End-to-End IPSec Support across IPv4/IPv6 Translation Gateway

An IPv4/IPv6 translation gateway provides a transparent routing mechanism for IPv4-only and IPv6-only nodes that are trying to establish communication from disparate address realms. However, the mechanism breaks intrinsic TCP/IP functionality, with the result that IPSec cannot be applied in this environment. The existing solutions to the compatibility issues between translation gateways and IPSec either enhance the translation gateway operation or modify the IPSec architecture, especially the IKE negotiation process. Recognizing that most intermediate networking devices, such as translation gateways, are beyond the administration of the end nodes, this paper discusses the existing solutions that improve IKE negotiation in order to ensure end-to-end IPSec interoperability across a translation gateway. Inspired by this solution, this paper proposes a new IKE authentication method using Address Based Keys with certificateless signatures to alleviate the limitations of traditional pre-shared keys and Public Key Infrastructure (PKI).
