IKE-less IPsec for Centralized Management of Network Security / Ciravegna, Flavio; Bruno, Giacomo; Lioy, Antonio. - ELECTRONIC. - 3731:(2024), pp. 1-13. (Paper presented at the conference ITASEC-2024: The Italian Conference on CyberSecurity, held in Salerno (Italy), April 8-12, 2024).
IKE-less IPsec for Centralized Management of Network Security
Ciravegna, Flavio; Bruno, Giacomo; Lioy, Antonio
2024
Abstract
In the realm of network security, the implementation of robust security measures is crucial to safeguard sensitive data and ensure the integrity of communication channels. To this end, the IPsec protocol enables secure communication at the network level. Initially reliant on manual configuration, IPsec evolved with the introduction of the Internet Key Exchange (IKE) protocol, which streamlines the establishment of Security Associations between network endpoints. However, the overhead associated with IKE can be impractical for resource-constrained IoT devices. Consequently, the IETF introduced the concept of IKE-less IPsec. This strategy aims to move the IKE logic from the network nodes to a centralized control point, so that the network device is only required to support IPsec. This paper delves into the potential of the IKE-less approach to enhance security within Software Defined Networks, particularly in IoT scenarios. We analyse in detail the features of IKE-less IPsec and compare it with the traditional IKE approach. Then, we discuss our designed solution to protect the control infrastructure. The proposal leverages established solutions, such as Trusted Execution Environments and Hardware Security Modules, to protect this kind of setup.

File | Type | License | Size | Format
---|---|---|---|---
paper87.pdf (open access) | 2. Post-print / Author's Accepted Manuscript | Creative Commons | 236.19 kB | Adobe PDF
paper35.pdf (open access) | 2a Post-print publisher's version / Version of Record | Creative Commons | 312.76 kB | Adobe PDF
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/11583/2988318