NATO workshop on Advanced Security Technologies in Networking (Portoroz, May 29 - June 2, 2000) 1 IP security Madalina Baltatu Antonio Lioy Dip. Automatica e Informatica Politecnico di Torino Torino, Italy Abstract—This paper presents the network level security services currently available for the Internet infrastructure. Since IPsec is likely to become the largely accepted standard as far as IP level security is concerned, the paper describes the IPsec architecture including its defined security formats and the related key management procedures. Finally, com- mon IPsec applications are presented and the future direc- tions are outlined. Keywords— network level security, authentication, in- tegrity, confidentiality, anti-replay I. INTRODUCTION TCP/IP networks are plagued with security problems because they have been designed to work in a friendly environment, with physically secure connections. When these assumptions are no more valid - as it is nowadays - the many security weaknesses of TCP/IP become manifest and can be easily exploited. In general, IP communications are exposed to several types of attack: • packet sniffing: due to network topology, IP packets sent from a source to a specific destination can also be read by other nodes that can then get hold of the payload, which may contain passwords or other private information; • IP spoofing: IP addresses can be very easily spoofed both to attack those services whose authentication is based on the sender’s address (as the rlogin service or several WWW servers) and to supply wrong information to sub- vert the logical organization of the network (for example, by forging false ICMP messages of the type ”destination unreachable” or ”redirect”); • connection hijacking: whole IP packets can be forged to appear as legal packets coming from one of the two com- municating parties, the goal of the attack being to insert wrong data in an existing channel. Effective solutions to these and other attacks are not al- ways available. When countermeasures do exist, they are usually placed at the application level. As a consequence, solutions are not always interoperable. Moreover, several functions are duplicated inside different applications. The IP Security architecture (IPsec) [1] defines basic se- curity mechanisms at the network level, so that they can be available to all the layered applications. The security tech- niques adopted in IPsec have been designed to be easily inserted in both IPv4 and IPv6, as detailed in [1]. Somebody can question if it is right to locate the secu- rity functions at the network level. Quite obviously there is not a definitive answer, because in general the security of a system is not based on a single element, rather it is the result of a combination of several ones. The IP level is surely the right one to block many low-level attacks, as those mentioned at the beginning of this section, that ac- count for a large percentage of all the network attacks due to their simple implementation. On the other hand, IPsec is not a complete solution when the applications to be pro- tected are user-oriented (as in the case of electronic mail) rather than network-oriented. II. IPSEC FEATURES IPsec security services are offered by means of two ded- icated extension headers, the Authentication Header (AH) [2] and the Encapsulating Security Payload (ESP) [3], and through the use of cryptographic key management proce- dures and protocols. The AH header was designed to ensure authenticity and integrity of the IP packet. It also provides an optional anti- replay service. Its presence guards against illegal modifi- cation of the IP fixed fields, packet spoofing and, option- ally, against replayed packets. On the other hand, the ESP header provides data encapsulation with encryption to en- sure that only the destination node can read the payload conveyed by the IP packet. ESP may also provide packet integrity and authenticity, and an anti-reply service. The two headers can be used separately or they can be com- bined to provide the desired security features for IP traffic. Each header can be used in one of the two defined modalities: transport mode and tunnel mode. While in transport mode the security headers provide protection pri- marily for upper layer protocols, in tunnel mode the head- ers are applied to tunneled IP packets, thus providing pro- tection to all fields of the original IP header. Both AH and ESP exploit the concept of ”security asso- ciation” (SA) to agree upon the security algorithms, trans- forms and parameters shared by the sender and the receiver of a protected traffic flow. Each IP node manages a set of NATO workshop on Advanced Security Technologies in Networking (Portoroz, May 29 - June 2, 2000) 2 TRANSPORT-MODE AH IP header (end-to-end) AH TCP/UDP header + data TUNNEL-MODE AH IP header (tunnel) AH IP header (end-to-end) TCP/UDP header + data Figure 1. Examples of use of the AH header. SAs, at least one SA for each secure communication. The SAs currently active are stored inside a database, known as the Security Association Database (SAD). An entry in the SAD (i.e., a security association) is uniquely identified by a triple consisting of a Security Parameter Index (SPI), an IP Destination Address, and a security protocol (AH or ESP) identifier. The Security Parameter Index (SPI) is transmitted inside both the AH and ESP headers, since it used to choose the right SA to be applied for decrypting and/or authenticating the packet. In unicast transmissions, the SPI is normally chosen by the destination node and sent back to the sender when the communication is set up. In multicast transmissions, the SPI must be common to all the members of the multicast group. Each node must be able to correctly identify the right SA by combining the SPI with the multicast address. The negotiation of a SA (and the related SPI) is an integral part of the protocol for the exchange of security keys. Specific security requirements are defined at each node usually by means of an ordered list of admission rules (or policies), which form the node’s Security Policy Database (SPD) [1]. The protection provided to each incom- ing/outgoing traffic flow is verified/decided by consulting the SPD. In general, packets are selected for one of three processing modes based on IP and transport layer header information matched against entries in SPD. Each packet is either afforded IPsec security services, discarded, or al- lowed to bypass IPsec, based on the applicable policies found in the database. A. Authentication The IP Authentication Header [2] is identified by the value 51 in the Protocol field of the IP header. Normally, it is inserted between the IP header and the upper level payload, as shown in Figure 1. The format of the AH header (depicted in Figure 2) is very simple as it is composed of a 96-bit fixed part fol- lowed by a variable number of 32-bit blocks. The fixed part contains: • the value of the next type of payload (8 bits); Next Header Length reserved Security Parameters Index (SPI) Sequence Number Integrity Check Value (ICV) Figure 2. Structure of the AH header. • the Payload Length, which is the total length of the au- thentication data expressed as a multiple of 32-bit words (8 bits); • a reserved field (16 bits); • the SPI used by this header (32 bits); • the sequence number for this header, contains a mono- tonically increasing counter value (32 bits). The variable part of the AH header is composed of a variable number of 32-bit blocks, containing the actual au- thentication data. Since the Payload Length is expressed as an 8-bit number, a maximum of 255 32-bit blocks can be used, that is 1020 bytes. As a consequence, the exact length of this header depends on the authentication algo- rithm selected. The source node of a particular AH SA computes the authentication data (ICV) over: • all the IP header fields that are either immutable in transit or predictable in value upon arrival at the other end-point of the SA; • the AH header: Next Header, Payload Length, Re- served, SPI, Sequence Number, and the Authentication Data (which is set to zero for this computation); • the upper level protocol data, which is assumed to be immutable in transit. When the destination node receives a packet with an AH header, the packet’s authenticity and integrity can be checked by using the procedure detailed in Figure 3. As a preliminary step, care should be taken in normalizing the received packet, to eliminate all the variable parts and cor- rectly compute the authentication value only on the fixed ones. B. Authentication techniques Data integrity in telecommunication systems is nor- mally ensured by computing and checking the value of a suitable cryptographic function of the data, often called Message Digest (MD). Among the most frequently used algorithms are CRC-16 and CRC-32 (see [4]). These func- tions effectively perform their task when data modifica- tions are due to random errors, but they are completely inadequate to protect the packets against deliberate modifi- NATO workshop on Advanced Security Technologies in Networking (Portoroz, May 29 - June 2, 2000) 3 Figure 3. Procedure to verify the authenticity of a packet protected by the AH header. cations. In this case, a reasonable degree of protection can be ensured only by better digest algorithms, such as MD5 [5] or SHA [6]. It is important to note that data integrity without origin authentication is completely useless. There- fore, digest algorithms are normally applied in a way to in- clude some parameters useful to simultaneously provide a proof of the sender’s identity. Quite often this is achieved by using public-key encryption algorithms. Unfortunately, they are computationally much heavier than digest algo- rithms. Since speed is a premium in computer networks, the default authentication techniques chosen for IPsec are keyed authentication algorithms. They are based on the use of the HMAC authentication algorithm in conjunction with the hash function corresponding to a message digest algorithm, such as MD5 or SHA-1. HMAC [7] is a mecha- nism for message authentication which uses cryptographic hash functions. Any iterative cryptographic hash function can be used in combination with a shared secret key. It is important to mention that the cryptographic strength of HMAC depends on the properties of the underlying hash function. The SHA [6] message digest algorithm exhibits better security properties than MD5 because it produces a 160-bit digest rather than a 128-bit one. For use with ei- ther AH or ESP, a truncated value using the first 96 bits is supplied. HMAC-MD5-96 [8] and HMAC-SHA-1-96 [9] must be supported by all IPsec-compliant implementa- tions. C. Encapsulating Security Payload The Encapsulating Security Payload [3] is identified by the value 52 in the Protocol field of the IP header. When used, this block must always be the last header because it completely hides both the upper level payload and all the next headers (see Figure 4). The ESP header itself is only partly in clear (see Fig- ure 5): it consists of an integer number of 32-bit blocks, with the first one containing the SPI to select the SA to be NATO workshop on Advanced Security Technologies in Networking (Portoroz, May 29 - June 2, 2000) 4 TRANSPORT-MODE ESP IP header (end-to-end) ESP header TCP/UDP header + data ESP trailer . . . . . . . .encrypted portion . . . . . . . . . TUNNEL-MODE ESP IP header (end-to-end) ESP header IP header (tunnel) TCP/UDP header + data ESP trailer . . . . . . . . . . . . encrypted portion . . . . . . . . . . . . . . . . . . . Figure 4. Examples of the use of ESP. used in decrypting all other blocks in the packet, and the second one containing the sequence number. The exact format of the encrypted part depends upon the encryption algorithm used. The default encryption tech- nique is DES-CBC [10], that is the DES algorithm applied in CBC (Cipher Block Chaining) mode. DES is a private key encryption algorithm which is normally applied to 64- bit data blocks with a 56-bit key (extended to 64 bits by adding one parity bit for each 7 bits of the key). Various techniques have been proposed to apply the DES trans- formation to blocks bigger than 64 bits. The CBC mode divides the data stream into a sequence of 64-bit blocks and each block is EX-ORed with the result of the previous encryption before being encrypted itself. Let E(d,k) be the encryption operation applied to the data block d with key k; then the CBC mode may be described by the following transform to generate the i-th encrypted block: c i = E(d i ⊕ c i−1 , k) Obviously, the encryption of the first data block d 1 requires an initial value c 0 commonly called Initialization Vector (IV). The initialization vector must not be null and must be carefully chosen to insert a random factor in the encryp- tion process. This is needed to avoid those cryptographic attacks based on partial knowledge of the data being en- crypted, such as the known-plaintext attacks that can be led against the fixed header of some common files (e.g., the data files of various office automation tools). Normally the IV value is either a 64-bit number generated by a pseudo- Security Parameters Index (SPI) Sequence Number encrypted data . Figure 5. Structure of ESP. random number generator, or it is a 32-bit number gener- ated in a similar way which is then extended to 64 bits by concatenating it to its complement. In the DES-CBC mode, the encrypted portion of the ESP header (Figure 6) begins with an initialization vec- tor composed of an integer number of 32-bit words. The IV is followed by the encrypted payload which is padded with blocks to ensure that the total dimension of the ESP header be a multiple of 64 bits. The byte before the last one in the ESP header contains the padding length (ex- pressed in bytes) while the last byte contains the payload type. The minimum length of the padding varies between 0 and 7 bytes, but it is legal to use a longer padding (up to 255 bytes) to hide the real length of the encrypted data. The DES-CBC algorithm must be supported by all IPsec standard implementations. Since the DES algorithm can be regarded at best as a moderately difficult algorithm to be broken, it is very likely that in the near future other algo- rithms be standardized for use in IPsec. For example, the 3DES-CBC algorithm was proposed in [11] and is already provided in many IPsec distributions. This technique is based on the repeated application of the DES transforma- tion to the same data block with three different keys, and it is cryptographically stronger than plain DES because it is equivalent to an encryption algorithm which uses a 112-bit key (rather than the 56-bit key used by DES). The authen- tication data (see Figure 6) included in the ESP payload is a variable-length field containing an ICV computed over the ESP packet minus the authentication data field itself. The length of the field is specified by the authentication function selected. This field is optional, and is included only if the authentication service has been selected for the ESP SA in question. III. KEY MANAGEMENT Correct application of both AH and ESP requires that all the communicating parties agree on a common key to be used in computing and checking the security head- NATO workshop on Advanced Security Technologies in Networking (Portoroz, May 29 - June 2, 2000) 5 Security Parameters Index (SPI) Sequence Number Initialization Vector (IV) Payload Padding Padding Length Payload Type Integrity Check Value (ICV) Figure 6. Structure of ESP with DES-CBC. ers. IPsec allows for key management to occur either out- of-band or with specifically crafted protocols. There are several groups within the Internet community which have proposed different key management mechanisms, all of them stressing different requirements, such as: fast key ex- change, strong authentication, lightweight protocols, and others. Even if no general agreement has yet been reached, the current work in this area is likely to converge toward the Internet Key Exchange (IKE), which is a combination of the following protocols: the Internet Security Associ- ation and Key Management Protocol (ISAKMP), and the key exchange protocols Oakley and SKEME. A. Manual key management IPsec requires every implementation to allow for man- ual setting of the security keys, in case no in-line key man- agement technique is adopted or human-based security is desired. Obviously manual keying is possible only if the security operators have separately agreed out-of-band on the keys to be used, for example at a reserved meeting. This solution exhibits high personnel costs and does not scale well, because it requires personal action of an op- erator on each network device taking part to the secure channel. Additionally, it can generate a false sense of se- curity: it is worthwhile reminding the reader that human intervention does not automatically ensure a higher level of security, due to untrusted operators and residual prob- lems related to hardware and software integrity of the de- vice where the key is set. However, in spite of these dis- advantages, manual key management finds application in restricted environments, with a small number of devices physically secured that, according to the security policy, can operate only when explicitly enabled by human inter- vention. B. Automated key management An automated key management mechanism is required to allow the widespread deployment of IPsec. Such sup- port is essential for the use of the anti-replay features of AH and ESP, and to accommodate on-demand creation of SAs (e.g., for user and session-oriented keying). The de- fault automated key management protocol selected for use with IPsec is IKE [12] under the IPsec Domain of Interpre- tation (IPsec DOI) [13]. Other automated key management protocols are also permitted. IKE is a hybrid protocol which uses part of Oakley [14] and part of SKEME [15] in combination with ISAKMP [16] to provide authenticated keys for use with ISAKMP itself, AH and ESP. ISAKMP defines a generic architec- ture for authenticated SA set-up and key exchange, with- out specifying the actual algorithms to be used. There- fore, ISAKMP can support a large variety of key exchange techniques. Oakley is a key-exchange protocol based on a modified version of the Diffie-Hellman algorithm. Ba- sically, Oakley describes a set of key exchange methods, and the security services provided by each method (i.e., perfect forward secrecy for keys, identity protection for the negotiating parties, and authentication). Oakley is one of the natural partners for ISAKMP. IKE is also using parts of the flexible key exchange technique described by SKEME, which provides valuable security features, such as: anonymity, non-repudiation, and quick key refresh- ment. ISAKMP operates at the application layer, and is inde- pendent of the lower layer protocols. Moreover, ISAKMP is not bound to a particular security protocol. It is meant as a generic SA and key management protocol for the Internet community. As such, it can negotiate authenticated keying material for any security protocol (AH, ESP, TLS, OSPFv2 NATO workshop on Advanced Security Technologies in Networking (Portoroz, May 29 - June 2, 2000) 6 Figure 7. Key management API: PF KEY. and any application layer security protocol). A generic key management API (PF KEY) [19] that can be used by any of the mentioned security protocols has already been standardized (RFC 2367) and is freely distributed with the most recent BSD and Linux OSs. PF KEY is a new socket protocol family used by privileged key management ap- plications to communicate with an operating system’s SA databases. The conceptual model is presented in Figure 7. IKE instantiates ISAKMP for use with IPsec protocols, i.e., under the specific IPsec DOI. A DOI defines the spe- cific protocols, cryptographic algorithms and transforms identifiers, the SA attributes to be negotiated, specific ISAKMP payload contents, and (if needed) additional key exchange types. ISAKMP [16] defines two ”phases” of negotiation. In the first phase, two entities (key management servers) agree on how to protect further negotiation traffic between themselves. The result of this phase is the establishment of an ISAKMP SA. This security association is then used to protect the negotiation for the required security protocol SA (for the IPsec DOI, an AH or an ESP SA). ISAKMP also defines several types of payloads, which are used to transfer security association and key exchange data in formats that are defined by the specific DOI. The number, the types and the ordering of these payloads dur- ing a particular ISAKMP negotiation is specified by the ISAKMP exchange type. Currently, there are seven types of exchanges defined, each of which is designed to provide a particular set of security services. IKE defines two basic methods for generating authen- ticated keys: main mode and aggressive mode. The for- mer is mandatory for a compliant IPsec-IKE implementa- tion. In addition, the quick mode has to be implemented is mandatory as a mechanism to negotiate non-ISAKMP SAs and to generate fresh keying material. Basically, IKE defines four methods for the phase 1 au- thentication: • pre-shared keys • digital signatures • public key encryption • revised public key encryption. The selection of a particular authentication method de- pends on the security requirements of the specific appli- cation using IPsec with IKE as the key management pro- tocol. Authentication via pre-shared keys is mandatory for any implementation. As far as the public key cryptography is concerned, IKE imposes neither the use of a particular digital signa- ture algorithm, nor a particular key distribution method. ISAKMP, which defines a certificate payload as a means to transport certificates via ISAKMP, mandates support for the following standards: • PKCS #7 wrapped X.509 certificate • PGP certificate • DNS signed key • X.509 certificate (both for signature and key exchange) • Kerberos Tokens • SPKI certificate • X.509 attribute certificate. In addition to IKE, several different solutions are be- ing proposed. Currently, the major competitor is SKIP (Simple Key-management for Internet Protocols) [17] which bases its operations on the Diffie-Hellman algo- rithm. SKIP is simple and addresses several problems of NATO workshop on Advanced Security Technologies in Networking (Portoroz, May 29 - June 2, 2000) 7 Figure 8. Tunnel between two firewalls. key management in high-speed networks, such as zero- message key set-up and update which permit fast dynamic re-keying (i.e. frequent in-line change of the security keys to avoid analytic attacks based on accumulation of cypher- text encrypted with the same key). IV. APPLICATION OF IP SECURITY FEATURES The AH and ESP headers can be used in different ways to protect IP communications. This section briefly reviews some of the most interesting applications, with reference to the corresponding weaknesses in IP. A. Virtual Private Networks Nowadays, technical and economical reasons are push- ing implementation of corporate wide-area networks to migrate from dedicated links and proprietary network technologies to solutions based on public shared links and open network architectures. This achieves several advan- tages but currently exhibits a serious drawback: there is a drastic reduction in intrinsic system security, due to the use of shared channels and devices. To regain the same previous level of network security while maintaining the economical advantages offered by public networks, one has to succeed in separating and protecting his own data packets within the crowd of packets travelling across the public links. Usually, this is achieved by establishing a Virtual Private Network (VPN). This is commonly done by the IP tunneling technique: IP packets to be protected are wrapped in a security envelope and encapsulated inside normal IP packets that are used just to transport the orig- inal packets across the public network to their final des- tination. Often, the endpoints of an IP tunnel are not the hosts wishing to exchange the data, rather two firewalls which protect the LANs from external attacks. This set-up is shown in Figure 8. VPNs can be created either by using one of the AH and ESP headers, or both. As an example, with reference to Figure 8, let us suppose that a TCP channel between a host H1 in the network N1 and a host H2 in the network N2 has to be protected only against data manipulation and origin falsification, while data privacy is not required. In this case the AH header can be used in the following way. Firewall FW1 gets the original packet and modifies it by adding the authentication header before sending it to the other end- point of the secure channel (FW2), as shown in Figure 8. When this packet reaches FW2, the firewall checks it for integrity and origin authentication using the data in the AH header. If the check is successful, then the IP header and the AH one are removed and the remaining data (i.e. the original packet) is sent to the final destination. The differ- ent formats the IP packet has while travelling from H1 to H2 is shown in Figure 9. If the VPN is implemented only wth the AH header, then the attackers can neither alter the transmitted packets nor insert forged packets in the channel. However they can still read the content of the packets. To prevent disclosure of the payload, the ESP header has to be used too. Sim- ple use of AH and ESP does not completely protect the traffic: packets can be deleted by intermediate nodes or recorded and later replayed. These attacks cannot be eas- ily hindered at the IP level: appropriate defenses (such as the use of unique packet identifiers and the generation of heartbeat packets) are usually placed at some upper level in the network stack. A partial solution at the IP level is offered by using the optional anti-replay service provided by both AH and ESP. The sequence number generated by NATO workshop on Advanced Security Technologies in Networking (Portoroz, May 29 - June 2, 2000) 8 IP PACKET FROM H1 TO FW1 IP header (src=H1,dst=H2,Protocol=TCP) TCP payload AH-PROTECTED IP PACKET FROM FW1 TO FW2 IP tunnel header (src=FW1, dst=FW2, Protocol=AH) AH header (Next header=IP) IP header (src=H1,dst=H2,Protocol=TCP) TCP payload IP PACKET FROM FW2 TO H2 IP header (src=H1,dst=H2,Protocol=TCP) TCP payload Figure 9. Format of IP packet travelling from H1 to H2. the sender has to be carefully checked by the receiver. This method of creating VPNs, like any other tech- nique based on IP encapsulation, brings some fragmenta- tion problems. If the packet to be transmitted already has the maximum dimension allowed for an IP packet, then it will not be possible to encapsulate it inside another IP packet: fragmentation and reassembling will necessarily take place at the two endpoints of the tunnel. As a conse- quence, the performance of the virtual channel can degrade down to 50% of the normal throughput. The worst case takes place for larger packets, which are typically used in transferring large data sets that - by contrast - would need no fragmentation to achieve maximum speed. On the con- trary, the best case occurs for small packets, such as those used in interactive applications which - ironically - would better accept even a larger performance penalty, as long as the total throughput remains compatible with the reaction time of the human operator. Last but not least, it is interesting to realize that this VPN technique can be adopted even between a firewall and a single external host (Figure 10). This case is of partic- ular relevance to guarantee security when a mobile host is used outside the protected network perimeter. The fire- wall would act as home agent for HM in the procedure of neighbour discovery. HM will be assigned two different IP addresses, one when it is connected inside the security perimeter, and the other when it is outside of it. In this last case, the firewall would also act as a relay, by redirect- ing the packets coming from inside the corporate network to the external address, after adding the required headers (AH only, or AH plus ESP). B. Application level security Networked applications executing on top of an IP stack including IPsec may require usage of a communication channel with specific features. In order to avoid dupli- cation of functionality (and hence performance degrada- tion), it is useful to be able to specify at the transport layer the security attributes of the channel being created. In the first BSD-UNIX implementations of IPsec, this effect can be obtained by properly using the setsocketoption() system call. Anyway, this is not a complete solution for application-level security because only a partial protection is obtained: AH provides host-based authentication only, while applications usually require user-based authentica- tion. Moreover, AH and ESP protect the data only during their transmission along the channel. Once the data have been received, they are no longer protected in any way. This fact may not be relevant if the receiving host is a se- cure one, but there is the additional implication that ori- gin authentication and data integrity properties are lost as well, so that formal non-repudiation cannot occur after the data have been extracted from the secure channel. We can therefore draw the conclusion that the security features of IPsec do not eliminate the need for other security mecha- nisms, that will probably be better placed at the application level. C. Routing security With the increasing use of Internet for commercial ap- plications, the need for a reliable and secure network in- frastructure has become higher than ever. Since IPsec offers different network level security services through a proper combination of AH and ESP headers, it is highly desirable that they be applied to the messages exchanged by routers. IPsec protection for routing protocols prevents attacks aiming to subvert the logical architecture of the net- work. As an example, in IPv6 intra-domain routing proto- cols rely on the security provided by the default AH and ESP support of IPv6 routers. The following types of mes- sages are protected: • router advertisements, to ensure that they are originated by an authorized router; • neighbour advertisements, to ensure that they come from authorized hosts and to avoid the risk of somebody attach- ing a new host to the network without proper authorization. The ICMP messages related to an unreachable host or net- work (”destination unreachable”) or the one that indicates a better route (”redirect”) should also be at least authen- ticated to ensure that these messages come from hosts or routers that were on the original path of the packets. NATO workshop on Advanced Security Technologies in Networking (Portoroz, May 29 - June 2, 2000) 9 Figure 10. Tunnel between a firewall and a mobile host. Securing these types of messages is surely not trivial. For example, the routing advertisements are sent to a mul- ticast group and therefore all the routers in the group must know the (common) secret key to be used to verify and/or decrypt the messages; but in turn this fact implies they can forge messages and impersonate any router in the group! These and more others are common aspects that a reliable security mechanism for the routing infrastructure has to address. Protection of the neighbor advertisements poses a serious problem: these messages can be protected only after a SA has been created between the host and the ad- dress distribution center. On the other hand, this SA can be created only after an address has been assigned to the host, so we conclude that this is the typical chicken-and- egg problem which has no correct way to be solved. To break the loop, partial solutions are possible: for example, priority can be given to the address assignment phase and SA setup can be permitted only subsequently, but in this way the address assignment phase is not protected. Al- ternatively, public-key authentication can be used: host is assigned a key pair (private and public key) and has to be pre-configured with the public key of the authority which signs the certificates of the routers and the address distribu- tion centers. The last alternative is to configure routers so that they do not advertise local prefixes; by this way, each host is forced to contact a router first. Protection against false ICMP messages requires that they use the authenti- cation header, but it has the drawback to require the estab- lishment of a SA with each router and host on the path be- tween the source and the destination of the packets. With respect to the security of the messages used by the vari- ous routing protocols, they should always be exchanged only within the frame of a SA and be protected by AH. For sake of generality, this solution is highly preferable to using authentication mechanisms specific for each routing protocol. V. FUTURE DIRECTIONS Security is one of the fastest moving areas in com- puter networks, as it is vital to protect data and computer resources and to enable economical exploitation through electronic commerce. IP security is not the exception to the rule: new extensions to IKE and ISAKMP authenti- cation modes have recently been defined, addressing the secure remote access problem and trying to introduce in IPsec some user level authentication techniques [18], [20]. At the same time, IPsec is moving toward the integration with policy-based networks. A conceptual model for a se- curity policy-based networking environment is being de- fined for IPsec [21], together with a protocol [22] which aims to provide policy discovery and policy resolution to IPsec nodes. Till now, IPsec has found applicability in static network configurations and, in general, networks that are under a common administration (VPNs and in- tranets). The new mechanisms addressing policy man- agement issues make IPsec scalable in general cases and could contribute to the widespread deployment of this se- curity technology in Internet. The net benefit will be that more security will be already available at the network level and hence applications will be able to concentrate on dif- ferent security aspects, such as authorizations and non- repudiation. NATO workshop on Advanced Security Technologies in Networking (Portoroz, May 29 - June 2, 2000) 10 REFERENCES [1] S. Kent, R. Atkinson, Security Architecture for the Internet Pro- tocol, RFC 2401, November 1998 [2] S. Kent, R. Atkinson, IP Authentication Header, RFC 2402, November 1998 [3] S. Kent, R. Atkinson, IP Encapsulating Security Payload (ESP), RFC 2406, November 1998 [4] B. Schneier, Applied Cryptography, John Wiley & Sons, New York, 1996. [5] R. Rivest, The MD5 Message-Digest Algorithm, RFC 1321, April 1992 [6] National Institute of Standards and Technology, U.S. Department of Commerce, Secure Hash Standard, document FIPS-180-1, April 1995 [7] H. Krawczyk, M. Bellare, R. Canetti HMAC: Keyed-Hashing for Message Authentication, RFC 2104,February 1997 [8] C. Madson, R. Glenn, The Use of HMAC-MD5-96 within ESP and AH, RFC 2403, November 1998 [9] C. Madson, R. Glenn, The Use of HMAC-SHA-1-96 within ESP and AH, RFC 2404, November 1998. [10] C. Madson, N. Doraswamy, The ESP DES-CBC Cipher Algo- rithm with Explicit IV, RFC 2405, November 1998 [11] P. Karn, P. Metzger, W. Simpson, The ESP Triple DES Transform, RFC 1851, September 1995 [12] D. Harkins, D. Carrel, The Internet Key Exchange, RFC 2409, November 1998 [13] D. Piper, The Internet IP Security Domain of Interpretation for ISAKMP, RFC 2407 November 1998 [14] H. Orman, The Oakley Key Determination Protocol, RFC 2412, November 1998 [15] H. Krawczyk, SKEME: A Versatile Secure Key Exchange Mech- anism for Internet, from IEEE Proceedings of the 1996 Sympo- sium on Network and Distributed Systems Security [16] D. Maughan, M. Schertler, M. Schneider, J. Turner, Internet Secu- rity Association and Key Management Protocol (ISAKMP), RFC 2408, November 1998 [17] A. Aziz, T. Markson, H. Prafullchandra, Simple Key-Management for Internet Protocols (SKIP), Internet Draft (draft-aziz-skip- *.txt) [18] Y. Dayan, S. Bitan, IKE Base Mode, Internet Draft, October 1999 [19] D. McDonald, C. Metz, B. Phan, PF KEY Key Management API, Version 2, RFC 2367, July 1998 [20] R. Pereira, The ISAKMP Configuration Method, Internet Draft, 1999 [21] L.A. Sanchez, M.N. Condell, Security Policy System, Internet Draft, November 1998 [22] L.A. Sanchez, M.N. Condell, Security Policy Protocol, Internet Draft, July 1999 [23] Niels Ferguson, Bruce Schneier, A Cryptographic Evalu- ation of IPsec Counterpane Internet Security, Inc., 2000, http://www.counterpane.com BIOGRAPHIES Madalina Baltatu holds a Dr. Electronic Engineering from Politehnica University of Bucharest (Romania). She is currently a Ph.D. candidate in the field of network secu- rity at Politecnico di Torino. Dr. Baltatu can be reached as baltatu@athena.polito.it Antonio Lioy holds a “laurea” in Electronic Engineering and a Ph.D. in Computer Engineering. He is currently a Professor of Distributed Computing Systems at Politec- nico di Torino, where he leads a research group active in computer and network security. Prof. Lioy can be reached as lioy@polito.it . workshop on Advanced Security Technologies in Networking (Portoroz, May 29 - June 2, 2000) 1 IP security Madalina Baltatu Antonio Lioy Dip. Automatica e Informatica Politecnico. the layered applications. The security tech- niques adopted in IPsec have been designed to be easily inserted in both IPv4 and IPv6, as detailed in [1]. Somebody