LCN 2000

The 25th Annual IEEE Conference on
Local Computer Networks (LCN)

Keynote Presentations

Last update: 10 July 2000

IPsec: How and Why
Dr. Stephen Kent, BBN


This presentation examines the protocols that make up IPsec, the IETF standard for IP layer security, from the perspective of the author of the core standards. We begin by analyzing the tradeoffs associated with offering security at the network, Internet, session, and application layers, to better understand why IPsec was developed. We then examine scenarios for end-to-end, end-to-perimeter, and perimeter-to-perimeter security associations, as a segue into the subtle differences between IPsec transport and tunnel modes. Next, the syntax of the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols is examined in detail. We will explain why the processing order for encryption and authentication/integrity in ESP is the opposite of that in protocols such as SSL/TLS. The rationale behind the (often overlooked or misunderstood) access control features of IPsec will be described, as will the tortuous process by which the current set of features was defined, and the story behind the NULL encryption and authentication algorithms will be told. Sample data flows through an IPsec implementation illustrate the challenges of developing very high speed implementations of IPsec. The presentation provides a brief overview of the Internet Key Exchange protocol (IKE) and describes how this NSA-developed protocol beat out two other contenders in the prolonged battle for a key management standard. The presentation concludes with a review of gaps in the IPsec standards suite and the IETF working groups that are addressing some of these gaps.
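The ESP-versus-SSL/TLS ordering point mentioned in the abstract, as an added illustration that is not part of the abstract or of Dr. Kent's material: ESP encrypts first and then computes the ICV over the SPI, sequence number, IV and ciphertext, so a receiver rejects a corrupted or forged packet before the cipher ever runs, whereas the classic SSL/TLS record (MAC-then-encrypt) must be decrypted before its MAC can be checked. Keys, packet layout and the SHA-256 counter-mode stand-in cipher are constructed for the demo and are not real IPsec transforms.

```python
import hashlib, hmac, os, struct

# Constructed demo keys (not from the page); a real SA carries negotiated keys.
ENC_KEY = b"enc-key-for-demo-only-00"
AUTH_KEY = b"auth-key-for-demo-only-0"
ICV_LEN = 12  # truncated tag, as with HMAC-SHA1-96 in ESP

def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode) so the example needs only the
    stdlib. It is not an ESP transform; only the encrypt/authenticate ordering matters."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + iv + struct.pack(">I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def tag(data: bytes) -> bytes:
    return hmac.new(AUTH_KEY, data, hashlib.sha256).digest()[:ICV_LEN]

def esp_protect(spi: int, seq: int, plaintext: bytes) -> bytes:
    """ESP order: encrypt first, then compute the ICV over SPI || seq || IV || ciphertext."""
    header, iv = struct.pack(">II", spi, seq), os.urandom(8)
    ct = keystream_xor(ENC_KEY, iv, plaintext)
    return header + iv + ct + tag(header + iv + ct)

def esp_unprotect(pkt: bytes, stats: dict):
    """Receiver verifies the ICV before decrypting: a forged or corrupted packet is
    dropped without ever reaching the cipher (stats counts cipher invocations)."""
    header, iv, ct, icv = pkt[:8], pkt[8:16], pkt[16:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(icv, tag(header + iv + ct)):
        return None
    stats["decrypts"] = stats.get("decrypts", 0) + 1
    return keystream_xor(ENC_KEY, iv, ct)

def tls_style_protect(seq: int, plaintext: bytes) -> bytes:
    """SSL/TLS (MAC-then-encrypt) order: MAC the plaintext, then encrypt plaintext || MAC."""
    seq_b, iv = struct.pack(">I", seq), os.urandom(8)
    return seq_b + iv + keystream_xor(ENC_KEY, iv, plaintext + tag(seq_b + plaintext))

def tls_style_unprotect(rec: bytes, stats: dict):
    """Receiver has to decrypt first; only then can the MAC be checked."""
    seq_b, iv, body = rec[:4], rec[4:12], rec[12:]
    stats["decrypts"] = stats.get("decrypts", 0) + 1
    pt_mac = keystream_xor(ENC_KEY, iv, body)
    pt, mac = pt_mac[:-ICV_LEN], pt_mac[-ICV_LEN:]
    return pt if hmac.compare_digest(mac, tag(seq_b + pt)) else None

def flip_bit(b: bytes, idx: int) -> bytes:
    """Simulate on-path corruption or tampering of one ciphertext byte."""
    return b[:idx] + bytes([b[idx] ^ 0x01]) + b[idx + 1:]
```

Feeding a tampered packet to each receiver shows the difference: the ESP receiver's decrypt counter does not move, while the TLS-style receiver has to run the cipher on attacker-controlled bytes before it can reject them.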

Dr. Stephen Kent is BBN's Chief Scientist for information security. He works with government and commercial programs and consults on system design issues. He has acted as system architect in the design and development of several network security systems for the Department of Defense and served as principal investigator on a number of network security research and development projects. His current focus is the design and development of X.509-based public-key certification infrastructures and security of Internet routing infrastructure. Dr. Kent served as a member of the Internet Architecture Board (1983-1994), and chaired the Privacy and Security Research Group of the Internet Research Task Force (1985-1999), both under the auspices of the Internet Society. He now co-chairs the Public Key Infrastructure (PKIX) working group of the IETF, and is the author of the three IPsec standards that define transit traffic processing. Dr. Kent served on the Presidential SKIPJACK Review Panel (1993-1994) and on several National Research Council Study Committees, the most recent of which produced the report, Trust in Cyberspace. He served on the board of directors of the International Association for Cryptologic Research (1982-1989) and is a member of the editorial board for the Journal of Computer Security. Since 1977, Dr. Kent has lectured extensively in the United States, Europe and Australia on the topic of security in computer communication networks. He is a Fellow of the ACM, and a Pioneer member of the Internet Society.



The Care and Feeding of Network Interfaces
Denton Gentry, Sun Microsystems


I would like to discuss issues in the design and implementation of end-system TCP/IP protocol stacks. Much of the attention in networking is focused on routing elements, switch fabrics, and other network infrastructure technology. Yet the design space facing the end system is also quite interesting. How does one terminate connections running at extremely high data rates? How does one move data through a system which employs memory protection? What issues face a designer working in a general purpose operating system which would not be of concern in a closed box environment?

I will also examine trends in the growth of the Internet which will have an impact on the design of the end systems. The rise of the HTTP protocol, with its frequent and short-lived connections, placed distinctly different demands on the end station than what had come before. What sorts of changes can we see coming in the future, and how will they impact the design of the end systems?

Denton Gentry is a Senior Staff Engineer at Sun Microsystems Inc. In his eight years at Sun, Denton has been involved in the implementation of ATM, fast and gigabit Ethernet, Packet over SONET, and several other technologies he might prefer to forget. Denton holds a Master's degree in Computer Science from Stanford University, and a Bachelor of Engineering in Electrical Engineering from the University of Michigan.
