• Title/Summary/Keyword: IPSec tunnels

Search Result 7, Processing Time 0.019 seconds

IPSec based Network Design for the Mobile and Secure Military Communications (이동성과 보안성 만족 군용 통신을 위한 IPSec 기반 네트워크 설계)

  • Jung, Youn-Chan
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.35 no.9B
    • /
    • pp.1342-1349
    • /
    • 2010
  • Full-mesh IPSec tunnels, which constitute a black network, are required so that the dynamically changing PT (Plain Text) networks can be reachable across the black network in military environments. In the secure and mobile black networks, dynamically re-configuring IPSec tunnels and security policy database (SPD) is very difficult to manage. In this paper, for the purpose of solving mobility and security issues in military networks, we suggest the relating main technologies in association with DMIDP (Dynamic Multicast-based IPSec Discovery Protocol) based on existing IPSec ESP (Encapsulating Security Payload) tunnels and IPSec key managements. We investigate the main parameters of the proposed DMIDP techniques and their operational schemes which have effects on mobility and analyze operational effectivemess of the DMIDP with proposed parameters.

Military Group Key Management for Mobile and Secure Multicast Communications (이동성과 보안성 있는 멀티케스트 통신을 위한 군용 그룹 키 관리)

  • Jung, Youn-Chan
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.35 no.6B
    • /
    • pp.977-983
    • /
    • 2010
  • In mobile and secure military networks, full-meshed IPSec tunnels, which do correspond to not physical links but logical links between each IPSec device and its peer, are required to provide multicast communications. All IPSec devices need support in changing IPSec tunnels by a way of using a multicast group key which is updated dynamically. Tactical terminals, which often constitute a group, need also secure multicast communications in the same group members. Then, the multicast group key is required to be updated dynamically in order to support group members' mobility. This paper presents challenging issues of designing a secure and dynamic group key management of which concept is based on the Diffie-Hellman (DH) key exchange algorithm and key trees. The advantage of our dynamic tree based key management is that it enables the dynamic group members to periodically receive status information from every peer members and effectively update a group key based on dynamically changing environments.

Dynamic Key Lifetime Change Protocol for Performance Improvement of Virtual Private Networks using IPSec (IPSec을 적용한 가상사설망의 성능개선을 위한 동적 키 재생성 주기 변경 프로토콜)

  • 한종훈;이정우;박성한
    • Proceedings of the IEEK Conference
    • /
    • 2003.11c
    • /
    • pp.125-128
    • /
    • 2003
  • In this paper, we propose a dynamic key lifetime change protocol for performance enhancement of virtual private networks using IPSec. The proposed protocol changes the key lifetime according to the number of secure tunnels. The proposed protocol is implemented with Linux 2.4.18 and FreeS/WAN 1.99. The system employing our proposed protocol performs better than the original version in terms of network performance and security.

  • PDF

A Dynamic Key Lifetime Change Algorithm for Performance Improvement of Virtual Private Networks (가상사설망의 성능개선을 위한 동적 키 재생성 주기 변경 알고리즘)

  • HAN, Jong-Hoon;LEE, Jung Woo;PARK, Sung Han
    • Journal of the Institute of Electronics Engineers of Korea TC
    • /
    • v.42 no.10 s.340
    • /
    • pp.31-38
    • /
    • 2005
  • Ipsec is a security protocol suite that provides encryption and authentication services for IP messages at the network layer of the internet. Internet Key Exchange (IKE) is a protocol that is used to negotiate and provide authenticated keying materials in a protected manner for Security Associations (SAs). In this paper, we propose a dynamic key lifetime change algorithm for performance enhancement of virtual private networks using IPSec. The proposed algorithm changes the key lifetime according to the number of secure tunnels. The proposed algorithm is implemented with Linux 2.4.18 and FreeS/WAN 1.99. The system employing our proposed algorithm performs better than the original version in terms of network performance and security.

Tunnel Gateway Satisfying Mobility and Security Requirements of Mobile and IP-Based Networks

  • Jung, Youn-Chan;Peradilla, Marnel
    • Journal of Communications and Networks
    • /
    • v.13 no.6
    • /
    • pp.583-590
    • /
    • 2011
  • Full-mesh IPSec tunnels pass through a black ("unsecure") network (B-NET) to any red ("secure") networks (RNETs). These are needed in military environments, because they enable dynamically changing R-NETs to be reached from a BNET. A dynamically reconfiguring security policy database (SPD) is very difficult to manage, since the R-NETs are mobile. This paper proposes advertisement process technologies in association with the tunnel gateway's protocol that sends 'hello' and 'prefix advertisement (ADV)' packets periodically to a multicast IP address to solve mobility and security issues. We focus on the tunnel gateway's security policy (SP) adaptation protocol that enables R-NETs to adapt to mobile environments and allows them to renew services rapidly soon after their redeployment. The prefix ADV process enables tunnel gateways to gather information associated with the dynamic changes of prefixes and the tunnel gateway's status (that is, 'down'/restart). Finally, we observe two different types of performance results. First, we explore the effects of different levels of R-NET movements on SP adaptation latency. Next, we derive the other SP adaptation latency. This can suffer from dynamic deployments of tunnel gateways, during which the protocol data traffic associated with the prefix ADV protocol data unit is expected to be severe, especially when a certain tunnel gateway restarts.

Security Mechanism for Firewall Traversal in Mobile IP (안전한 방화벽 Traversal을 제공하는 Mobile IP의 보안 메커니즘)

  • Jin, Min-Jeong;Park, Jung-Min;Chae, Ki-Joon
    • The KIPS Transactions:PartC
    • /
    • v.11C no.1
    • /
    • pp.11-20
    • /
    • 2004
  • Mobile IP is designed to provide IP services to roaming nodes. Mobile users take advantage of this protocol to obtain the services as if they were connected to their home network. In many cases mobile users is connected through a wireless link and is protected by corporation's firewall in virtual Private network. In order to have a successful deployment of Mobile IP as an extension of a private network, security services should be provided as if the mobile node were attached to its home network. In this paper, we propose the security mechanism of combining Mobile IP and IPSec tunnels, which can provide secure traversal of firewall in a home network. The simulation results show that the proposed mechanism provides the secure and efficient communication.

Approach with direct tunnels between CPE VPN GWs in star VPN topology (Star VPN 구조에서 CPE VPN GW간 직접 터널을 이용한 성능 향상 방안)

  • Byun, Hae-Sun;Lee, Mee-Jeong;Ahn, Sang-Joon
    • Proceedings of the Korea Information Processing Society Conference
    • /
    • 2004.05a
    • /
    • pp.1271-1274
    • /
    • 2004
  • 현재 운용중인 대부분의 VPN은 모든 CPE(Customer Premise Equipment) VPN GW(Gateway)들이 Center VPN GW에 연결되어 있는 Star 구조를 취하고 있다. 이러한 구조에서는 모든 트래픽들이 항상 Center VPN GW를 거쳐서 전송되므로 비효율적인 트래픽 전송이 이루어진다. 또한 대용량의 멀티미디어 트래픽 전송이 빈번하거나 다수의 지점을 갖고 있는 기업의 경우 Center VPN GW에서의 오버헤드가 증가하게 된다. 이러한 문제를 해결하기 위한 방법으로는 IPSec의 IKE(Internet Key Exchange) 메커니즘을 이용하여 CPE VPN GW간 직접 터널을 맺어 줄 수 있으나, 터널 설립에 앞서 원격지 CPE VPN GW의 주소, 요구되는 보안 등급 등의 터널 설정에 필요한 정보를 관리자가 직접 설정해 주어야 한다. 이는 현재 DHCP와 같은 동적 IP 환경에서 운용되는 ADSL 기반의 VPN 환경에서 관리 오버헤드를 증가시키는 요인이 된다. 이에 본 논문에서는 CPE VPN GW 간 직접 터널 연결이 필요할 시에 자동적으로 제반 기능들이 수행될 수 있게 하는 주문형 터널 생성(On-demand Tunnel Creation) 메커니즘 제안한다. 시뮬레이션을 통해 제안하는 방안에 대하여 성능을 조사하였고, 이와 함께 기존의 Star VPN 구조, Full-mesh VPN 구조와 성능을 비교하였다. 시뮬레이션 결과, 제안하는 방안이 기존의 Star VPN 구조보다 확장성과 트래픽 전송효율성, Center VPN GW의 오버헤드 측면에서 우수한 성능을 보였으며 Full-mesh 구조의 VPN과 거의 비슷한 종단간 지연시간과 처리율을 보였다.

  • PDF