FAST RE-ESTABILISHMENT OF IKEV2 SECURITY ASSOCIATIONS FOR RECOVERY OF IPSEC GATEWAYS IN MOBILE NETWORK

Peng Yang, Yuanchen Ma, Satoshi Yoshizawa

Abstract

IKEv2/IPsec has been widely deployed, for example in VPNs and MIPv6, to support mutual authentication, access control and traffic protection on the Internet. IKEv2/IPsec gateways may maintain a huge number of IKEv2/IPsec security associations. If a gateway fails or becomes overloaded, it takes a long time to re-establish the security associations on another IKEv2/IPsec gateway. The major reason is that the regular IKEv2 procedure incurs a long delay because of multiple signalling exchanges and complex computation, especially in the Diffie-Hellman exchange. In this paper, a new IKE SA re-establishment solution is proposed to reduce the computation and signalling overhead by directly transferring the IKE SA from the old gateway to the new gateway via an independent IKE SA storage (stub bank). The Diffie-Hellman exchange, which is the most expensive step, and some of the signalling can be avoided. Therefore, a huge number of IKE/IPsec security associations can be re-established in a short time. The applicability of this solution in mobile networks is also analyzed.



Paper Citation


in Harvard Style

Yang P., Ma Y. and Yoshizawa S. (2009). FAST RE-ESTABILISHMENT OF IKEV2 SECURITY ASSOCIATIONS FOR RECOVERY OF IPSEC GATEWAYS IN MOBILE NETWORK. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009), ISBN 978-989-674-005-4, pages 111-116. DOI: 10.5220/0002223801110116


in Bibtex Style

@conference{secrypt09,
author={Peng Yang and Yuanchen Ma and Satoshi Yoshizawa},
title={FAST RE-ESTABILISHMENT OF IKEV2 SECURITY ASSOCIATIONS FOR RECOVERY OF IPSEC GATEWAYS IN MOBILE NETWORK},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)},
year={2009},
pages={111-116},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002223801110116},
isbn={978-989-674-005-4},
}

