Implementing IPsec

Keromytis, Angelos D.; Ioannidis, John; Smith, Jonathan M.

The IP security protocols are sufficiently mature to benefit from multiple independent implementations and worldwide deployment. Towards that goal, we implemented the protocols for BSD/OS, Linux, OpenBSD and NetBSD. While some differences between the implementations exist due to differences in the underlying operating system structures, the design philosophy is common. A radix tree, namely the one used by the BSD code for routing purposes, is used to implement the policy engine; a transform table switch is used to make the addition of security transformations an easy process; a lightweight kernel-user communication mechanism is used to pass key material and other configuration information from user space to kernel space, and to report asynchronous events such as requests for new keys from kernel space to a user-level keying daemon; and two distinct ways of intercepting outgoing packets and applying the IPsec transformations to them are employed. The techniques used in our implementations are explained, differences in approaches are analysed, and hints are given to potential future implementers of new transforms.

Also Published In

Title
GLOBECOM 97: IEEE Global Telecommunications Conference: conference record, Phoenix, Arizona, 3-8 November 1997
DOI
https://doi.org/10.1109/GLOCOM.1997.644617

More About This Work

Academic Units
Computer Science
Publisher
Institute of Electrical and Electronics Engineers
Published Here
July 12, 2012