Browsing by Subject "IPsec"
Now showing 1 - 2 of 2
Results Per Page
Sort Options
- PublicationRestrictedEstablishment of IPsec security associations with Diffie–Hellman following a SDN-based framework: analysis and practical validation(Elsevier, 2024-08-17) Parra Espín, José Antonio; Marín López, Rafael; López Millán, Gabriel; Ingeniería de la Información y las Comunicaciones; Facultades de la UMU::Facultad de InformáticaThe centralized management of IPsec Security Associations (SAs) by using Software Defined Network (SDN) paradigm has been already explored and standardized. Datacenters are some of the scenarios where the dynamic establishment of IPsec security associations among network nodes has been deemed relevant. In these scenarios, where nodes do not support protocols like IKEv2, applying solutions where the generation and distribution of keys for IPsec are delegated to the SDN controller. However, these scenarios have the issue that the controller itself generates the IPsec keys for the nodes, posing a higher risk to the system’s security in case the controller is compromised. For these scenarios, it would be necessary to define solutions that allow the distribution of this cryptographic material securely, while maintaining the capacity restrictions established by the nodes. To solve this risk, we propose the generation of the IPsec keys using key distribution through the Diffie–Hellman algorithm in such a manner, that the controller will never have access to the IPsec SAs session keys used by the network nodes, mitigating the aforementioned problem. In concrete, our approach makes the nodes responsible for generating their own Diffie–Hellman public and private keypair, while the controller is only in charge of distributing the public keys to the rest of nodes, as well as other parameters needed to install the IPsec SAs. As we will analyze, the distribution of the public keys will be enough to allow the network nodes to generate the session keys. This work presents the design, implementation and validation of this IPsec management solution based on Diffie–Hellman in SDN environments using asymmetric key distribution for negotiating encryption and integrity keys, focusing on the performance in key generation and installation of IPsec SAs.
- PublicationRestrictedSDN-based automated rekey of IPsec security associations : design and practical validations(Elsevier, 2023-09) Parra-Espín, José Antonio; Marín-López, Rafael; Cánovas, Óscar; López Millán, Gabriel; Pereñíguez García, Fernando; Ingeniería y Tecnología de ComputadoresThe standard Request for Comments (RFC) 9061 defines a framework to autonomously manage IPsec security associations (SAs) in SDN environments. The standard describes two cases: the IKE case, in which the nodes use the Internet Key Exchange (IKEv2) protocol to negotiate IPsec SAs, and the IKE-less case, in which IKEv2 is not shipped in the network devices, and the SDN controller is in charge of distributing the IPsec SAs with all the information needed to secure the communications (cryptographic material, traffic selectors, algorithms, etc.). In both cases, for security reasons, the IPsec protocol requires the periodic renovation of the keys used by the IPsec SAs in a process named rekey. The IKE case already has an automatic rekey mechanism, the IKEv2 protocol, however the IKE-less case requires the definition of a rekey method, which is implemented by the controller. The use of the IKE-less case has been recognized useful in scenarios such as datacenters, with thousands of nodes requiring the management of SAs, or Internet of Things, with constrained devices that may not have enough resources to use IKEv2. Therefore, the definition of a suitable rekey process is a keystone for the IKE-less case. This work presents the design, implementation and validation of four different algorithms to perform a rekey process in the IKE-less case from the IPsec standard, taking to account performance, security and packet loss. We have also analyzed each algorithm’s behavior in representative network scenarios based on mesh or star topologies.