Internet & Intranet Security
14.7 CONCLUSIONS
The IP security architecture as discussed in this chapter is not an overall security architecture for the Internet. It addresses security only at the Internet layer, provided through the use of a suite of security protocols (i.e., the IPsec protocols and the IKE protocol) and a corresponding API (i.e., the PF_KEY key management API version 2 as specified in [37]). Related topics, such as securing the routing infrastructure, the DNS, and network management, are further addressed in [12]. Also, the current status of the IP security architecture does not even address all aspects of Internet layer security. Topics for further study include the use of Internet layer security protocols in conjunction with NAT, more complete support for IP multicast, and issues related to interoperability and benchmark testing. Note that the evolving nature of the IP architecture and the corresponding suite of security protocols makes true interoperability hard to achieve.
There are advantages and disadvantages related to security protocols that operate at the Internet layer in general, and the IPsec protocols in particular:
- The main advantage is that applications need not be changed to use the IPsec protocols. Another advantage is that providing security at the Internet layer works for both TCP- and UDP-based applications. This is advantageous because a steadily increasing number of applications are based on UDP, which is hard to secure at the transport layer (we will further address this point in Chapter 15).
- The main disadvantage is that IP stacks must either be changed or extended. Because of the inherent complexity of the IKE protocol, the changes or extensions are not at all trivial. In the long term, high-speed networking may also pose a performance problem. As of this writing, it is not clear whether the encryption rates and key agility properties of IPsec implementations will meet the performance requirements of future high-speed networks.
Because of the disadvantages of providing security at the Internet layer, some alternative approaches have appeared in the past (as discussed in the other sections of this chapter). The current trend in industry suggests that the IPsec protocols will primarily be used for virtual private networking and connecting mobile users to corporate intranets. As mentioned in Chapter 13, the combination of L2TP and IPsec is a particularly interesting technology for virtual private networking today.