Enabling Practical IPsec Authentication for the Internet

  • Pedro J. Muñoz Merino
  • Alberto García-Martínez
  • Mario Muñoz Organero
  • Carlos Delgado Kloos
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4277)


There is a strong consensus about the need for IPsec, although its use is not widespread for end-to-end communications. One of the main reasons for this is the difficulty of authenticating two end-hosts that do not share a secret or do not rely on a common Certification Authority. In this paper we propose a modification to IKE that uses reverse DNS and DNSSEC (named DNSSEC-to-IKE) to provide end-to-end authentication to Internet hosts that do not share any secret, without requiring the deployment of a new infrastructure. We perform a comparative analysis in terms of requirements, provided security and performance against state-of-the-art IKE authentication methods and against a recent proposal for IPv6 based on CGA. We conclude that DNSSEC-to-IKE enables the use of IPsec in a broad range of scenarios in which it was not applicable, at the price of offering slightly less security and incurring higher performance costs.
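The mechanism the abstract sketches (look up the peer's reverse-DNS name, require a DNSSEC-validated answer, and use the key published there to check the peer's proof of possession during the IKE exchange) is illustrated below as an added example; it is not code from the paper or its authors. Everything in it is an assumption for illustration: the resolver is replaced by a constructed in-memory reverse zone whose `validated` flag stands in for the resolver's AD bit, the key record is a simplified stand-in for an RFC 4025 IPSECKEY record, the exchange transcript is a constructed byte string, and the signature scheme is textbook RSA with a deliberately small modulus so the arithmetic stays readable.

```python
import hashlib
import ipaddress

# --- Toy RSA keypair for the responder (constructed; NOT a real key) -----------
# Two Mersenne primes give a ~150-bit modulus: large enough to hold a
# 128-bit truncated hash, small enough to read. Real deployments use
# proper key sizes and padding; this is only to make the check concrete.
_P = 2**61 - 1
_Q = 2**89 - 1
RESPONDER_N = _P * _Q
RESPONDER_E = 65537
_RESPONDER_D = pow(RESPONDER_E, -1, (_P - 1) * (_Q - 1))  # private exponent


def _digest(transcript: bytes) -> int:
    # Hash the exchange transcript and truncate to 128 bits so it is < N.
    return int.from_bytes(hashlib.sha256(transcript).digest()[:16], "big")


def sign(transcript: bytes) -> int:
    """Responder proves possession of the key it publishes in reverse DNS."""
    return pow(_digest(transcript), _RESPONDER_D, RESPONDER_N)


def verify(n: int, e: int, transcript: bytes, sig: int) -> bool:
    return pow(sig, e, n) == _digest(transcript)


def reverse_name(ip: str) -> str:
    """Reverse-DNS owner name (in-addr.arpa / ip6.arpa) for the peer address."""
    return ipaddress.ip_address(ip).reverse_pointer


# --- Constructed reverse zone, standing in for a DNSSEC-validating resolver ----
# 'validated' models the AD (Authenticated Data) flag: True only when the
# RRset chained to a trust anchor under RFC 4033-4035 validation rules.
ZONE = {
    reverse_name("2001:db8::10"): {"validated": True, "n": RESPONDER_N, "e": RESPONDER_E},
    reverse_name("192.0.2.7"): {"validated": False, "n": RESPONDER_N, "e": RESPONDER_E},
}


def authenticate_peer(peer_ip: str, transcript: bytes, sig: int, zone=ZONE):
    """Return (ok, reason) for a DNSSEC-to-IKE style peer check.

    The validation check comes before the signature check on purpose: a
    spoofed or unsigned reverse zone could carry an attacker's own key, and
    a signature that verifies against such a key proves nothing.
    """
    rec = zone.get(reverse_name(peer_ip))
    if rec is None:
        return False, "no key record in reverse DNS"
    if not rec["validated"]:
        return False, "record not DNSSEC-validated"
    if not verify(rec["n"], rec["e"], transcript, sig):
        return False, "signature does not match published key"
    return True, "peer authenticated"


# Constructed transcript of the exchange the responder signs (toy stand-in
# for the IKE payloads that bind the signature to this particular session).
TRANSCRIPT = b"constructed IKE transcript: SAi|SAr|KEi|KEr|Ni|Nr"
SIG = sign(TRANSCRIPT)

if __name__ == "__main__":
    for ip in ("2001:db8::10", "192.0.2.7", "198.51.100.9"):
        print(ip, authenticate_peer(ip, TRANSCRIPT, SIG))
    # A signature replayed into a different exchange must fail.
    print("replayed signature:", authenticate_peer("2001:db8::10", TRANSCRIPT + b"x", SIG))
```

The three constructed peers show the three outcomes a validating initiator has to distinguish: an authenticated record with a matching signature, a record that exists but did not validate (treated exactly like no record, since an unvalidated reverse zone is under the control of whoever answers the query), and no record at all. The last call shows why the signature must cover the session transcript: a signature lifted from an earlier exchange does not verify against a new one.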







Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Pedro J. Muñoz Merino (1)
  • Alberto García-Martínez (1)
  • Mario Muñoz Organero (1)
  • Carlos Delgado Kloos (1)
  1. Department of Telematics Engineering, Universidad Carlos III de Madrid, Leganés (Madrid), Spain
