March 2001

AN INTRODUCTION TO IPsec (INTERNET PROTOCOL SECURITY)

By Sheila Frankel, Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology

ITL Bulletins are published by the Information Technology Laboratory (ITL) of the National Institute of Standards and Technology (NIST). Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Bulletins are issued on an as-needed basis and are available from ITL Publications, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8901, Gaithersburg, MD 20899-8901, telephone (301) 975-2832.

In its early days, the Internet was the domain of academics and researchers. Its goal was to maximize communication, connectedness and collaboration, and to minimize barriers that would detract from the realization of those goals. By the late 1980s, it became apparent that some individuals were abusing the capabilities of the Internet and were reading or changing information they shouldn’t, and even deliberately causing some Internet services to fail. Security continues to be a major concern in today’s Internet. Fundamental changes to improve the security of basic Internet services have been slow in their development. In the intervening time, two types of solutions have emerged in response to the security hazards that threaten Internet traffic: localized solutions and application-specific solutions. The localized solutions are attempts by administrators to isolate or fortify their particular fiefdoms, and take the form of screening routers, firewalls, defensive scanners, and the elimination of known security holes from operating systems and application programs. The application-specific solutions are applied to specific applications, such as electronic commerce or e-mail, and are agreed upon by some segment of the user population.

Over time, it became obvious that these techniques were not general enough and that security services must be added to the Internet Protocol (IP) itself. In 1992 the Internet Engineering Task Force (IETF) began such an effort called IPsec. What differentiates IPsec from other solutions? IPsec is an attempt to utilize cryptographic techniques in a more global solution to the problem of Internet security. Rather than requiring each e-mail program or web browser to implement its own security mechanisms, IPsec involves a change to the underlying networking facilities that are used by every application. It also allows network managers to apply protection to network traffic without involving the end users.

What is IPsec used for today? Figure 1 shows two typical scenarios: the “road warrior” and the Virtual Private Network (VPN). A road warrior is a business employee who is working at home or at another location away from their office and needs to access an office computer. IPsec can ensure that those communications are conducted in a private, tamper-proof manner. Another common use of IPsec is the creation of a VPN. If a company needs to conduct secure communications among scattered locations, a private network can be constructed by leasing or stringing private communication lines. A less expensive and more flexible alternative is a VPN that uses the Internet as the communications medium and employs IPsec to ensure that these communications are indeed private. Although the VPN’s traffic crosses the public Internet, IPsec protection prevents unauthorized outsiders from reading or modifying the traffic. In Figure 1, the road warrior’s host, H1, provides its own IPsec protection; the networks N1 and N2 obtain their IPsec protection from the VPN connecting security gateways SG1 and SG2, respectively.

[Figure 1: IPsec Usage Scenarios. Labels: Host H1; Internet; Network N1 with Hosts H1-1, H1-2, H1-3 behind Gateway SG1; Network N2 with Hosts H2-1, H2-2, H2-3 behind Gateway SG2.]

Security Protections Provided by IPsec

IPsec can provide some or all of the following types of protection.

■ Connectionless Integrity: a guarantee that the message that is received is the exact one that was sent, and no tampering has occurred. Why “connectionless”? This is because communications at the Internet layer follow a Post Office model (as opposed to a Phone Company model). Messages are sent from the sender to the receiver, but no attempt is made to ensure that they are received in order, or that any (or all) were in fact received. That task is left to one of the upper layer protocols.
■ Data Origin Authentication: a guarantee that the message actually was sent by the apparent originator of the message, and not by another user masquerading as the supposed message originator.
■ Replay Protection: assurance that the same message is not delivered multiple times and that messages are not delivered grossly out of order. This capability must be implemented by the sender, and the receiver may optionally enable its use.
■ Confidentiality or privacy: a guarantee that, even if the message is “read” by an observer, the contents are not understandable, except to the authorized recipient.
■ Traffic analysis protection: an assurance that an eavesdropper cannot determine who is communicating with whom or determine the frequency and volume of communications between specific entities.

IPsec Context and Components

IPsec is a protocol that operates within the Internet Protocol (IP). IP in turn is one part of a layered suite of communication protocols known as TCP/IP. The upper layers, the transport and application layers, rely on the protocol, IP, for the following:

■ transmitting messages (generally called packets in this context) from one host to another
■ routing the messages so that they arrive at the desired destination
■ if the messages are too large to be transmitted by one or more of the network links encountered along the way, breaking the messages into smaller fragments and, at the other end, re-assembling the fragments to reconstruct the original message

IP accomplishes these tasks through the use of the IP header, which is inserted at the beginning of each message and contains all of the information (source and destination addresses, etc.) required for the message to traverse the Internet and arrive at its destination.

The IPsec protocols are additions to IP that enable the sending and receiving of cryptographically protected messages. This is accomplished through the use of two special IPsec headers, inserted immediately after the IP header in each message. The Encapsulating Security Protocol (ESP) Header provides privacy and protects against malicious modification, and the Authentication Header (AH) protects against malicious modification without providing privacy. The Internet Key Exchange (IKE) protocol is a mechanism that allows for secret keys and other protection-related parameters to be exchanged prior to a communication without the intervention of the user. The IPsec and IKE protocols are being developed within the IPsec working group under the umbrella of the Internet Engineering Task Force (IETF).

The Authentication Header (AH) and the Encapsulating Security Payload (ESP) Header

AH uses a keyed message authentication algorithm (MAC) to provide connectionless integrity and data origin authentication protection. This protection covers the packet’s data portions, as well as certain portions of the IP header: those IP header fields that cannot change in an unpredictable manner as the packet traverses the Internet. The ESP header can also provide integrity and authentication protection through the use of a keyed MAC. In addition to, or in place of, these types of protection, the ESP header can use an encryption algorithm to provide confidentiality. The ESP’s protections cover the packet’s data, but not the IP header. Both AH and ESP can provide replay protection. Each header identifies the types of cryptographic protection that were applied to the packet and includes other information necessary for the successful decoding of the protected packet.

If AH or ESP is added to an IP packet following the existing IP header, this is referred to as transport mode. An alternative, tunnel mode, requires the insertion of an additional IP header to the packet, but offers increased flexibility. Transport mode IPsec is limited to host-to-host communications, in which each host provides its own IPsec capabilities. With tunnel mode, a security gateway can provide IPsec protection for one or more hosts or networks located behind the gateway. If tunnel mode ESP is used, traffic analysis protection can also be provided. Tunnel mode AH and ESP protect the original IP header and the packet data; tunnel mode AH also protects portions of the new IP header. Figure 2 shows the placement of the IPsec headers within an IP packet in both transport and tunnel mode, and the portions of the packet that are protected by each header.

[Figure 2: IPsec Header Placement. Transport Mode: IP Header, AH Header, ESP Header, Upper Protocol Headers and Packet Data. Tunnel Mode: Outer (new) IP Header, AH Header, ESP Header, Inner (original) IP Header, Upper Protocol Headers and Packet Data. Each mode is marked with the Authenticated Fields (AH), Encrypted Fields (ESP) and Authenticated Fields (ESP).]

Since ESP can provide the same protections as AH, as well as privacy, why are two distinct security headers necessary? The answer lies in the dual realms of history and politics. A number of countries forbid the export of software that enables or incorporates encryption. The initial IPsec definition split off the undeniably exportable AH from the more problematic (in terms of exportability) ESP header. In its original form, the ESP header provided only encryption; if authentication was required, both headers had to be applied. Since an encrypted, unauthenticated packet is vulnerable to several types of modification attacks, every encrypted packet should also be authenticated, which would have required the use of both IPsec headers for each protected packet. Therefore, in the second round of IPsec development, authentication was added to the ESP Header. Initially, the new, improved ESP Header always provided encryption and, optionally, authentication. The definition of the Null ESP Encryption Algorithm allowed the ESP Header to provide authentication without encryption, thus duplicating the Authentication Header. It is true that the Authentication Header protects header fields that are not protected by the ESP Header, in particular the source and destination addresses. However, if the Internet Key Exchange (IKE) is used to negotiate the IPsec protections and the related secret keys, this serves to bind the participants' addresses to the keys, effectively authenticating these critical IP header fields. In addition, the Authentication Header processing, faced with the necessity to distinguish between mutable and non-mutable IP header fields, is more complex than that required for ESP. The Authentication Header was left intact for the original political reasons, as well as through a desire not to radically alter the IPsec protocols, which were already beginning to be implemented and used. It is possible that at some future time it may be either eliminated or converted into an optional component of IPsec.

The Cryptographic Algorithms

Since the format of Internet packets is publicly defined and well known, a packet that traverses the Internet can easily be captured and its contents can be read and/or changed. Even the checksums that are part of the Internet packet format cannot protect a packet from unauthorized alteration. These checksums were intended to guard against data corruption caused by malfunctioning devices. If the data alteration is intentional, the checksum can simply be re-computed by the attacker, and the packet will appear to be perfectly intact. How, then, can Internet packets be protected from attacks by cyber-menaces? The solution involves the use of secret codes. If the contents of a message are rendered unintelligible through the application of a secret code, then those contents are safe from prying eyes. If a message’s contents are left intact, but a secret code is used to compute a value that uniquely characterizes this message, then the message’s contents cannot be altered without alerting the recipient that something is amiss. Today’s computer-assisted code-breakers, or cryptanalysts, are capable of breaking extremely complex secret codes. Therefore, information that is impossible to guess, even with the aid of today’s computing power, must form an integral part of the coded messages. This information, the secret key, must be known only to the communication’s participants.

A one-way hash is an algorithm that computes a characteristic value, or hash, for a message in such a way that it is not feasible, given only the hash, to re-construct the original message. Computing this type of hash and transmitting it with the original message would be sufficient to alert a recipient to transmission errors that occurred as a result of equipment malfunction or transmission “noise.” It does not protect a message from purposeful tampering, since the entity that tampers with the message can simply re-compute the hash so that it matches the newly changed message. What is required is a keyed hash, one that permeates every bit of the hash with information from a secret key. This type of hash, which is also called a Message Authentication Code, or MAC, can only be computed by an entity that possesses the secret key. If that key is known only to the sender and the recipient of a message, the sender can compute the MAC before transmitting the message, and the recipient can re-compute the MAC to verify that the message as received is identical to the message that was originally sent. This also serves to provide data origin authentication. The mandatory IPsec MACs, used in both AH and ESP, are HMAC-MD5 and HMAC-SHA-1.

The ESP Header encryption algorithms are all block-oriented algorithms. Each block of input text, or plaintext, is transformed, through the use of the encryption algorithm in conjunction with a secret key, into its encrypted counterpart, known as ciphertext. If each block were encrypted separately, it would make an attacker’s job much easier, since the contents of some portions of an Internet packet are known. Thus, if each block could be decrypted separately, without reference to any other block, the predictable blocks could be more easily attacked. Once the key was known, every block could be decrypted. For this reason, every mandatory IPsec algorithm incorporates within its definition a feedback mechanism; the encryption of each block has, as one of its inputs, the cryptographically computed output of the previous block. The mandatory IPsec encryption algorithm is DES (the Data Encryption Standard). However, in recent years DES has become vulnerable to attack; most IPsec implementations include a stronger variant of DES, called Triple DES. Other encryption algorithms that can be used with the ESP header include Blowfish, CAST, IDEA, and RC5. The Null Encryption Algorithm does not provide encryption, enabling the use of ESP for authentication alone. The AES (Advanced Encryption Standard), NIST’s newly defined DES replacement, can also be used once the AES is finalized.

The Internet Key Exchange (IKE)

Before two communicating entities can exchange secure communications, they need to agree on the nature of the security to be applied to those communications: which security headers (AH, ESP, or both) will be applied; the cryptographic algorithms to be used; the secret keys; the types of communications to be protected; the lifetime of the agreement; etc. A security association, or SA, consists of all the information that is needed to characterize and exchange protected communications. The goal of an IKE negotiation is to enable the peers to dynamically agree on the IPsec protections that will be applied to future communications. This is accomplished through a two-phase negotiation: Phase 1 establishes an ISAKMP (Internet Security Association and Key Management Protocol) SA, which is a secure channel through which the IPsec SA negotiation can take place. Phase 2 establishes the actual IPsec SA or, more precisely, a pair of one-way IPsec SAs: an inbound SA and an outbound SA.

The most common Phase 1 exchanges are Main Mode and Aggressive Mode. A Main Mode exchange consists of six messages; an Aggressive Mode exchange, three messages. At the cost of three extra messages, Main Mode provides identity protection, enabling the peers to hide their actual identities from potential attackers. This means that the peers’ identities are never exchanged unencrypted in the course of the IKE negotiation. In the case in which the identity of the SA’s owner differs from the negotiator’s IP address, this results in hiding that identity from eavesdroppers on the Internet. Identity protection is useful even when a system is negotiating its own host-to-host SA, since an attacker can’t be sure whether the encrypted identity is the sender’s IP address or not. Under certain circumstances, if the peers possess and have previously exchanged Public Key Certificates, Aggressive Mode can also provide identity protection. A Phase 1 exchange has three goals:

■ Negotiate Security Parameters: The initiator and responder must agree on the values and settings of a number of parameters that will govern the format of the last two (encrypted) messages of Phase 1 and all of the Phase 2 messages. They must also negotiate which method the peers will use to authenticate each other; the maximum lifetime of the Phase 1 SA, and how that lifetime will be measured; the method to be used to establish the shared secret that will be used to calculate the Phase 1 keying material, and the parameters used to generate the shared secret. These values collectively make up the ISAKMP SA.
■ Establish a shared secret: Once the peers have agreed upon the method and parameters to be used to generate the Phase 1 shared secret, a Diffie-Hellman exchange is conducted to establish that shared secret, which will be used in the generation of secret keys.
■ Authenticate identities: The peers authenticate each other's identities based on some additional out-of-band information. This information can be a pre-shared secret key, a digital signature, or encryption and decryption using each peer’s public-private key pair. Peer authentication ensures that the SA is being established with a provably identifiable peer.

Once the ISAKMP SA is established, it can be used to protect multiple Phase 2 exchanges until its lifetime expires or some other untoward event occurs (such as a rebooting of the machine, causing the current SAs to be lost). The most common Phase 2 exchanges are Quick Mode Exchanges and Informational Exchanges. An Informational Exchange uses the Phase 1 SA to protect a diagnostic or informational message. A Quick Mode Exchange negotiates an IPsec SA. A Phase 2 Quick Mode exchange has three goals:

■ Negotiate Security Parameters: The initiator and responder must agree on the values and settings of a number of parameters that will govern the operation of the negotiated IPsec SA. They must also negotiate the maximum lifetime of the SA and how that lifetime will be measured. If perfect forward secrecy is desired, they must also communicate the parameters used to generate the shared secret that will be used to calculate the Phase 2 keying material and establish the shared secret itself.
■ Replay Prevention: Authenticating hashes, which include freshly generated random values (nonces), are exchanged and verified to ensure that this negotiation is not merely a replay of a previous Phase 2 Negotiation.
■ Generate Keying Material: Using the shared secret from Phase 1 (or a newly generated shared secret if perfect forward secrecy is required), the keying material for the IPsec SA is produced. The Phase 2 nonces are also used in this process, to ensure the freshness of the keying material.

In addition, two additional goals may be satisfied:

■ Provide Perfect Forward Secrecy (PFS) of Keys and/or Identities: PFS is a guarantee that only one key has been generated from a single Diffie-Hellman exchange, and that key has no relationship to any other keys used between the peers. This ensures that discovery of the key by a third party will jeopardize only traffic that was protected with the single discovered key, but not traffic that was protected by another key negotiated by the peers. PFS of keys is provided by performing a second Diffie-Hellman exchange during Phase 2 and generating the IPsec SA's key from the new shared secret, rather than using the same shared secret that was used to generate the Phase 1 keys. PFS of identities is provided by deleting the Phase 1 SA after it has been used for a single Phase 2 Quick Mode Exchange.
■ Exchange Identities: If the address of the negotiating peer is not sufficient to characterize the IPsec SA, the endpoint identities must be exchanged. This is necessary in the following cases:
  ❒ The peer is negotiating an SA on behalf of another entity (for example, a gateway negotiating a tunnel-mode SA for one or more clients).
  ❒ Multiple SAs exist between the peers, each of which is used to protect different types of traffic.

The renegotiation of an IPsec SA is triggered by the end of the SA’s lifetime as measured in elapsed time or number of kilobytes of data protected by the SA. Although a new SA must be negotiated, including the complete set of SA parameters, this process is often referred to as re-keying, since it is the exposure of the secret keys that motivates the SA renegotiation. Too much elapsed time since the SA negotiation or too much data encrypted by the encryption key can provide enough time and ammunition for a variety of attacks aimed at discovering the secret key. If the ISAKMP SA through which the IPsec SA was negotiated is still alive, it can again be used to negotiate the IPsec SA’s successor, and only a Phase 2 negotiation takes place. If the ISAKMP SA has also expired, a full-blown two-phase negotiation must again occur. In any IKE exchange, one peer assumes the role of initiator and the other the role of responder. However, in any subsequent IKE exchange, the roles can be reversed. This applies to a Phase 2 negotiation that follows a Phase 1, or to a Phase 1 exchange that renegotiates an about-to-expire Phase 1 SA, or any other IKE negotiation.

IKE and the Road Warrior

The original IKE standards work well for peers with fixed IP addresses. For example, a business with several branch offices, suppliers, and trading partners can use IKE to establish a variety of SAs for the different classes of secure communications, classifying the traffic into different categories according to IP address, subnet, and/or application type. IKE can also handle peers with address-independent credentials verified through the use of Public Key Certificates. For those that have neither a fixed address nor a Public Key Infrastructure (PKI), it is a different situation. In particular, it is necessary to consider the road warrior, a business employee who would like to access a network protected by a security gateway, but whose IP address is either not known or not trusted by the gateway. The case of the unknown IP address occurs when the road warrior dials into an Internet Service Provider (ISP) and then connects to the gateway over the Internet. Since the ISP-assigned address is variable, it cannot be known in advance by the gateway. An untrusted IP address can arise when the road warrior uses someone else’s host, either an Internet kiosk in an airport, shopping mall or library or a host that is in a location that can be accessed both by trusted company employees and by outsiders. In this case, the IP address only suffices to authenticate the host machine. Some active user input is required to ensure that the host is being used by an authorized user.

A spin-off group was formed within the IETF to handle the road warrior problem and other, related issues involved in secure remote access. This group is called IPsra, or IP Secure Remote Access. Solutions proposed within IPsra need to follow several guidelines:

■ No changes to IKE. IKE is a highly complex protocol, which will most likely be redesigned at some future time. However, that will be done by the IPsec group. Meanwhile, IPsra solutions must be capable of working within the context of currently deployed IKE implementations.
■ Facilitate the transition to full-scale PKI deployment. Today’s IPsra solutions will use legacy authentication methods, such as RADIUS, to generate short-term certificates or credentials. The generated certificates/credentials can be used today to authenticate road warriors that lack long-term PKI certificates. As certificates and PKI are more widely deployed, these short-term solutions will become less critical to widespread IKE deployment.

Two IPsra solutions are currently defined: GetCert and PIC (pre-IKE Credential Provisioning Protocol). Both can issue user credentials in the form of a certificate; PIC’s credentials can also take the form of a pre-shared secret key. Both rely on the fact that the authentication server or security gateway already has a certificate that is trusted by the road warrior. It only remains to leverage the legacy authentication method to issue a credential, possibly a short-lived one, which can serve to authenticate the road warrior to the gateway. Thus, the information that is exchanged for the purpose of user authentication, including the user’s identity, can be secured against eavesdropping and replay attacks. The proposed solutions differ in several respects: the protocol used to transport the authentication information (HTTP vs. EAP); the mechanism used to secure the authentication information (TLS vs. a variant of IKE); which entity generates the public-private key pair (server vs. client); and the certificate enrollment mechanism (SCEP vs. new IKE payloads). One of them will be selected as the IPsra approach of choice. However, the scheme that is adopted may be revised to incorporate aspects of the other approach as well.

Policy Determination and Enforcement

IKE negotiates IPsec SAs. On the local level, these SAs control IPsec communications, both inbound and outbound, for a single host or gateway relative to its potential peers. But now other questions arise: How does a host decide upon and configure its IPsec security policies? These policies govern what types of traffic can be exchanged without IPsec protection, as well as the types of IPsec protection to be applied to traffic that requires this security. How can two peers minimize the probability that their IPsec policies are totally different, thus maximizing the possibility that an IKE negotiation between the peers will be successful, resulting in the establishment of one or more SAs? There are also issues related to the use of security gateways. How can peers that require IPsec protection, but cannot provide it themselves, locate security gateways to accomplish this task? How can a host determine whether to negotiate policy directly with its peer or with a security gateway? If the peer is protected by a gateway, how does the host securely ascertain its own gateway’s location? A separate IETF group, the IPsec Policy (IPSP) Working Group, was established to address these issues. Its tricky mandate is to solve these problems in a manner that is consistent with existing policy-related terminology, theory and solutions, requiring no changes to the classic IPsec protocols or IKE, but filling in the blanks with approaches that are both generally applicable and secure. The group is currently in the process of defining a policy framework and architecture, the pieces that comprise a policy-based solution, and their interactions.

Recommended Use of IPsec by Government Agencies

■ Agencies would be well advised to consider IPsec to accomplish two goals:
  ❒ enabling road warriors and telecommuters to securely access the agency's network
  ❒ establishing a VPN to connect multiple agency branches or offices
■ IPsec lends itself very well to incremental deployment. An initial pilot could connect two offices and/or a small number of telecommuters. This could then be expanded in stages until full deployment is achieved.

The Future of IPsec

IPsec is currently used to establish VPNs and to enable road warrior communications. Many implementations incorporate proprietary elements to enable those aspects of the solution that are not yet completely standardized. It is also expected that IPsec will be used to secure other Internet protocols and technologies. At a recent conference whose sole focus was IPsec [IPsec2000, Paris Le Defense, October 2000, http://www.upperside.fr/baipsec2.html], a panel of experts was convened to answer the questions: Where are we now? What are the most pressing issues? What changes can we expect to see? It was agreed that IPsec and IKE interoperate, and that it is possible to create a working IPsec VPN using the products of any two different vendors. Three or more vendors in an operational (as opposed to experimental or research) environment are still a tricky business. The consensus was that the following features remain to be addressed:

■ Transparent interoperability among the IPsec implementations of more than two vendors.
■ Simple, failsafe configuration of IPsec devices.
■ Secure, user-friendly VPN management and administration.
■ A non-proprietary uniform approach to IPsec remote access, including authentication that crosses administrative boundaries.
■ Inter-domain and intra-domain policy issues: non-proprietary policy configuration that is applicable to a wide range of devices (wireless devices, palm pilots, household appliances); a secure policy distribution mechanism; gateway discovery.
■ Facilitation of IPsec-based VPNs managed by ISPs. Adding accounting, auditing and billing capabilities to IPsec devices will allow ISPs to provide different levels of service to different customers. It will also allow customers to include quality of service as a criterion for satisfactory VPN management.
■ The inclusion of high-availability backup capability and resiliency in IPsec devices.
■ The seamless integration of IPsec as an integral part of the networking infrastructure.

Additional issues will doubtless crop up as a result of the widespread deployment of IPsec and the increased installation of very high-speed networks.

Further Information

All of the Internet protocols, including IPsec, are defined in documents that were developed under the sponsorship of the Internet Engineering Task Force (IETF). An Internet Draft (ID) describes a protocol that is in the early stages of development. Once the technology reaches a certain level of consensus and there are multiple vendor implementations of the protocol, it is reclassified as a Request for Comments (RFC). All current Internet Drafts and RFCs can be found at the IETF’s web site, http://www.ietf.org.

The charter of each working group, along with a list of the group’s current Internet Drafts and RFCs, can be found at http://www.ietf.org/html.charters/wg-dir.html.

A list of each working group’s current Internet Drafts, including a short description of each draft, can be found at http://www.ietf.org/1id-abstracts.html.

The e-mail discussion list archive of each working group can be found at http://www.vpnc.org.

A description of NIST’s IPsec project can be found at http://csrc.nist.gov/ . This includes information about NIST’s IPsec reference implementation (Cerberus), NIST’s IKE reference implementation (PlutoPlus), and NIST’s interactive web-based interoperability tester, IPsec-WIT.

Portions of this security bulletin were taken from the upcoming book, Demystifying the IPsec Puzzle, by Sheila Frankel, to be published by Artech House Publishers in April 2001.

Disclaimer: Any mention of commercial products or reference to commercial organizations is for information only; it does not imply recommendation or endorsement by NIST nor does it imply that the products mentioned are necessarily the best available for the purpose.
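The bulletin explains that an unkeyed checksum can simply be re-computed by whoever alters a packet, that a keyed MAC cannot, and that AH covers only the IP header fields that do not change unpredictably in transit. The following is an added example, not code from NIST or from the bulletin, that shows all three points on a bare IPv4 header plus payload. It is a simplified model: it uses HMAC-SHA-1 truncated to 96 bits, leaves out the AH header itself, treats TOS, flags/fragment offset, TTL and header checksum as the mutable fields, and uses a constructed key, addresses and payloads.

```python
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"   # constructed sample key known only to sender and receiver
ICV_LEN = 12                    # HMAC-SHA-1 output truncated to 96 bits


def internet_checksum(data: bytes) -> int:
    """Unkeyed 16-bit one's-complement checksum used in the IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def set_checksum(header: bytes) -> bytes:
    """Return the 20-byte header with a freshly computed checksum field."""
    h = bytearray(header)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", internet_checksum(bytes(h)))
    return bytes(h)


def build_packet(src: str, dst: str, ttl: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (no options, protocol 17) with a valid checksum."""
    header = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, 17, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return set_checksum(header) + payload


def checksum_ok(packet: bytes) -> bool:
    """A header whose checksum field is correct sums to zero."""
    return internet_checksum(packet[:20]) == 0


def forward(packet: bytes) -> bytes:
    """What an honest router does: decrement TTL and fix the checksum."""
    h = bytearray(packet[:20])
    h[8] -= 1
    return set_checksum(bytes(h)) + packet[20:]


def rewrite(packet: bytes, src: str = None, payload: bytes = None) -> bytes:
    """What a party altering the packet does: change fields, then re-compute the checksum."""
    h = bytearray(packet[:20])
    body = packet[20:] if payload is None else payload
    if src is not None:
        h[12:16] = ipaddress.IPv4Address(src).packed
    h[2:4] = struct.pack("!H", 20 + len(body))
    return set_checksum(bytes(h)) + body


def ah_icv(key: bytes, packet: bytes) -> bytes:
    """Keyed MAC over the payload and the header with its mutable fields zeroed."""
    h = bytearray(packet[:20])
    h[1] = 0                    # TOS
    h[6:8] = b"\x00\x00"        # flags and fragment offset
    h[8] = 0                    # TTL
    h[10:12] = b"\x00\x00"      # header checksum
    return hmac.new(key, bytes(h) + packet[20:], hashlib.sha1).digest()[:ICV_LEN]


def verify(key: bytes, packet: bytes, icv: bytes) -> bool:
    """Receiver side: re-compute the MAC and compare in constant time."""
    return hmac.compare_digest(ah_icv(key, packet), icv)


if __name__ == "__main__":
    pkt = build_packet("192.0.2.10", "198.51.100.20", 64, b"transfer 100 to account 1234")
    icv = ah_icv(KEY, pkt)
    cases = {
        "routed (TTL changed)": forward(pkt),
        "payload altered": rewrite(pkt, payload=b"transfer 900 to account 6666"),
        "source address altered": rewrite(pkt, src="203.0.113.5"),
    }
    for name, p in cases.items():
        print(f"{name:24} checksum_ok={checksum_ok(p)} mac_ok={verify(KEY, p, icv)}")
```
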