• Proceedings of the Korean Information Science Society Conference
• /
• 2005.07a
• /
• pp.160-162
• /
• 2005

IPsec Tunnel Mode를 이용하여 보안 네트워크를 구축 시, 네트워크 구성이 중복된 경우에는 중복되지 않도록 재구성해야 하는 문제가 있다. 본 논문에서는 IPSec Tunnel Mode 통신을 하고자 하는 두 네트워크가 중복된 경우, IPSec 네트워크 별칭 기법을 통하여, 이전 네트워크의 구성을 변경하지 않고 통신할 수 있는 방안을 제시한다.

• Journal of KIISE:Computing Practices and Letters
• /
• v.11 no.6
• /
• pp.531-537
• /
• 2005

The Tunnel Broker is to provide dedicated servers and to automatically manage tunnel requests coming from the users. This approach is useful to stimulate the growth of IPv6 interconnected hosts and to provide easy access to their IPv6 networks. However, the existing tunnel broker is vulnerable to attacks of malicious users about network resources and services. Therefore, to solve the secure problem of tunnel broker, this paper presents secure IPv6 tunnel broker based on TSP(Tunnel Setup Protocol). The clients and the tunnel broker are communicated based on SHTTP(Secure HTTP) and the XML message of plain text is converted to XML signature by encryption and decryption. finally, Clients and tunnel server use the IPsec method to protect the important information.

• Journal of KIISE:Information Networking
• /
• v.34 no.1
• /
• pp.1-15
• /
• 2007

Increase in the wireless mobile network users brings the issue of mobility management into the Virtual Private Network (VPN) services. We propose a provider edge (PE)-based provider provisioned mobile VPN mechanism, which enables efficient communication between a mobile VPN user and one or more correspondents located in different VPN sites. The proposed mechanism not only reduces the IPSec tunnel overhead at the mobile user node to the minimum, but also enables the traffic to be delivered through optimized paths among the (mobile) VPN users without incurring significant extra IPSec tunnel overhead regardless of the user's locations. The proposed architecture and protocols are based on the BGP/MPLS VPN technology that is defined in RFC24547. A service provider platform entity named PPVPN Network Server (PNS) is defined in order to extend the BGP/MPLS VPN service to the mobile users. Compared to the user- and CE-based mobile VPN mechanisms, the proposed mechanism requires less overhead with respect to the IPSec tunnel management. The simulation results also show that it outperforms the existing mobile VPN mechanisms with respect to the handoff latency and/or the end-to-end packet delay.

• Proceedings of the IEEK Conference
• /
• 2006.06a
• /
• pp.37-38
• /
• 2006

In this paper, we describe a security problem of IPsec. And we propose a solution for this problem. The problem is a fragility of IPsec Gateway which is used in tunnel mode. The role of IPsec Gateway is encrypting or decrypting IPsec packets. Because of the role of IPsec Gateway, IPsec Gateway suffers overhead for decrypting numerous packets. Adversaries can easily attack IPsec Gateway using a DDoS attack. To solve this problem, we propose the "Priority based Random Packet Drop" method. In this method, the white list which is a list of normal users is created. After that, according to the frequency of uses, the method marks priorities of random drops to the white list. If anomalous traffic appeared, this method will drop many packets which consist of anomalous traffic. In simple experiment, we show our solution is proper to defend IPsec Gateway. For this experiment, we use empirical backbone traffic which includes DoS attacks.

• Journal of the Institute of Electronics Engineers of Korea TC
• /
• v.43 no.7 s.349
• /
• pp.41-49
• /
• 2006

Wireless AD-hoc network can construct a network itself without any arbitrator. Therefore, it is difficult to make preparation for disguised assault from an illegal node, and because lots of packets from disguised assault spread over whole network, it influences the network usability and livability. This thesis proposed a safe IPv6 tunnel broker (TB) based on TSP (Tunnel Setup Protocol) to improve safety of the wireless Ad-hoc network, and to solve security problem of a tunnel broker that makes a linkage IPv4 and IPv6. To communicate between client and the tunnel broker, proposed method does not base on HTTP, but S-HTTP (Secure-HTTP) and it uses encryption/decryption to send and receive XML document. Finally, this method encrypts (decrypts) important information by applying IPSec between client and TS (Tunnel Server).

• Journal of information and communication convergence engineering
• /
• v.2 no.3
• /
• pp.182-186
• /
• 2004

When most of existing instant messengers log on server, they transmit to sever in encoding password to RC5. but RC5 don't be secured because it has been known many of password cracking tools. Also, messengers don't have any protection on the transmitted information with communicating two hosts since loging on, endangering the privacy of the user. As a counter measure, messengers need to provide security service including message encryption. In this paper, we designed a key exchange method of password representing fast, effective and high security degree, using ECC(Elliptic Curve Cryptography) that being known the very stronger than another public key cryptography with same key size. To effectively improve data transmission and its security using IPSec protocol between users, tunnel mode is introduced. Tunnel mode transmits Host-to-Host data through virtual pipelines on the Internet.

• Journal of Communications and Networks
• /
• v.13 no.6
• /
• pp.583-590
• /
• 2011

Full-mesh IPSec tunnels pass through a black ("unsecure") network (B-NET) to any red ("secure") networks (RNETs). These are needed in military environments, because they enable dynamically changing R-NETs to be reached from a BNET. A dynamically reconfiguring security policy database (SPD) is very difficult to manage, since the R-NETs are mobile. This paper proposes advertisement process technologies in association with the tunnel gateway's protocol that sends 'hello' and 'prefix advertisement (ADV)' packets periodically to a multicast IP address to solve mobility and security issues. We focus on the tunnel gateway's security policy (SP) adaptation protocol that enables R-NETs to adapt to mobile environments and allows them to renew services rapidly soon after their redeployment. The prefix ADV process enables tunnel gateways to gather information associated with the dynamic changes of prefixes and the tunnel gateway's status (that is, 'down'/restart). Finally, we observe two different types of performance results. First, we explore the effects of different levels of R-NET movements on SP adaptation latency. Next, we derive the other SP adaptation latency. This can suffer from dynamic deployments of tunnel gateways, during which the protocol data traffic associated with the prefix ADV protocol data unit is expected to be severe, especially when a certain tunnel gateway restarts.

• Journal of KIISE:Information Networking
• /
• v.34 no.5
• /
• pp.348-359
• /
• 2007

The conventional mobile VPN services assumed the mobile communications occur between the MN in foreign networks and the CN in the home network. However, if a MN wants to communicate with another MN in a foreign network, it could degrade the performance of the mobile VPN service because of the triangular routing problem. In this paper, we propose a route optimization mechanism based on the mobile VPN using an x-HA allocated by diameter MIP in order to support the efficient communication between the mobile VPN users in foreign networks. The i-HA maintains the VPN-TIA as well as the x-HoA as the CoAs to solve the security problem and to provide an efficient route optimization simultaneously. Moreover, we proposed revised IPSec tunnel configuration to reduce the IPSec tunnel overheads at a MN when the MN communicates with several MNs in the foreign networks at the same time. The VPN server, a security management entity in the home network, notifies an additional IPSec tunnel establishment between the x-HAs where the communication peers are registered. The simulation result showed that the proposed scheme decreases the end-to-end packet delay time and improves the throughput after the handoff compared to the existing mechanism.

• Journal of the Korea Society for Simulation
• /
• v.11 no.1
• /
• pp.31-44
• /
• 2002

VPN which cuts down on expense and assures security and reliance, has increased its market shares quickly because the requirement of enterprise on security has increased. But Fragmentation may raise communication failure when VPN has been implemented using IPSec. In our paper, we have given careful consideration to various reasons Preventing us from communicating stable and have presented the existing solutions about them. Also we hate provided adaptive PMTU discovery mechanism to improve: the solutions. We have proven a prowess of this mechanism through simulation

• The KIPS Transactions:PartC
• /
• v.8C no.6
• /
• pp.775-782
• /
• 2001

Recently the use of Linux OS is increasing to tremendous figures. But due to the fact that Linux is distributed on an open-source policy, the need of security is an upcoming question which leads to widespread development of security on a Linux based environment. Cryptography, however, can cause various problems because of difficulty of key management. A lot of researchers have been concentrating on the key recovery technique to eliminate the reverse effect of using these kinds of security and to promote positive aspects of using it. In this thesis I am suggesting an mechanism based on the key recovery technique, as a method to save time in recovery and resetting a disconnection between two end-users through IPSec (IP Security) protocols in a VPN (Virtual Private Network) environment. The main idea of the newly suggested mechanism, KRFSH (Key Recovery Field Storage Header), is to store the information of the session in advance for the case of losing the session information essential to establish a tunnel connection between a SG and a host in the VPN environment, and so if necessary to use the pre-stored information for recovery. This mechanism is loaded on the IPSec based FreeS/WAN program (Linux environment), and so the VPN problem mentioned above is resolved.