PF_KEY Key Management API, Version 2

McDonald, D.; Metz, Craig; Phan, Bao G.

doi:10.17487/rfc2367

Cited by 35 publications

(22 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…11) The smart card sends to the Linux box a security policy and some configurations for IPsec and IKE. The IPsec policy management program sets up the IP security policy onto the SPD (Security Policy Database) 17) in the Linux kernel. The preparation of the IP security policy is required to run the IPsec software and the IKE software.…”

Section: Inter-device Authentication Middleware Systemmentioning

confidence: 99%

“…After establishing the IKE-SA, the IKEv1 program establishes the IPsec-SA by executing the conventional exchange in phase 2. The IKEv1 pro-gram stores the IPsec-SA parameters onto the SAD (Security Association Database) 17) in the Linux kernel. Finally, the communication channel between the two devices will be protected by IPsec.…”

Section: Inter-device Authentication Middleware Systemmentioning

confidence: 99%

See 1 more Smart Citation

Design and Implementation of an Inter-Device Authentication Framework Guaranteeing Explicit Ownership

Hirano

Okuda

Yamaguchi

2008

ipsjdc

View full text Add to dashboard Cite

Future networks everywhere will be connected to innumerable Internet-ready home appliances. A device accepting connections over a network must be able to verify the identity of a connecting device in order to prevent device spoofing and other malicious actions. In this paper, we propose a security mechanism for an inter-device communication. We state the importance of a distingushing and binding mechanism between a device's identity and its ownership information to realize practical inter-device authentication. In many conventional authentication systems, the relationship between the device's identity and the ownership information is not considered. Therefore, we propose a novel inter-device authentication framework guaranteeing this relationship. Our prototype implementation employs a smart card to maintain the device's identity, the ownership information and the access control rules securely. Our framework efficiently achieves secure inter-device authentication based on the device's identity, and authorization based on the ownership information related to the device. We also show how to apply our smart card system for inter-device authentication to the existing standard security protocols.

show abstract

Section: Inter-device Authentication Middleware Systemmentioning

confidence: 99%

Section: Inter-device Authentication Middleware Systemmentioning

confidence: 99%

Design and Implementation of an Inter-Device Authentication Framework Guaranteeing Explicit Ownership

Hirano

Okuda

Yamaguchi

2008

ipsjdc

View full text Add to dashboard Cite

show abstract

“…The sucvP daemon communicates with the IPsec stack through the PFKEY V2 API [21]. It listens for an SADB ACQUIRE message with the unspecified address as its remote tunnel endpoint, indicating that an OEGW needs to be discovered.…”

Section: Appendix A: Implementationmentioning

confidence: 99%

Hindering Eavesdropping via IPv6 Opportunistic Encryption

Castelluccia

Montenegro²,

Laganier

et al. 2004

Computer Security – ESORICS 2004

View full text Add to dashboard Cite

Abstract. This paper presents an opportunistic encryption scheme strictly layered on top of IPv6. Assuming that a node needs to send data toward another node, our proposal enables the dynamic configuration of an encrypted tunnel between the two nodes' IPsec gateways. The main contribution of this paper is to propose a solution that is fully distributed and does not rely on any global Trusted Third Party (such as DNSSEC or a PKI). The IPsec gateways are discovered using IPv6 anycast, and they derive authorization from authorization certificates and Crypto-Based Identifiers (CBIDs). The result is a robust and easily deployable opportunistic encryption service for IPv6.

show abstract

“…The interface constructs a newly-defined zone message and sends the message to the PF KEYv2 [16] socket. PF KEYv2 is a new socket protocol family used by trusted privileged key management applications (e.g., ML-IKE, PKD and DKM) to communicate with the operating system's key management internals (i.e., FreeS/WAN's Security Association Database (SADB)).…”

Section: Methodsmentioning

confidence: 99%

Mobile multi-layered IPsec

Choi

Song

Porta

Proceedings IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies.

View full text Add to dashboard Cite

To achieve high throughput in wireless networks, smart forwarding and processing of packets in access routers is critical for overcoming the effects of the wireless links. However, these services cannot be provided if data sessions are protected using end-to-end encryption as with IPsec, because the information needed by these algorithms resides inside the portion of the packet that is encrypted, and can therefore not be used by the access routers. A previously proposed protocol, called Multi-layered IPsec (ML-IPsec) modifies IPsec in a way so that certain portions of the datagram may be exposed to intermediate network elements, enabling these elements to provide performance enhancements. In this paper we extend ML-IPsec to deal with mobility and make it suitable for wireless networks. We define and implement an efficient key distribution protocol to enable fast ML-IPsec session initialization, and two mobility protocols that are compatible with Mobile IP and maintain ML-IPsec sessions. Our measurements show that, depending on the mobility protocol chosen, integrated Mobile IP/ML-IPsec handoffs result in a pause of 53-100 milliseconds, of which only 28-75 milliseconds may be attributed to ML-IPsec. Further, we provide detailed discussion and performance measurements of our MML-IPsec implementation. We find the resulting protocol, when coupled with SNOOP, greatly increases throughput over scenarios using standard TCP over IPsec (165% on average). By profiling the MML-IPsec implementation, we determine the bottleneck to be sending packets over the wireless link. In addition, we propose and implement an extension to MML-IPsec, called dynamic MML-IPsec, in which a flow may switch between plaintext, IPsec and MML-IPsec. Using dynamic MML-IPsec, we can balance the tradeoff between performance and security.

show abstract

PF_KEY Key Management API, Version 2

Cited by 35 publications

References 5 publications

Design and Implementation of an Inter-Device Authentication Framework Guaranteeing Explicit Ownership

Design and Implementation of an Inter-Device Authentication Framework Guaranteeing Explicit Ownership

Hindering Eavesdropping via IPv6 Opportunistic Encryption

Mobile multi-layered IPsec

Contact Info

Product

Resources

About