
IMPLEMENTING AND DEPLOYING IPSEC

In document Network Security Know It All pdf (Page 175-177)

IP Security in Practice

6.6 IMPLEMENTING AND DEPLOYING IPSEC

IP-layer security protects IP datagrams, so it need not involve the user or any application. Users can keep using all of their applications without ever being aware that every datagram is being encrypted or authenticated before it is sent out to the Internet (of course, this transparency holds only as long as the hosts at the other end properly decrypt and verify those datagrams).

As a result, one question that comes up is how to implement IPsec. RFC 2401 (the original IPsec architecture specification, since superseded by RFC 4301, which keeps the same classification) describes three strategies for implementing IPsec in a host or in conjunction with a router or firewall.

Integrated implementation  Integrate IPsec into the native IP implementation. This approach is probably the best, but also the most difficult, because it requires access to, and modification of, the IP stack's source code. Integrating IPsec into the IP stack adds security natively and makes it an integral part of the IP implementation; this is how the IPsec support shipped in modern operating-system kernels (for example, the Linux XFRM framework) is built. The cost is that the entire stack must be updated to reflect the changes.

“Bump-in-the-stack” (BITS)  Implement IPsec “beneath” the IP stack and above the local network drivers. The IPsec implementation monitors IP traffic as it is sent or received over the local link, and IPsec functions are performed on the packets before they are passed up or down the stack. This works reasonably well for individual hosts doing IPsec.

This approach inserts IPsec code into the network stack just below the existing IP software and just above the link-layer software: a shim that intercepts datagrams passing between the existing IP stack and the local link-layer interface, performs the required security processing on them, and hands them to the link layer (and does the reverse for inbound traffic). It allows systems to be upgraded to IPsec support without rewriting their IP stack software, although, because the shim sits below the stack, it has to handle some of the stack's own concerns, such as fragmented datagrams, before it can match traffic against policy.

“Bump-in-the-wire” (BITW)  Implement IPsec in a separate hardware cryptographic processor. The device is usually IP-addressable in its own right. When it serves a single host, a bump-in-the-wire device behaves much like a BITS implementation; when the same device provides IPsec services to a router or firewall, it must behave as a security gateway, meaning that it must run the IPsec security protocols in tunnel mode.


This approach uses external cryptographic hardware to perform the security processing. The device is usually an IP device that acts as a sort of router or, more accurately, a security gateway for all IP datagrams from any system that sits behind it. When such a device is used for a single host, it works very much like the BITS approach, but the implementation becomes more complex when a single BITW device protects more than one system, since it must then hold the policy and security associations for every host behind it.

These options differ less in quality than in where each is appropriate. Applications that require high levels of security may be better served by a hardware implementation, which keeps keys and cryptographic operations off the general-purpose host. Systems for which no IPsec-capable network stack is available may be better served by the BITS approach. Whichever approach is chosen, the wire format of AH and ESP is the same, so hosts and gateways built with different strategies interoperate.
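All three placements carry out the same processing model: on the outbound path a datagram is matched against the Security Policy Database (SPD) and bypassed, discarded or protected, and on the inbound path an ESP packet is matched to a security association by its SPI and verified before being passed up. The following is an added example, not code from the book or from any real stack, that models a bump-in-the-stack shim doing exactly this in Python, with a transport-mode SA (the single-host case) and a tunnel-mode SA carrying whole datagrams between two gateways (the security-gateway case). The names (`Sa`, `Policy`, `outbound`, `inbound`), the addresses and the key are the example's own constructions; ESP uses the RFC 4303 wire format with NULL encryption (RFC 2410) and HMAC-SHA-256-128 integrity, so it provides integrity only and keeps no anti-replay window.

```python
# Added example, not the book's code: a bump-in-the-stack IPsec shim following the
# RFC 2401 processing model. Outbound datagrams are matched against an ordered SPD and
# bypassed, discarded or ESP-protected; inbound ESP is found in the SAD by SPI, verified
# and stripped. ESP uses the RFC 4303 layout with NULL encryption and HMAC-SHA-256-128:
# integrity only, no anti-replay window. Names, addresses and keys are constructed here.
import hashlib, hmac, ipaddress, struct
from dataclasses import dataclass

ESP, IPIP, ICV_LEN = 50, 4, 16            # ESP protocol, IPv4-in-ESP next header, tag bytes
BYPASS, DISCARD, PROTECT = "bypass", "discard", "protect"

@dataclass
class Sa:
    spi: int
    key: bytes
    tunnel: tuple = None                  # (outer_src, outer_dst) for tunnel mode; None = transport
    seq: int = 0

@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: int                            # None matches any protocol
    action: str
    sa: Sa = None

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Option-less IPv4 header (TTL 64, DF set) with correct checksum, then payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", ~total & 0xFFFF) + hdr[12:] + payload

def parse_ipv4(pkt: bytes) -> tuple:
    """(src, dst, proto, payload) of an option-less IPv4 datagram."""
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, pkt[20:total]

def esp_encapsulate(sa: Sa, next_hdr: int, payload: bytes) -> bytes:
    """RFC 4303: SPI | Seq | payload | padding | pad len | next header | ICV."""
    sa.seq += 1
    pad_len = (-(len(payload) + 2)) % 4   # right-align the 2-byte trailer on 32 bits
    body = (struct.pack("!II", sa.spi, sa.seq) + payload
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_hdr]))
    return body + hmac.new(sa.key, body, hashlib.sha256).digest()[:ICV_LEN]

def outbound(spd: list, dgram: bytes):
    """IP -> link-layer hook: returns bytes for the link layer, or None to drop."""
    src, dst, proto, payload = parse_ipv4(dgram)
    for pol in spd:                       # ordered SPD: first match wins
        if (ipaddress.IPv4Address(src) in pol.src and ipaddress.IPv4Address(dst) in pol.dst
                and pol.proto in (None, proto)):
            break
    else:
        return None                       # no policy matches: discard (RFC 2401 default)
    if pol.action == DISCARD:
        return None
    if pol.action == BYPASS:
        return dgram
    if pol.sa.tunnel:                     # gateway (BITW) style: whole datagram goes inside
        return build_ipv4(*pol.sa.tunnel, ESP, esp_encapsulate(pol.sa, IPIP, dgram))
    return build_ipv4(src, dst, ESP, esp_encapsulate(pol.sa, proto, payload))

def inbound(sad: dict, pkt: bytes):
    """Link-layer -> IP hook: verify and strip ESP; None means drop."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto != ESP:
        return pkt                        # cleartext; the inbound SPD check is omitted
    sa = sad.get(struct.unpack("!I", payload[:4])[0])
    if sa is None:
        return None                       # unknown SPI
    body, icv = payload[:-ICV_LEN], payload[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(sa.key, body, hashlib.sha256).digest()[:ICV_LEN]):
        return None                       # check the ICV before touching the trailer
    pad_len, next_hdr = body[-2], body[-1]
    inner = body[8:len(body) - 2 - pad_len]
    return inner if next_hdr == IPIP else build_ipv4(src, dst, next_hdr, inner)

def demo() -> dict:
    """Constructed tables: one transport-mode SA, one tunnel-mode SA between two gateways."""
    key = hashlib.sha256(b"constructed demo key, not for real use").digest()
    sa_t, sa_g = Sa(0x1001, key), Sa(0x2002, key, ("192.0.2.1", "198.51.100.1"))
    net = ipaddress.ip_network
    spd = [Policy(net("10.0.0.0/24"), net("10.0.0.9/32"), 6, PROTECT, sa_t),
           Policy(net("10.0.0.0/24"), net("172.16.0.0/16"), None, PROTECT, sa_g),
           Policy(net("0.0.0.0/0"), net("0.0.0.0/0"), 1, BYPASS)]
    sad = {sa_t.spi: sa_t, sa_g.spi: sa_g}
    d_tcp = build_ipv4("10.0.0.2", "10.0.0.9", 6, b"\x04\xd2\x00\x50constructed TCP segment")
    d_udp = build_ipv4("10.0.0.5", "172.16.3.3", 17, b"constructed UDP datagram")
    d_icmp = build_ipv4("10.0.0.7", "203.0.113.4", 1, b"constructed echo request")
    d_none = build_ipv4("10.0.0.7", "203.0.113.4", 6, b"no policy covers this flow")
    w_tcp, w_udp = outbound(spd, d_tcp), outbound(spd, d_udp)
    tampered = w_tcp[:-1] + bytes([w_tcp[-1] ^ 1])   # flip one bit of the ICV
    return {"transport_roundtrip": parse_ipv4(w_tcp)[2] == ESP and inbound(sad, w_tcp) == d_tcp,
            "tunnel_outer": parse_ipv4(w_udp)[:3],   # ('192.0.2.1', '198.51.100.1', 50)
            "tunnel_roundtrip": inbound(sad, w_udp) == d_udp,
            "icmp_bypassed": outbound(spd, d_icmp) == d_icmp,
            "unmatched_dropped": outbound(spd, d_none) is None,
            "tamper_dropped": inbound(sad, tampered) is None}
```

Calling `demo()` shows the transport-mode packet keeping the original addresses behind protocol 50, the tunnel-mode packet carrying the gateways' addresses on the outside with the complete inner datagram inside, ICMP passing in the clear, an unmatched flow discarded because no policy covers it, and a packet whose ICV has been altered dropped before its trailer is even parsed. A production implementation would additionally enforce the inbound SPD, maintain the RFC 4303 anti-replay window and, of course, actually encrypt.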

6.7 CONCLUSION

Network security is probably the subject of as many books and book chapters as IP itself. This chapter has provided a concise introduction to IP security issues and security goals, starting with a definition of the challenges facing security managers and the tools at their disposal. IPsec authenticates the communicating peers during key negotiation using public-key techniques such as digital signatures, and authenticates each protected packet using keyed secure hashes (HMACs); it provides privacy by encrypting packet contents with secret-key (symmetric) ciphers, using public-key methods to establish the shared keys.

On top of these cryptographic tools, however, IPsec requires additional protocols to handle the secure and verifiable distribution and management of encryption keys; in practice this is the Internet Key Exchange (IKE). IPsec combines these cryptographic and key-management protocols with IP, using security associations to bind each protected packet (identified by its Security Parameters Index) to the keys and algorithms agreed between the peers, and a pair of optional IP security headers, ESP and AH, to transmit IP packets securely.

IPsec is often linked to IPv6 because, while IPsec support is optional in IPv4, the IPv6 node requirements of the time (RFC 4294) made it mandatory for all IPv6-capable hosts. (The later node requirements, RFC 6434 and RFC 8504, relaxed this to a SHOULD, so an IPv6 deployment does not automatically come with IPsec in use.) Although some cite “security” as a reason to prefer IPv6 over IPv4, to a great degree the same level of security would be possible if IPsec were mandatory for all IPv4 nodes.


7.1 INTRODUCTION

Although radio has existed for almost 100 years, most of the population uses wireline phones; only over the last 30 years have large numbers of people used wireless or cordless phones. With this exposure, users of wireless phones and the news media have challenged two bedrocks of the telecommunications industry: privacy of conversation and billing accuracy.

The current concepts of privacy of communications and accuracy of billing are based on the telephone company's ability to route an individual pair of wires to each residence and office. Thus, when a call is placed on a pair of wires, the telephone company can correctly associate the call on that wire with the correct billing account [1–4]. Similarly, since there is a dedicated pair of wires from a home to the telephone company central office, no one can easily listen to the call. For most people, a wiretap is an abstract concept that only concerns someone involved in illegal activities.

Communications on shared media can be intercepted by any user of the media: anyone with access to the medium can listen to it or transmit on it, so communications are no longer private. On a shared medium, the presence of a communication request does not uniquely identify the originator, as it does with a single pair of wires per subscriber. In addition, every user of the network can overhear whatever an originator sends to the network and can resend that information to place a fraudulent call, a replay attack. The participants in the phone call may not know that their privacy is compromised (see Figure 7.1).

When the media are shared, privacy and authentication are lost unless some method is established to regain it. Cryptography provides the means to regain control over privacy and authentication [5] .

In the past, there have been attempts to control privacy and authentication through noncryptographic means; these have failed so far. The designers of the original cellular service in the United States implemented authentication of the mobile telephone using a number assignment module (NAM) and an electronic serial number (ESN). The NAM was to be implemented in a programmable read-only memory (PROM) for easy replacement when the phone number changed.
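The fraudulent-call problem described above, as an added example that is not part of the book: the shared medium is modelled as a list that every party, including a would-be cloner, can read; the network first accepts any registered ESN/NAM pair it hears (the noncryptographic scheme), and the same exchange is then repeated with a keyed challenge-response. The ESN and NAM values and the subscriber key are constructed, and the challenge-response is a generic HMAC construction used only to illustrate the point, not the algorithm of any particular cellular standard.

```python
# Added example, not the book's code: replay of a static identifier on a shared medium
# versus a keyed challenge-response. The ESN/NAM values, the key and the protocol are
# constructed for illustration and do not reproduce any cellular standard's scheme.
import hashlib, hmac, secrets

class Air:
    """Shared medium: every frame sent is visible to everyone, including the cloner."""
    def __init__(self):
        self.frames = []
    def send(self, frame):
        self.frames.append(frame)
        return frame

class Network:
    def __init__(self, subscribers):
        self.subscribers = subscribers    # esn -> (nam, key); the static scheme never uses key
        self.nonce = None
    def accept_static(self, frame):
        """Original scheme: hearing a registered ESN/NAM pair is the whole check."""
        esn, nam = frame
        return esn in self.subscribers and self.subscribers[esn][0] == nam
    def challenge(self):
        self.nonce = secrets.token_bytes(16)   # fresh for every attempt, never reused
        return self.nonce
    def accept_response(self, esn, response):
        """Keyed scheme: the answer must be the MAC of *this* challenge under the ESN's key."""
        entry = self.subscribers.get(esn)
        if entry is None or self.nonce is None:
            return False
        expected = hmac.new(entry[1], self.nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def static_identifier_scenario():
    """Returns (legitimate_accepted, clone_accepted) for the static ESN/NAM scheme."""
    air, net = Air(), Network({b"ESN-0001": (b"555-0100", b"unused")})
    legit = net.accept_static(air.send((b"ESN-0001", b"555-0100")))
    recorded = air.frames[0]                  # cloner copies the pair straight off the air
    clone = net.accept_static(air.send(recorded))
    return legit, clone                       # (True, True): the clone is indistinguishable

def challenge_response_scenario():
    """Returns (legitimate_accepted, replay_accepted) for the keyed scheme."""
    key = hashlib.sha256(b"constructed subscriber key").digest()
    air, net = Air(), Network({b"ESN-0001": (b"555-0100", key)})
    nonce = air.send(net.challenge())
    resp = air.send(hmac.new(key, nonce, hashlib.sha256).digest())   # the real phone answers
    legit = net.accept_response(b"ESN-0001", resp)
    recorded = air.frames[-1]                 # cloner records the answer...
    net.challenge()                           # ...but the next attempt carries a new nonce
    replay = net.accept_response(b"ESN-0001", recorded)
    return legit, replay                      # (True, False): the recording is worthless
```

The eavesdropper still learns the ESN in the second scenario, but learning it no longer lets anyone place a call: the only thing that authenticates a phone is knowledge of the key, and the key itself never crosses the shared medium.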
