Convergence of IPsec in presence of resets

Chin Tser Huang, M. G. Gouda, E. N. Elnozahy

    Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

    1 Scopus citations

    Abstract

    IPsec is the current security standard for the Internet Protocol IP. According to IPsec, a selected computer pair (p. q) in the Internet can be designated a "security association". This designation guarantees that all sent IP messages whose original source is computer p and whose ultimate destination is computer q cannot be replayed in the future (by an adversary between p and q) and still be received by q as fresh messages from p. This guarantee is provided by adding increasing sequence numbers to all IP messages sent from p to q. Thus, p needs to always remember the sequence number of the last sent message, and q needs to always remember the sequence number of the last received message. Unfortunately, when computer p or q is reset these sequence numbers can be forgotten, and this leads to two bad possibilities: unbounded number of fresh messages from p can be discarded by q. and unbounded number qf replayed messages can be accepted by q. In this paper, we propose two operations, "SAVE"' and "FETCH", to prevent these possibilities. The SAVE operation can be used to store the last sent sequence member in persistent memory of p once every K/sub p/ sent messages, and can be used to store the last received sequence number in persistent memory of q once every K/sub q/ received messages. The FETCH operation can be used to fetch the last stored sequence number for a computer when that computer wakes tip after a reset. We show that the following three conditions hold when SAVE and FETCH are adopted in both p and q. First, when p is reset, at most 2K/sub p/ sequence numbers will be lost but no fresh message sent from p to q will be discarded if no message reorder occurs. Second, when q is reset, the number of discarded fresh messages is bounded by 2K/sub q/, In either case, no replayed message will be accepted by q.

    Original languageEnglish (US)
    Title of host publicationProceedings - 23rd International Conference on Distributed Computing Systems Workshops, ICDCSW 2003
    PublisherInstitute of Electrical and Electronics Engineers Inc.
    Pages22-27
    Number of pages6
    ISBN (Electronic)0769519210, 9780769519210
    DOIs
    StatePublished - 2003
    Event23rd International Conference on Distributed Computing Systems Workshops, ICDCSW 2003 - Providence, United States
    Duration: May 19 2003May 22 2003

    Publication series

    NameProceedings - 23rd International Conference on Distributed Computing Systems Workshops, ICDCSW 2003

    Other

    Other23rd International Conference on Distributed Computing Systems Workshops, ICDCSW 2003
    CountryUnited States
    CityProvidence
    Period05/19/0305/22/03

    Keywords

    • Authentication
    • Computer security
    • Convergence
    • Cryptography
    • Internet
    • Protocols
    • Software standards
    • System software

    ASJC Scopus subject areas

    • Computer Networks and Communications
    • Hardware and Architecture
    • Signal Processing

    Fingerprint Dive into the research topics of 'Convergence of IPsec in presence of resets'. Together they form a unique fingerprint.

    Cite this