Abstract - Security Symposium - 2000
A Multi-Layer IPsec Protocol
Yongguang Zhang and Bikramjit Singh, HRL Laboratories, LLC
IPsec is a suite of standard protocols
that provides security services for Internet communications.
It protects the entire IP datagram in an "end-to-end" fashion;
no intermediate network node in the public Internet
can access or modify any information above the IP layer
in an IPsec-protected packet.
However, recent advances in internet technology introduce
a rich new set of services and applications,
like traffic engineering, TCP performance enhancements,
or transparent proxying and caching,
all of which require intermediate network nodes
to access a certain part of an IP datagram,
usually the upper layer protocol information,
to perform flow classification, constraint-based routing,
or other customized processing.
This is in direct conflict with the IPsec mechanisms.
In this research,
we propose a multi-layer security protection scheme for IPsec,
which uses a finer-grain access control
to allow trusted intermediate routers to read and write
selected portions of IP datagrams (usually the headers)
in a secure and controlled manner.