Migration of Internet security protocols to the IPSEC framework

Abstract

Nowadays it is clear that security protocols will implement a very important part of the communications accomplished through the future Internet. Efforts made by the IETF have produced the first Internet Protocol version that includes security services, this framework is called IPSEC and it is a flexible solution designed taking into account the heterogeneity of the Internet. In fact the IPSEC mechanisms supply confidentiality, integrity and authentication of IP packets (implemented by the Authentication Header -AHand the Encapsulated Security Payload -ESP). But this new framework also provides another security service that is not widely known, this is the ISAKMP protocol (Internet Security Association and Key Management Protocol) that allows negotiating security parameters over the Internet. Those security parameters include the cipher algorithm to use the cipher key, the hash function, etc. These parameters are grouped in a Security Association that will be referenced in the first step of the security protocol. The ISAKMP is used by AH and ESP to establish the security associations needed to accomplish the protocols. However ISAKMP advantages can be exploited by any other security protocol, and in this way it will be possible to avoid the duplicity of single purpose negotiations of security parameters. Current security protocols negotiate parameters by exchanging messages. SSL is an example where the first part of its message is used to negotiate the security parameters. We describe a methodology for the migration of aged security protocols to an ISAKMP negotiation. We identify the phases for the migration from the definition of a domain of interpretation to specify the parameters that must be included into the security associations.