14.6 IMPLEMENTATIONS

In general, there are three ways to implement the IPsec architecture (with or without key management) and to place the implementation in a host or security gateway:

  • The simplest and most straightforward possibility is to integrate the IPsec protocols into a native IP implementation. This is applicable to both hosts and security gateways, but requires access to the source code of the IP implementation.

  • Another possibility is provided by so-called "bump-in-the-stack" (BITS) implementations. In these implementations, IPsec is implemented underneath an existing IP stack, between the native IP implementation and the local network drivers. Source code access for the IP stack is not required in this case, making it appropriate for use with legacy systems. This approach, when it is adopted, is usually employed with hosts.

  • A somewhat related possibility is provided by so-called "bump-in-the-wire" (BITW) implementations. As with BITS implementations, source code access for the IP stack is not required. Unlike BITS implementations, however, BITW implementations typically rely on additional hardware in the form of outboard cryptographic processors. This is a common design feature of network security systems used by the military, and of some commercial systems as well. BITW implementations may be designed to serve both hosts and security gateways.

As of this writing, most IPsec implementations are either BITS or BITW. For example, PGPnet is a BITS implementation, whereas most firewall products that support IPsec for virtual private networking are BITW implementations. The dominance of BITS and BITW implementations is expected to change in the future, because more vendors of networking software have integrated or are about to integrate the IPsec protocols into their products. For example, Windows 2000 ships with IPsec support, and more recent releases of Cisco IOS also support the IPsec protocols.
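As an added illustration (not code from the book), the following Python sketch shows where a BITS implementation does its work: the unmodified IP stack hands down a finished IPv4 packet, and the shim beneath it consults an SPD, applies transport-mode ESP, and on the inbound side rejects replays and bad integrity check values before handing the restored packet back up. To stay standard-library only it uses NULL encryption (RFC 2410) with an HMAC-SHA256-128 ICV (RFC 4868); the SA, SPD, key and packets are all constructed for the demo.

```python
import hashlib, hmac, ipaddress, struct

ESP = 50                        # IP protocol number carried in the outer header
KEY = b"constructed-demo-key"   # constructed; a real SA key would come from IKE
# Constructed SAD entry and SPD: traffic to 10.0.0.0/8 is protected, the rest bypassed.
SA = {"spi": 0x1000, "key": KEY, "seq": 0, "seen": set()}
SPD = [(ipaddress.ip_network("10.0.0.0/8"), "protect"),
       (ipaddress.ip_network("0.0.0.0/0"), "bypass")]

def ipv4(src, dst, proto, payload):
    """Constructed IPv4 packet as the native IP stack would hand it down (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload

def esp_protect(pkt, sa):
    """Transport-mode ESP: NULL encryption, 4-byte aligned trailer, truncated HMAC ICV."""
    hdr, payload = pkt[:20], pkt[20:]
    sa["seq"] += 1
    padlen = (-(len(payload) + 2)) % 4                       # trailer ends on a 4-byte boundary
    trailer = bytes(range(1, padlen + 1)) + bytes([padlen, hdr[9]])  # pad, pad len, next header
    esp = struct.pack("!II", sa["spi"], sa["seq"]) + payload + trailer
    icv = hmac.new(sa["key"], esp, hashlib.sha256).digest()[:16]
    new = bytearray(hdr); new[9] = ESP                        # outer header now says "ESP"
    struct.pack_into("!H", new, 2, 20 + len(esp) + 16)
    return bytes(new) + esp + icv

def esp_unprotect(pkt, sa):
    """Inbound shim: match the SA, reject replays, verify the ICV, restore the inner packet."""
    hdr, esp, icv = pkt[:20], pkt[20:-16], pkt[-16:]
    spi, seq = struct.unpack("!II", esp[:8])
    if hdr[9] != ESP or spi != sa["spi"]:
        raise ValueError("no matching SA")
    if seq in sa["seen"]:
        raise ValueError("replayed sequence number")
    expected = hmac.new(sa["key"], esp, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch")
    sa["seen"].add(seq)                                       # update replay state only after a good ICV
    padlen, next_hdr = esp[-2], esp[-1]
    payload = esp[8:len(esp) - 2 - padlen]
    new = bytearray(hdr); new[9] = next_hdr
    struct.pack_into("!H", new, 2, 20 + len(payload))
    return bytes(new) + payload

def bits_outbound(pkt, spd=SPD, sa=SA):
    """Outbound shim between IP and the driver: the first matching SPD entry decides."""
    dst = ipaddress.ip_address(pkt[16:20])
    for net, action in spd:
        if dst in net:
            return esp_protect(pkt, sa) if action == "protect" else (pkt if action == "bypass" else None)
    return None                                               # no policy at all: discard
```

Note that the application that produced the packet never changes; only the protocol number and length of the IP header it emitted are rewritten by the shim.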



14.7 CONCLUSIONS

The IP security architecture as discussed in this chapter is not an overall security architecture for the Internet. It addresses security only at the Internet layer, provided through the use of a suite of security protocols (i.e., the IPsec protocols and the IKE protocol) and a corresponding API (i.e., the PF_KEY key management API version 2 as specified in [37]). Related topics, such as securing the routing infrastructure, the DNS, and network management, are further addressed in [12]. Moreover, the current status of the IP security architecture does not even address all aspects of Internet layer security. Topics for further study include the use of Internet layer security protocols in conjunction with NAT, more complete support for IP multicast, and issues related to interoperability and benchmark testing. Note that the evolving nature of the IP architecture and the corresponding suite of security protocols makes true interoperability hard to achieve.

There are advantages and disadvantages related to security protocols that operate at the Internet layer in general, and the IPsec protocols in particular:

  • The main advantage is that applications need not be changed to use the IPsec protocols. Another advantage is that providing security at the Internet layer works for both TCP- and UDP-based applications. This is advantageous because a steadily increasing number of applications are based on UDP, which is hard to secure at the transport layer (we will further address this point in Chapter 15).

  • The main disadvantage is that IP stacks must either be changed or extended. Because of the inherent complexity of the IKE protocol, the changes or extensions are not at all trivial. In the long term, high-speed networking may also pose a performance problem. As of this writing, it is not clear whether the encryption rates and key agility properties of IPsec implementations will meet the performance requirements of future high-speed networks.

Because of the disadvantages of providing security at the Internet layer, some alternative approaches have appeared in the past (as discussed in the other sections of this chapter). The current trend in industry suggests that the IPsec protocols will primarily be used for virtual private networking and for connecting mobile users to corporate intranets. As mentioned in Chapter 13, the combination of L2TP and IPsec is a particularly interesting technology for virtual private networking today.
