DOCSLIB.ORG

SECURE NETWORKING 101 Macsec, Ipsec, and SSL Basics 2

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
SECURE NETWORKING 101 Macsec, Ipsec, and SSL Basics 2 SECURE NETWORKING 101 MACsec, IPsec, and SSL Basics 2 INTRODUCTION This document is a basic introduction to the most common secure protocols in network communications. THE COMMON CONCEPTS MACSec, IPsec, and SSL/TLS protocols have similar concepts and consist of two “planes” : • The “control plane” which is a management layer used for the management of the secure protocol itself (authentication of the parties, key establishment and rotation, etc.) • The “data plane that protects the upper protocol data which conveys the useful information (payload) in a secured way. All these protocols provide secure services – in the scope of their layer: • Mutual authentication (optional). Each party securely identifies the other party (peer). a. The credentials used for authentication are quite flexible, it can be pre-shared keys, password, or PKI-based, etc. • Integrity. All information that is sent on one side is guaranteed to be delivered unmodified at the other side. • Confidentiality (optional). All payloads are encrypted so that a 3rd party with access to the network would not able to understand it. • Anti-replay. Prevents interception and modification of payload between the 3 source and destination. Ensures invalid payloads are discarded. • Non-repudiation. Ensures that a transferred message has been sent and received by the parties claiming to have sent and received it. MACSEC MACsec is a “link layer” protocol which works on a local network scale –point to point. It protects the link between network equipment, e.g. between a laptop and a switch, or between two switches. The control plane is IEEE 802.1X that is also commonly used for WiFi networks. This protocol allows the control of access to the network: only authenticated peers are able to get connectivity. The data plane is IEEE 802.1AE and is a simple protocol based on Ethernet with AES- GCM encryption of the packets. • When MACsec is in use, only authenticated peers are able to connect to the network. • All local attacks that “trick” switches and routers to redirect network traffic to attacker machines do not work if MACsec is enabled. • MACsec is the wired equivalent of WPA2 in WiFi networks. • MACsec is invisible to the application. It encrypts all traffic without the end point application being aware. A typical use case for MacSec would be to secure the connection between an IP phone in a user’s office to the corporate phone server onsite. 4 IPSEC IPsec is a “network layer” protocol, it works between any two peers participating in an IP network such as the Internet, regardless of how those peers are connected (via many routers, different types of links, etc). • The control plane is IKE or IKEv2 (Internet Key Exchange). • The data plane is IPsec. • This protocol is typically used for VPN, (peer to network, or network to network) • It is a very complex protocol with tons of variants and options. • IPsec is invisible to the application. It encrypts all traffic without the end point application being aware. A typical use case for IPsec is a VPN client on a mobile device connecting to a VPN server in the enterprise to allow employees are away from the office to connect to company resources securely and to authenticate that the users are allowed to connect. Another use case would be to connect a remote office to a common company intranet. SSL / TLS / DTLS SSL, TLS, and DTLS are “transport layer” protocols. They work between two endpoints (in general it means one application running on one host). They provide security directly to the endpoint. TLS (Transport Layer Security) is the replacement for SSL (Secure Sockets Layer), previous versions of SSL are deprecated and potentially have security issues. TLS requires a reliable transport protocol and typically runs over TCP. DTLS (Datagram Transport Layer Security) is based on TLS and adapted to run over 5 UDP (unreliable transport). Those protocols themselves contain several layers that deal with both the control plane and data plane. • SSL/TLS is typically used for application-specific security. For example using https://... The reason is that the credentials of the secure protocols can be bound to the application itself. • In terms of architecture and software implementation, these protocols do not require the user to modify the kernel to implement. However they do require integration into user application(s) as these are not implemented at the system level. • An application can specify encryption and authentication parameters for each host it needs to contact. A typical use case for SSL/TLS is using a web browser (ssl client) to connect to a secure website through https from a public network. Another use case is connecting through a web browser to a routers web based management console. A DTLS use case would be encrypting VOIP traffic, the data is sent in real time and packet loss wouldn’t invalidate the entire connection. The DTLS protocol would keep the connection open and there would be a slight degradation in the call audio corresponding to the bad data. INSIDE SECURE OFFERINGS Inside Secure offers Semiconductor IP and software stacks implementing high performance SSL, TLS, DTLS, IPsec, and MACsec. Inside Secure’s MACsec solution contains the SW stack and corresponding HWIP for both the control and data planes. The included reference data plane implementation may be replaced during integration on a customer’s platform for performance & power consumption considerations. Inside Secure’s QuickSec IPsec solution provides both control and data plane implementations as well. 6 Inside’s SW implementation is efficient for the data plane but can also integrate with accelerated hardware for high performance. Inside’s Quicksec IPsec is the clear market leader supporting a large variation of networking hardware. The software control plane can also use various HW modules for enhanced authentication including SSL. Inside Secure’s MatrixSSL implements the SSL/TLS protocol and has been integrated with our HWIP. MatrixSSL has a generic PKCS #11 interface which can be used to integrate with common hardware implementations. Inside Secure’s SafeZone FIPS library is a FIPS certified cryptography library available for use with IPsec, SSL, or for standalone secure applications. ABOUT INSIDE SECURE Inside Secure provides comprehensive embedded security solutions. World-leading companies rely on Inside Secure’s mobile security and secure transaction offerings to protect critical assets including connected devices, content, services, identity and transactions. Unmatched security expertise combined with a comprehensive range of IP, semiconductors, software and associated services gives Inside Secure customers a single source for advanced solutions and superior investment protection. Inside SECURE sells : • semiconductor hardware solutions that, in particular, integrate secure microcontrollers and electronic solutions enabling secure data storage • software, particularly embedded software providing the secure management and communication of data as well as cryptography algorithms • intellectual property blocks that its customers integrate into the semiconductor platforms of its customers These solutions rely on Inside’s know-how in terms of analog and digital semiconductor design and embedded software, as well as its expertise in the software design of security and certification applications. 7 Inside Secure is the only market player simultaneously offering hardware-only-based solutions (based on secure microcontrollers), software-only-based solutions, and a combination of both hardware and software, in addition to a broad intellectual property solutions portfolio. FOR MORE INFORMATION http://www.insidesecure.com Inside Silicon IP : http://www.insidesecure.com/Markets-solutions/Enterprise-Security-and-Secure- Access/Enterprise-Security-Solutions-for-SoC Inside Protocol Security toolkits : http://www.insidesecure.com/Products-Technologies/Protocol-Security-Toolkits Inside FIPS Certified cryptography library : http://www.insidesecure.com/Markets-solutions/Payment-and-Mobile-Banking/ SafeZone-FIPS2 8 NETWORK LAYERS Inside Secure offers hardware IP and software stacks implementing high performance SSL, TLS, DTLS, IPsec, and MACsec. 9 10.
Load more

Recommended publications
  • A Survey on Authentication Methods for the Internet of Things
    1 A survey on authentication methods for the 2 Internet of Things 1 3 Dylan Sey 1 4 School of Computing, Mathematics and Digital Technology 1 5 Manchester Metropolitan University 6 Corresponding author: 1 7 Dylan Sey 8 Email address: [email protected] 9 ABSTRACT 10 This survey focuses on authentication methods for the Internet of Things (IoT). There are many different 11 authentication methods that are used in the IT industry but not all of these can be adapted for the IoT. 12 Lightweight and mutual authentication methods will be covered in this paper, alongside two authentication 13 methods that are commonly used in other areas of the industry, rather than the IoT area, which are 14 Kerberos and Group audio-based authentication. The survey will find that Mutual authentication is vital 15 for the IoT and, due to the constraints that are apparent within the IoT devices; the lightweight option 16 is very useful when it comes to dealing with areas like low bandwidth. As a result, there will be gaps 17 that could be further investigated such as the advancement of the IoT technology so that more types 18 of authentication are feasible. A conclusion to this paper is that, by combining different methods of 19 encryption and authentication methods, there are always possibilities to make the proposed protocols 20 more lightweight and secure. 21 1 INTRODUCTION 22 This survey will discuss the different methods of the authentication within the Internet of Things (IoT) 23 and then go into one of these methods in further detail.
    [Show full text]
  • Ipv6-Ipsec And
    IPSec and SSL Virtual Private Networks ITU/APNIC/MICT IPv6 Security Workshop 23rd – 27th May 2016 Bangkok Last updated 29 June 2014 1 Acknowledgment p Content sourced from n Merike Kaeo of Double Shot Security n Contact: [email protected] Virtual Private Networks p Creates a secure tunnel over a public network p Any VPN is not automagically secure n You need to add security functionality to create secure VPNs n That means using firewalls for access control n And probably IPsec or SSL/TLS for confidentiality and data origin authentication 3 VPN Protocols p IPsec (Internet Protocol Security) n Open standard for VPN implementation n Operates on the network layer Other VPN Implementations p MPLS VPN n Used for large and small enterprises n Pseudowire, VPLS, VPRN p GRE Tunnel n Packet encapsulation protocol developed by Cisco n Not encrypted n Implemented with IPsec p L2TP IPsec n Uses L2TP protocol n Usually implemented along with IPsec n IPsec provides the secure channel, while L2TP provides the tunnel What is IPSec? Internet IPSec p IETF standard that enables encrypted communication between peers: n Consists of open standards for securing private communications n Network layer encryption ensuring data confidentiality, integrity, and authentication n Scales from small to very large networks What Does IPsec Provide ? p Confidentiality….many algorithms to choose from p Data integrity and source authentication n Data “signed” by sender and “signature” verified by the recipient n Modification of data can be detected by signature “verification”
    [Show full text]
  • Mist Teleworker ME
    MIST TELEWORKER GUIDE ​ ​ ​ ​ ​ Experience the corporate network @ home DOCUMENT OWNERS: ​ ​ ​ ​ Robert Young – [email protected] ​ Slava Dementyev – [email protected] ​ Jan Van de Laer – [email protected] ​ 1 Table of Contents Solution Overview 3 How it works 5 Configuration Steps 6 Setup Mist Edge 6 Configure and prepare the SSID 15 Enable Wired client connection via ETH1 / Module port of the AP 16 Enable Split Tunneling for the Corp SSID 17 Create a Site for Remote Office Workers 18 Claim an AP and ship it to Employee’s location 18 Troubleshooting 20 Packet Captures on the Mist Edge 23 2 Solution Overview Mist Teleworker solution leverages Mist Edge for extending a corporate network to remote office workers using an IPSEC secured L2TPv3 tunnel from a remote Mist AP. In addition, MistEdge provides an additional RadSec service to securely proxy authentication requests from remote APs to provide the same user experience as inside the office. WIth Mist Teleworker solution customers can extend their corporate WLAN to employee homes whenever they need to work remotely, providing the same level of security and access to corporate resources, while extending visibility into user network experience and streamlining IT operations even when employees are not in the office. What are the benefits of the Mist Teleworker solution with Mist Edge compared to all the other alternatives? Agility: ● Zero Touch Provisioning - no AP pre-staging required, support for flexible all home coverage with secure Mesh ● Exceptional support with minimal support - leverage Mist SLEs and Marvis Actions Security: ● Traffic Isolation - same level of traffic control as in the office.
    [Show full text]
  • Configuring Secure Shell
    Configuring Secure Shell The Secure Shell (SSH) feature is an application and a protocol that provides a secure replacement to the Berkeley r-tools. The protocol secures sessions using standard cryptographic mechanisms, and the application can be used similarly to the Berkeley rexec and rsh tools. Two versions of SSH are available: SSH Version 1 and SSH Version 2. • Finding Feature Information, page 1 • Prerequisites for Configuring Secure Shell, page 1 • Restrictions for Configuring Secure Shell, page 2 • Information about SSH, page 2 • How to Configure Secure Shell, page 5 • Configuration Examples for Secure Shell, page 16 • Additional References for Secure Shell, page 18 • Feature Information for SSH, page 18 Finding Feature Information Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module. Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required. Prerequisites for Configuring Secure Shell The following are the prerequisites for configuring the switch for secure shell (SSH): • For SSH to work, the switch needs an Rivest, Shamir, and Adleman (RSA) public/private key pair. This is the same with Secure Copy Protocol (SCP), which relies on SSH for its secure transport.
    [Show full text]
  • Efficient Mutual Authentication for Multi-Domain RFID Systems Using
    Efficient Mutual Authentication for Multi-domain RFID Systems Using Distributed Signatures Michael Braun1, Ulrike Meyer2, and Susanne Wetzel3 1 University of Applied Sciences Darmstadt, Germany 2 RWTH Aachen University, Germany 3 Stevens Institute of Technology, Hoboken, NJ, US Abstract. The use of RFID technology in complex and distributed en- vironments often leads to a multi-domain RFID system in which security issues such as authentication of tags and readers, granting access to data, and revocation of readers turn into an administrative challenge. In this paper, we propose a new public-key-based mutual authentication pro- tocol that addresses the reader revocation problem while maintaining efficiency and identity privacy. In addition, our new protocol integrates fine-grained access control and key establishment with mutual authenti- cation. The core of our solution is the use of the concepts of key-splitting and distributed signatures to solve the validation and revocation prob- lem. We show that our protocols can be implemented on RFID tags using lightweight implementations of elliptic curve cryptography. Keywords: RFID Security, Elliptic Curve Cryptography, Authentica- tion, Data on Tag, Secret Sharing, Distributed Signatures, Key Splitting, Identity Privacy. 1 Introduction Radio Frequency Identification (RFID) technology has become a ubiquitous part of our daily lives. Prominent applications include logistics and electronic travel documents. While in early applications only a unique identifier was stored on an RFID tag, a more recent trend leans towards storing more information on the tag. For example, the new electronic passports include sensitive data such as fingerprints as well as the facial image of the passport holder. As a consequence, security challenges have evolved from protecting the identifier and preventing tag cloning to enabling fine-grained access control to the data stored on the tag and enabling secure data exchange between the reader and the tag.
    [Show full text]
  • The State of the Authenticated Encryption 1
    Ø Ñ ÅØÑØÐ ÈÙ ÐØÓÒ× DOI: 10.1515/tmmp-2016-0038 Tatra Mt. Math. Publ. 67 (2016), 167–190 THE STATE OF THE AUTHENTICATED ENCRYPTION Damian Vizar´ ABSTRACT. Ensuring confidentiality and integrity of communication remains among the most important goals of cryptography. The notion of authenticated encryption marries these two security goals in a single symmetric-key, crypto- graphic primitive. A lot of effort has been invested in authenticated encryption during the fifteen years of its existence. The recent Competition for Authenticated Encryption: Security, Applicability, and Robustness (CAESAR) has boosted the research activity in this area even more. As a result, the area of authenticated encryption boasts numerous results, both theoretically and practically oriented, and perhaps even greater number of constructions of authenticated encryption schemes. We explore the current landscape of results on authenticated encryption. We review the CEASAR competition and its candidates, the most popular con- struction principles, and various design goals for authenticated encryption, many of which appeared during the CAESAR competition. We also take a closer look at the candidate Offset Merkle-Damg˚ard (OMD). 1. Introduction Perhaps the two most fundamental goals of symmetric-key cryptography are providing confidentiality (privacy) and authenticity (together with integrity1) of messages that are being sent over an insecure channel. These two security properties of communication have traditionally been studied separately; they were formalized in separate notions [13], [14], and achieved by separate primitives (e.g., CBC mode for confidentiality and CBCMAC for authentication). c 2016 Mathematical Institute, Slovak Academy of Sciences. 2010 M a t h e m a t i c s Subject Classification: 94A60.
    [Show full text]
  • How Secure Is Textsecure?
    How Secure is TextSecure? Tilman Frosch∗y, Christian Mainkay, Christoph Badery, Florian Bergsmay,Jorg¨ Schwenky, Thorsten Holzy ∗G DATA Advanced Analytics GmbH firstname.lastname @gdata.de f g yHorst Gortz¨ Institute for IT-Security Ruhr University Bochum firstname.lastname @rub.de f g Abstract—Instant Messaging has gained popularity by users without providing any kind of authentication. Today, many for both private and business communication as low-cost clients implement only client-to-server encryption via TLS, short message replacement on mobile devices. However, until although security mechanisms like Off the Record (OTR) recently, most mobile messaging apps did not protect confi- communication [3] or SCIMP [4] providing end-to-end con- dentiality or integrity of the messages. fidentiality and integrity are available. Press releases about mass surveillance performed by intelli- With the advent of smartphones, low-cost short-message gence services such as NSA and GCHQ motivated many people alternatives that use the data channel to communicate, to use alternative messaging solutions to preserve the security gained popularity. However, in the context of mobile ap- and privacy of their communication on the Internet. Initially plications, the assumption of classical instant messaging, fueled by Facebook’s acquisition of the hugely popular mobile for instance, that both parties are online at the time the messaging app WHATSAPP, alternatives claiming to provide conversation takes place, is no longer necessarily valid. secure communication experienced a significant increase of new Instead, the mobile context requires solutions that allow for users. asynchronous communication, where a party may be offline A messaging app that claims to provide secure instant for a prolonged time.
    [Show full text]
  • Nist Sp 800-77 Rev. 1 Guide to Ipsec Vpns
    NIST Special Publication 800-77 Revision 1 Guide to IPsec VPNs Elaine Barker Quynh Dang Sheila Frankel Karen Scarfone Paul Wouters This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-77r1 C O M P U T E R S E C U R I T Y NIST Special Publication 800-77 Revision 1 Guide to IPsec VPNs Elaine Barker Quynh Dang Sheila Frankel* Computer Security Division Information Technology Laboratory Karen Scarfone Scarfone Cybersecurity Clifton, VA Paul Wouters Red Hat Toronto, ON, Canada *Former employee; all work for this publication was done while at NIST This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-77r1 June 2020 U.S. Department of Commerce Wilbur L. Ross, Jr., Secretary National Institute of Standards and Technology Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology Authority This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130. Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority.
    [Show full text]
  • Network Layer Security Adaptation Profile
    Recommendation for Space Data System Standards NETWORK LAYER SECURITY ADAPTATION PROFILE RECOMMENDED STANDARD CCSDS 356.0-B-1 BLUE BOOK June 2018 Recommendation for Space Data System Standards NETWORK LAYER SECURITY ADAPTATION PROFILE RECOMMENDED STANDARD CCSDS 356.0-B-1 BLUE BOOK June 2018 RECOMMENDED STANDARD FOR NETWORK LAYER SECURITY ADAPTATION PROFILE AUTHORITY Issue: Recommended Standard, Issue 1 Date: June 2018 Location: Washington, DC, USA This document has been approved for publication by the Management Council of the Consultative Committee for Space Data Systems (CCSDS) and represents the consensus technical agreement of the participating CCSDS Member Agencies. The procedure for review and authorization of CCSDS documents is detailed in Organization and Processes for the Consultative Committee for Space Data Systems (CCSDS A02.1-Y-4), and the record of Agency participation in the authorization of this document can be obtained from the CCSDS Secretariat at the e-mail address below. This document is published and maintained by: CCSDS Secretariat National Aeronautics and Space Administration Washington, DC, USA E-mail: [email protected] CCSDS 356.0-B-1 Page i June 2018 RECOMMENDED STANDARD FOR NETWORK LAYER SECURITY ADAPTATION PROFILE STATEMENT OF INTENT The Consultative Committee for Space Data Systems (CCSDS) is an organization officially established by the management of its members. The Committee meets periodically to address data systems problems that are common to all participants, and to formulate sound technical solutions to these problems. Inasmuch as participation in the CCSDS is completely voluntary, the results of Committee actions are termed Recommended Standards and are not considered binding on any Agency.
    [Show full text]
  • Guidelines for the Secure Deployment of Ipv6
    Special Publication 800-119 Guidelines for the Secure Deployment of IPv6 Recommendations of the National Institute of Standards and Technology Sheila Frankel Richard Graveman John Pearce Mark Rooks NIST Special Publication 800-119 Guidelines for the Secure Deployment of IPv6 Recommendations of the National Institute of Standards and Technology Sheila Frankel Richard Graveman John Pearce Mark Rooks C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 December 2010 U.S. Department of Commerce Gary Locke, Secretary National Institute of Standards and Technology Dr. Patrick D. Gallagher, Director GUIDELINES FOR THE SECURE DEPLOYMENT OF IPV6 Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-119 Natl. Inst. Stand. Technol. Spec. Publ. 800-119, 188 pages (Dec. 2010) Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately.
    [Show full text]
  • A Technical Comparison of Ipsec and SSL
    A Technical Comparison of IPSec and SSL y Ab delNasir Alshamsi Takamichi Saito Tokyo University of Technology Abstract p osed but the most famous secure and widely de ployed are IPSec IP Security and SSL Secure So cket Layer IPSec IP Security and SSL SecureSocket Layer In this pap er we will provide a technical comparison have been the most robust and most potential tools of IPSec and SSL the similarities and the dierences available for securing communications over the Inter of the cryptographic prop erties The results of per net Both IPSec and SSL have advantages and short formance are based on comparing FreeSWAN as comings Yet no paper has been found comparing the IPSec and Stunnel as SSL two protocols in terms of characteristic and functional ity Our objective is to present an analysis of security and performancepr operties for IPSec and SSL IPSec IPSec is an IP layer proto col that enables the Intro duction sending and receiving of cryptographically protected packets of any kind TCPUDPICMPetc without any provides two kinds of crypto mo dication IPSec Securing data over the network is hard and compli graphic services Based on necessity IPSec can provide cated issue while the threat of data mo dication and condentiality and authenticity or it can provide data interruption is rising The goal of network security authenticity only is to provide condentiality integrity and authenticity Condentiality is keeping the data secret from the ESP Encapsulated SecurityPayload unintended listeners on the network Integrity is en suring
    [Show full text]
  • Man-In-The-Middle in Tunnelled Authentication Protocols
    Man-in-the-Middle in Tunnelled Authentication Protocols N. Asokan, Valtteri Niemi, Kaisa Nyberg Nokia Research Center, Finland n.asokan,valtteri.niemi,kaisa.nyberg @nokia.com f g Extended Abstract 1 Abstract Deploying a new security protocol is expensive. This encourages system designers to look for ways of re-using existing infrastructure. When security protocols and components are re-used, it is critical to re-examine the security of the resulting system as a whole. For example, it has become a common paradigm to run a legacy client authentication protocol within a server-authenticated tunnel. The commonest example of such composition is the use of HTTP authentication inside a TLS tunnel. In this paper, we describe a man-in-the-middle attack on such protocol composition. The vulnerability arises if the legacy client authentication protocol is used both in tunnelled and untunnelled forms. We propose to solve the discovered problem by using a cryptographic binding between the client authentication protocol and the protection protocol. 1 Introduction When new services and applications are developed, their security requirements and trust assumptions may necessitate designing and deploying new security protocols. Deploying a new security protocol is expensive. This encourages system designers to look for ways of re-using existing infrastructure. One form of reuse is to build on existing protocol components or frameworks so that the need to deploy new software is reduced. But the most difficult aspect of deployment is the cost of provisioning initial security associations, especially to end user devices. Consequently, there is considerable pressure to reuse security protocols and security context databases beyond their originally intended purposes and environments.
    [Show full text]