There is a strong consensus about the need for IPsec, although its use is not widespread for end-to-end communications. One of the main reasons for this is the difficulty of authenticating two end-hosts that do not share a secret or do not rely on a common Certification Authority. In this paper we propose a modification to IKE to use reverse DNS and DNSSEC (named DNSSEC-to-IKE) to provide end-to-end authentication to Internet hosts that do not share any secret, without requiring the deployment of a new infrastructure. We perform a comparative analysis in terms of requirements, provided security and performance with state-of-the-art IKE authentication methods and with a recent proposal for IPv6 based on CGA. We conclude that DNSSEC-to-IKE enables the use of IPsec in a broad range of scenarios in which it was not applicable, at the price of offering slightly less security and incurring higher performance costs. © Springer-Verlag Berlin Heidelberg 2006.
CITATION STYLE
Muñoz Merino, P. J., García-Martínez, A., Organero, M. M., & Kloos, C. D. (2006). Enabling practical IPsec authentication for the internet. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 4277 LNCS-I, pp. 392–403). Springer Verlag. https://doi.org/10.1007/11915034_63