A Multilayer IP Security Protocol for TCP Performance in Wireless Networks Authors: Yongguang Zhang...

A Multilayer IP Security Protocol for TCP Performance in Wireless Networks
Authors: Yongguang Zhang
Source: IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL.22, pp. 767-776, NO.4, MAY 2004
Speaker: Mei-Yu Lin
Date: 2004/12/30


Transcript of A Multilayer IP Security Protocol for TCP Performance in Wireless Networks Authors: Yongguang Zhang...

Page 1: A Multilayer IP Security Protocol for TCP Performance in Wireless Networks Authors: Yongguang Zhang Source: IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS,

A Multilayer IP Security Protocol for TCP Performance in Wireless Networks

Authors: Yongguang Zhang
Source: IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL.22, pp. 767-776, NO.4, MAY 2004
Speaker: Mei-Yu Lin
Date: 2004/12/30

Page 2:

Outline

1. Introduction
2. Analysis of the implication of IPsec in Wireless Networks
3. Principle of Multilayer Security Protection
4. ML-IPsec Design Detail
5. Performance Evaluation
6. Conclusion
7. Future Work about ML-IPsec

Page 3:

1. Introduction

A. TCP performance enhancement mechanism (TCP PEP)
   - TCP Spoofing
B. IPsec
   - A standard for secure communications in the Internet
C. IPsec conflicts with TCP PEP

Page 4:

2. Analysis of the implication of IPsec in Wireless Networks

A. IPsec & End-to-End Security Protection Model
   - Two protocols: AH & ESP
   - Two modes: Transport & Tunnel
   - IP datagram: IP header & upper-layer protocol headers & user data
B. Conflicts between IPsec & TCP PEP
C. Fundamental Limitations of End-to-End Protection
   - Traffic Engineering
   - Traffic Analysis
   - Application-Layer Proxies/Agents
   - Active Networks

Page 5:

2. Analysis of the implication of IPsec in Wireless Networks (cont.)

D. Approaches
   - Replacing IPsec with a transport-layer security mechanism
   - Tunneling one security protocol
   - Using a transport-friendly ESP format
   - Splitting IPsec into two segments

Page 6:

3. Principle of Multilayer Security Protection

A. Divides the IP datagram into zones
B. Each zone has
   - its own set of security associations
   - its own set of private keys
   - its own set of access control rules
C. ML-IPsec defines a complex security relationship involving selected intermediate nodes along the delivery path
   - Example
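The zone principle above, as an added sketch that is not taken from the slides or from the paper: it is simplified to integrity protection only, using HMAC-SHA-256 as a stand-in per-zone ICV. The zone map, keys, datagram and the window-rewrite scenario are constructed assumptions.

```python
import hashlib
import hmac

# Constructed zone map over a toy datagram (assumption, not the paper's format):
# zone 1 = 20-byte TCP header, zone 2 = user data.
ZONE_MAP = {1: (0, 20), 2: (20, None)}

def zone_bytes(datagram, zone):
    start, end = ZONE_MAP[zone]
    return datagram[start:end]

def icv(key, zone, data):
    # Per-zone integrity check value; the zone number is bound in so an ICV
    # cannot be moved from one zone to another.
    return hmac.new(key, bytes([zone]) + data, hashlib.sha256).digest()

def protect(datagram, keys):
    """Sender: one ICV per zone, each under that zone's own key."""
    return {z: icv(keys[z], z, zone_bytes(datagram, z)) for z in ZONE_MAP}

def verify(datagram, icvs, keys):
    """Check only the zones this node holds keys for; returns {zone: bool}."""
    return {z: hmac.compare_digest(icvs[z], icv(k, z, zone_bytes(datagram, z)))
            for z, k in keys.items()}

def pep_rewrite_window(datagram, icvs, keys, window):
    """Intermediate node: rewrite the TCP window (bytes 14-15), re-sign zone 1 only."""
    if not verify(datagram, icvs, keys)[1]:
        raise ValueError("zone 1 ICV invalid")
    new = datagram[:14] + window.to_bytes(2, "big") + datagram[16:]
    return new, {**icvs, 1: icv(keys[1], 1, zone_bytes(new, 1))}

def demo():
    endpoint_keys = {1: b"k-zone1-constructed", 2: b"k-zone2-constructed"}
    router_keys = {1: endpoint_keys[1]}      # router is granted zone 1 only
    datagram = bytes(20) + b"user data"      # constructed sample datagram
    icvs = protect(datagram, endpoint_keys)
    # Authorized change: the router updates the window and re-signs zone 1.
    d2, icvs2 = pep_rewrite_window(datagram, icvs, router_keys, 4096)
    ok = verify(d2, icvs2, endpoint_keys)
    # Change to zone 2 by a node without the zone 2 key: the receiver detects it.
    d3 = d2[:20] + b"USER data"
    tampered = verify(d3, icvs2, endpoint_keys)
    return ok, tampered

if __name__ == "__main__":
    print(demo())
```

The receiver accepts the header change made under the zone 1 key, while any change to the user-data zone fails verification because the intermediate node never held that zone's key.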

Page 7:

4. ML-IPsec Design Details

A. Zones
B. Composite Security Association
   - CSA & SA
C. Protocol Header
   - AH
   - ESP
D. Inbound & Outbound Processing in ML-IPsec
   - ICV (Integrity Check Value)
   - Zone by Zone Encryption
   - Outbound Processing in ML-IPsec
   - Inbound Processing in ML-IPsec
   - Partial In-Out Processing at Intermediate Routers

Page 8:

5. Performance Evaluation

A. Bandwidth Overhead Analysis
   - Table 2
B. Implementation Complexity
   - Table 3
C. Experimental Measurements
   - CONFIG: IP, IPsec, ML-IPsec (one zone), ML-IPsec (two zone)
   - STATUS: the processing delay, the CPU load, the protocol format overhead
   - MODE: Transport & Tunnel
   - PACKET SIZE: 1500bit & 284bit

Page 9:

6. Conclusion

A. IPsec vs. TCP PEP
B. ML-IPsec can be added to an existing IPsec system and its overhead is low.
C. ML-IPsec has achieved the goal
   - granting trusted intermediate routers a secure, controlled, and limited access to selected portions of IP datagrams
D. ML-IPsec preserves the end-to-end security protection to user data.

Page 10:

7. Future Work about ML-IPsec

• An extension of IKE to support ML-IPsec
• Automatic Keying
• To find the efficient mechanism needed for multiparty key distributions

Page 11:

THE END! THANK YOU!