.7	The Proposal Payload	95
5.8	The Message ID	96
5.9	Nonces	96
5.10	Identities and Identity Protection	97
5.11	Certificates and Certificate Requests	98
5.12	Keys and Diffie-Hellman Exchanges	99
5.13	Notifications	100
5.14	Lifetimes	101
5.15	Vendor IDs	101
5.16	The Phase 1 Negotiation	101
5.16.1	Main Mode	102
5.16.2	Aggressive Mode	108
5.16.3	Base Mode	110
5.17	The Phase 2 Negotiation	112
5.17.1	Quick Mode	113
5.17.2	The Commit Bit	116
5.18	New Group Mode	117
5.19	Informational Exchanges	118
5.20	The ISAKMP Header	119
5.21	The Generic Payload Header	120
5.22	The IKE State Machine	121
5.23	The Origins of IKE	122
5.24	An Example	122
5.25	Criticisms and Counterclaims	123
5.26	Threat Mitigation	125
5.27	Summary	125
5.28	Further Reading	126
	References	127
6	The Fifth Puzzle Piece: IKE and the Road Warrior	129
6.1	Legacy Authentication Methods	132
6.2	ISAKMP Configuration Method	134
6.3	Extended Authentication	139
6.4	Hybrid Authentication	140
6.5	Challenge-Response for Authenticated Cryptographic Keys	142
6.6	User-Level Authentication	145
6.7	Credential-Based Approaches	145
6.8	Complications	150
6.9	Threat Mitigation	151
6.10	Summary	151
6.11	Further Reading	151
	References	152
7	The Sixth Puzzle Piece: IKE Frills and Add-Ons	153
7.1	Renegotiation	154
7.2	Heartbeats	157
7.3	Initial Contact	162
7.4	Dangling SAs	163
7.5	Summary	164
7.6	Further Reading	164
	References	164
8	The Glue: PF_KEY	165
8.1	The PF_KEY Messages	166
8.2	A Sample PF_KEY Exchange	171
8.3	Composition of PF_KEY Messages	173
8.4	Complications	177
8.5	Summary	177
8.6	Further Reading	177
	Reference	177
9	The Missing Puzzle Piece: Policy Setting and Enforcement	179
9.1	The Security Policy Database	180
9.2	The Policy Problem	187
9.2.1	Policy Configuration	187
9.2.2	Policy Servers	188
9.2.3	Gateway Discovery	188
9.2.4	Policy Discovery	189
9.2.5	Policy Exchange	190
9.2.6	Policy Resolution	191
9.2.7	Policy Decorrelation	191
9.2.8	Policy Compliance Checking	193
9.3	Revisiting the Road Warrior	193
9.4	IPsec Policy Solutions	194
9.4.1	The IPsec Configuration Policy Model	195
9.4.2	The IPsec Policy Information Base	196
9.4.3	The Security Policy Protocol	196
9.4.4	The Security Policy Specification Language	200
9.4.5	The KeyNote Trust Management System	201
9.4.6	An Overall Plan	203
9.5	Summary	204
9.6	Further Reading	204
	References	204
10	The Framework: Public Key Infrastructure (PKI)	207
10.1	PKI Functional Components	208
10.2	The PKI World View	210
10.3	The Life Cycle of a Certificate	211
10.4	PKI Protocol-Related Components	212
10.5	Certificates and CRLs	215
10.6	Certificate Formats	216
10.7	Certificate Contents	218
10.8	IKE and IPsec Considerations	222
10.9	Summary	225
10.10	Further Reading	225
	References	226
11	The Unsolved Puzzle: Secure IP Multicast	229
11.1	Some Examples	230
11.2	Multicast Logistics	231
11.3	Functional Requirements	232
11.4	Security Requirements	233
11.4.1	Key Management	234
11.4.2	Secrecy	236
11.4.3	Data Integrity	236
11.4.4	Source Authentication	236
11.4.5	Order of Cryptographic Operations	237
11.4.6	Membership Management	237
11.4.7	Access-Related Issues	238
11.4.8	Policy Determination	238
11.4.9	Anonymity	238
11.4.10	Nonrepudiation	239
11.4.11	Service Availability	239
11.4.12	Firewall Traversal	239
11.4.13	Piracy	239
11.5	Whither IP Multicast Security?	239
11.6	Summary	240
11.7	Further Reading	240
	References	241
12	The Whole Puzzle: Is IPsec the Correct Solution?	243
12.1	Advantages of IPsec	244
12.2	Disadvantages of IPsec	245
12.3	Alternatives to IPsec	245
12.3.1	Transport Layer Security Protocol	245
12.3.2	Layer 2 Tunneling Protocol	245
12.3.3	Point-to-Point Tunneling Protocol	247
12.4	IPsec Today	247
12.5	The Future of IPsec	247
12.6	Summary	249
12.7	Further Reading	249
	References	249
	List of Acronyms and Abbreviations	251
	About the Author	261
	Index	263

From the B&N Reads Blog

Page 1 of

Demystifying The Ipsec Puzzle

Demystifying The Ipsec Puzzle

Hardcover

Hardcover

Related collections and offers

Overview

Product Details

About the Author

Table of Contents

Customer Reviews

Related collections and offers

Overview

Product Details

About the Author

Table of Contents

Related Subjects

Customer Reviews