Now that the Internet has blossomed into the Information Superhighway with its traffic and drivers becoming increasingly diverse, security has emerged as a primary concern. This innovative, new book offers you a global, integrated approach to providing Internet Security at the network layer. You get a detailed presentation of the revolutionary IPsec technology used today to create Virtual Private Networks and, in the near future, to protect the infrastructure of the Internet itself. The book addresses IPsec's major aspects and components to help you evaluate and compare features of different implementations. It gives you a detailed understanding of this cutting-edge technology from the inside, which enables you to more effectively troubleshoot problems with specific products. Based on standards documents, discussion list archives, and practitioners' lore, this one-of-a-kind resource collects all the current knowledge of IPsec and describes it in a literate, clear manner.
Preface.; Introduction. - The TCP/IP Protocol Stack. Introducing IPsec. Summary. Further Reading.; The First Puzzle Piece: The Authentication Header - Protection Provided by AH. Security Associations and the Security Parameters Index. AH Format. AH Location. AH Modes. Nested Headers. Implementing IPsec Header Processing. AH Processing for Outbound Messages. AH Processing for Inbound Messages. Complications. Auditing. Threat Mitigation. Summary. Further Reading.; The Second Puzzle Piece: The Encapsulating Security Payload - Protections Provided by ESP. Security Associations and the Security Parameters Index. ESP Header Format. ESP Header Location and Modes. Nested and Adjacent Headers. ESP Header Processing for Outbound Messages. ESP Header for Inbound Messages. Complications Criticisms and Counterclaims.Threat Mitigation. Why Two Security Headers? Summary. Further Reading.; The Third Puzzle Piece: The Cryptographic Algorithms - Underlying Principles. Authentication Algorithms. The ESP Header Encryption Algorithms. Complications. Public Key Cryptography. Conclusion. Further Reading.; The Fourth Puzzle Piece: The Internet Key Exchange (IKE) - The IKE Two-Step Dance. Payloads and Exchanges. Authentication Methods. Proposals and Counterproposals. Cookies. The Security Association Payload. The Proposal Payload. The Message ID. Nonces. Identities and Identity Protection. Certificates and Certificate Requests.Keys and Diffie-Hellman Exchanges. Notifications. Lifetimes. Vendor IDs. The Phase 1 Negotiation. The Phase 2 Negotiation. New Group Mode. Informational Exchanges. The ISAKMP Header. The Generic Payload Header. The IKE State Machine. The Origins of IDE. An Example. Criticisms and Counterclaims. Threat Mitigation. Summary. Further Reading.; The Fifth Puzzle Piece: IKE and the Road Warrior - Legacy Authentication Methods. ISAKMP Configuration Method. Extended Authentication. Hybrid Authentication. Challenge-Response for Authenticated Cryptographic Keys. User-Level Authentication. Credential-Based Approaches. Complications. Threat Mitigation. Summary. Further Reading.; The Sixth Puzzle Piece: IKE Frills and Add-Ons - Renegotiation. Heartbeats. Initial Contact. Dangling SAs. Summary. Further Reading.; The Glue: PF_Key -The PF_Key Messages. A Sample PF_Key Exchange. Composition of PF Key Messages. Complications. Summary. Further Reading.; The Missing Puzzle Piece: Policy Setting and Enforcement - The Security Policy Database. The Policy Problem. Revisiting the Road Warrior. IPsec Policy Solutions. Summary. Further Reading.; The Framework: Public Key Infrastructure (PKI) - PKI Functional Components. The PKI World View. The Life Cycle of a Certificate. PKI Protocol-Related Components. Certificates and CRTs. Certificate Formats. Certificate Contents. IKE and Ipsec Considerations. Summary Further Reading.; The Unsolved Puzzle: Secure IP Multicast - Some Examples. Multicast Logistics. Functional Requirements. Security Management. Whither IP Multicast Security? Summary. Further Reading.; The Whole Puzzle: Is IPsec the Correct Solution? - Advantages of IPsec. Disadvantages of IPsec. Alternatives to IPsec. IPsec Today. The Future of IPsec. Summary. Further Reading.; List of Acronyms and Abbreviations.
-
Sheila Frankel
Sheila Frankel is a computer scientist at NIST (National Institute of Standards and Technology). She holds a B.A. in Mathematics from Yeshiva University and a M.S. in computer science from New York University.