Chapter

On the Move to Meaningful Internet Systems 2006: OTM 2006 Workshops

Volume 4277 of the series Lecture Notes in Computer Science pp 392-403

Enabling Practical IPsec Authentication for the Internet

  • Pedro J. Muñoz MerinoAffiliated withDepartment of Telematics Engineering, Universidad Carlos III de Madrid
  • , Alberto García-MartínezAffiliated withDepartment of Telematics Engineering, Universidad Carlos III de Madrid
  • , Mario Muñoz OrganeroAffiliated withDepartment of Telematics Engineering, Universidad Carlos III de Madrid
  • , Carlos Delgado KloosAffiliated withDepartment of Telematics Engineering, Universidad Carlos III de Madrid

* Final gross prices may vary according to local VAT.

Get Access

Abstract

There is a strong consensus about the need for IPsec, although its use is not widespread for end-to-end communications. One of the main reasons for this is the difficulty for authenticating two end-hosts that do not share a secret or do not rely on a common Certification Authority. In this paper we propose a modification to IKE to use reverse DNS and DNSSEC (named DNSSEC-to-IKE) to provide end-to-end authentication to Internet hosts that do not share any secret, without requiring the deployment of a new infrastructure. We perform a comparative analysis in terms of requirements, provided security and performance with state-of-the-art IKE authentication methods and with a recent proposal for IPv6 based on CGA. We conclude that DNSSEC-to-IKE enables the use of IPsec in a broad range of scenarios in which it was not applicable, at the price of offering slightly less security and incurring in higher performance costs.