Please use this identifier to cite or link to this item:
https://doi.org/10.1016/j.comnet.2023.109905
Title: | SDN-based automated rekey of IPsec security associations: design and practical validations |
Publication date: | Sep-2023 |
Publisher: | Elsevier |
Bibliographic citation: | Computer Networks, Volume 233, September 2023 |
ISSN: | Print: 1389-1286 |
Keywords: | IPsec; Key Management; SDN; Rekey; Netconf; Yang |
Abstract: | The standard Request for Comments (RFC) 9061 defines a framework to autonomously manage IPsec security associations (SAs) in SDN environments. The standard describes two cases: the IKE case, in which the nodes use the Internet Key Exchange (IKEv2) protocol to negotiate IPsec SAs, and the IKE-less case, in which IKEv2 is not shipped in the network devices and the SDN controller is in charge of distributing the IPsec SAs with all the information needed to secure the communications (cryptographic material, traffic selectors, algorithms, etc.). In both cases, for security reasons, the IPsec protocol requires the periodic renewal of the keys used by the IPsec SAs, in a process named rekey. The IKE case already has an automatic rekey mechanism, the IKEv2 protocol; the IKE-less case, however, requires the definition of a rekey method, which is implemented by the controller. The use of the IKE-less case has been recognized as useful in scenarios such as datacenters, with thousands of nodes requiring the management of SAs, or the Internet of Things, with constrained devices that may not have enough resources to run IKEv2. Therefore, the definition of a suitable rekey process is a keystone for the IKE-less case. This work presents the design, implementation and validation of four different algorithms to perform a rekey process in the IKE-less case of the IPsec standard, taking into account performance, security and packet loss. We have also analyzed each algorithm’s behavior in representative network scenarios based on mesh or star topologies. |
Main author(s): | Parra-Espín, José Antonio; Marín-López, Rafael; López-Millán, Gabriel; Pereñíguez-García, Fernando; Cánovas, Óscar |
Faculty/Departments/Services: | Faculties, Departments, Services and Schools::UMU Departments::Information and Communications Engineering; Faculties, Departments, Services and Schools::UMU Departments::Computer Engineering and Technology |
Publisher's version: | https://www.sciencedirect.com/science/article/pii/S138912862300350X |
URI: | http://hdl.handle.net/10201/138154 |
DOI: | https://doi.org/10.1016/j.comnet.2023.109905 |
Document type: | info:eu-repo/semantics/article |
Number of pages / Extent: | 15 |
Rights: | info:eu-repo/semantics/openAccess |
Appears in collections: | Articles: Computer Engineering and Technology |
Files in this item:
File | Description | Size | Format
---|---|---|---
_Article__SDN_IPSec__rekey_performance__Preprint_.pdf | | 1.96 MB | Adobe PDF
This item is subject to a Creative Commons license.