Article

IPsec Configuration Policy Information Model


Abstract

This document presents an object-oriented information model of IP Security (IPsec) policy designed to facilitate agreement about the content and semantics of IPsec policy, and to enable derivations of task-specific representations of IPsec policy such as storage schema, distribution representations, and policy specification languages used to configure IPsec-enabled endpoints. The information model described in this document models the configuration parameters defined by IPsec. The information model also covers the parameters found in the Internet Key Exchange protocol (IKE). Other key exchange protocols could easily be added to the information model by a simple extension, and further extensions can be added just as easily due to the object-oriented nature of the model.


... The contributions of this paper can be summarized as follows. First, the paper presents an XML schema for mapping the standard IPsec policy model, proposed by the IETF, into XML files [10]. There is no IETF publication concerning XML mapping of policy-based information (the existing publications concern mapping policy information into LDAP schemas). ...
... To address particular areas, PCIM needs to be extended. IETF has already defined some models based on PCIM extensions, including the IPsec policy model described by the RFC 3585 [10]. The IETF IPsec model is used in the proposal described in this paper. ...
Conference Paper
This work proposes a WSDL extension for describing IPsec policies for protecting Web services communications. By using the proposed extension, a Web service (server) informs its clients, along with the offered service descriptions, of a set of IPsec policies that must be used in order to have access to its services. The proposed extension is based on the IETF policy model for describing IPsec policies. Besides the model, the work presents an approach for transforming the IPsec policies into configuration commands through XSL transformations.
... However, IPSec does not address the issue of how the traffic should be handled at the IPSec endpoints. This problem is addressed by the IPSec policy, which consists of lists of rules that designate the traffic to be protected, the type of protection, such as authentication or confidentiality, and the required protection parameters, such as the encryption algorithm [1,2]. The policy is essential for the security mechanism. ...
... Then the PKI server issues IPSec certificates which include the IPSec policies (policy fields: 1) i, the policy record number; 2) Si, the ith source information). It is a standard procedure of certificate generation, except that the X.509 extension is extended. So there is no need to change the IKE negotiation process with public key authentication. ...
Conference Paper
Full-text available
IP Security (IPSec) is an important protection mechanism for securing Internet communication. However, IPSec is a complex security protocol family, and the management issue is still a challenge for mass deployment. Many researchers have investigated the IPSec management issue with various approaches, but the policy configuration and distribution issues remain to be efficiently resolved. A certificate-based scheme to manage IPSec endpoints is proposed in this paper. A Role-based Access Control (RBAC) model is introduced to simplify the process of policy configuration, and a policy control mechanism is proposed to check whether a new security association conforms to local security policies. The analysis of the scheme shows the flexibility and efficiency of our approach. Based on our proposed scheme, we implement a proof-of-concept prototype system and conduct experimental studies to demonstrate the feasibility and performance of our approach.
... Users or administrators write the security policy at each device interface to define IPSec protection operations for each specific traffic. The IPSec policy consists of lists of rules that designate the traffic to be protected, the type of protection, such as authentication or confidentiality, and the required protection parameters, such as the encryption algorithm [16]. Packets are sequentially matched against the rules until one (single-trigger) or more (multiple-trigger) matching rules are found [7,17]. ...
... The protection offered by IPSec to certain traffic is based on requirements defined by security policy rules defined and maintained by the system administrator [7,16]. In general, packets are selected for a packet protection mode based on network and transport layer header information matched against rules in the policy, i.e., transport protocol, source address and port number, and destination address and port number. ...
Conference Paper
Full-text available
IPSec has become the de facto standard protocol for secure Internet communications, providing traffic integrity, confidentiality and authentication. Although IPSec supports a rich set of protection modes and operations, its policy configuration remains a complex and error-prone task. The complex semantics of IPSec policies, which allow for triggering multiple rule actions with different security modes/operations coordinated between different IPSec gateways in the network, significantly increases the potential for policy misconfiguration and thereby insecure transmission. Successful deployment of IPSec requires thorough and automated analysis of the policy configuration consistency for IPSec devices across the entire network. In this paper, we present a generic model that captures various filtering policy semantics using Boolean expressions. We use this model to derive a canonical representation for IPSec policies using ordered binary decision diagrams. Based on this representation, we develop a comprehensive framework to classify and identify conflicts that could exist in a single IPSec device (intra-policy conflicts) or between different IPSec devices (inter-policy conflicts) in enterprise networks. Our testing and evaluation study on different network environments demonstrates the effectiveness and efficiency of our approach.
... Security has been lectured rather implicitly compared with outdated QoS attributes such as latency, deadline, jitter and fairness. Researchers inspected the integration of security constraints into service level specifications to allow service donors to publicize security of service to their customers [7] [8]. To improve SLA-based administration of quality of service with the generation of network policies, security constraints are incorporated. ...
Conference Paper
Internet security threats have been a large problem for researchers to tackle. Researchers have made attempts to fight the issues regarding Internet security threats. Recently, researchers made an attempt to deal with Internet security threats. Although some of the security threats have been protected against by security schemes, these schemes have a great impact on observed Quality of Service (QoS). Thus there is a need for Quality of Service to ensure integrated security requirements. In this paper, we articulate a Protection Framework which will adjust QoS and requirements via a multi-attribute decision making model. We evaluate and verify the performance of our proposed model by studying a use-case and by computer simulations.
... Sufficient support requires design extensions in IPsec and IKE that we will explain shortly. These perspectives are important if there is to be any further progress on designing an IP Security Policy system as the IETF IPSP working group attempted [5,24]. ...
Article
Security gateways provide a practical and widely deployed way to limit the flow of packets between administrative domains of an internetwork. Network layer gateways based on IPsec promise to provide a general foundation for this kind of control. While there has been progress on how to dynamically establish security associations between gateways, there is a need for discovery protocols that dynamically locate gateways on a communication path and generate low-level policies from high-level policies to enable secure traversal of the gateways. We look at some of the challenges to be faced in making this step. These include how to express high-level policies and use them to generate low-level policies, how to design the base protocols to enable dynamic operation, and how to express and prove expected properties. We present some ideas for progress on these challenges based on a formalism called the tunnel calculus.
... About access control for VPN, Jason et al. [14] presented an object-oriented information model of IPSec policy designed to facilitate agreement on the content and semantics of IPSec policy, and to control the actual task. Generalized Role-Based Access Control Model (GRBAC) [15]. ...
Article
Full-text available
VPN technology continues to struggle with intruder attacks that cripple network performance and connectivity. This compels security threats on the remote network because its firewall does not know what transfer is flowing within the VPN tunnel. This paper proposes a new framework called V-Safe which provides vibrant key authentication and an entity-based access rule to prevent intruders. The traditional access rule models are group based, which is not an effective mechanism since it uses a common identity for access control. The entity-based access rule provides access permission based on various entities like requestors, resources, actions and environment, which will prevent intruders and performs deep scans to detect and block the most suspicious threats and attacks. The V-Safe framework is evaluated through simulation and it shows that the proposed system is more secure and efficient than the existing intrusion prevention system.
... Another way to implement a common security policy is through selective access based on wildcard identities, as described earlier. Such a mechanism was recently standardized through its inclusion in the specification of an IPSec Configuration Policy Information Model [Jason et al., 2003] developed by the IETF IP Security Policy Working Group. ...
Article
Full-text available
Resumo (translated from Portuguese): This work presents a remote access VPN solution using the FreeS/WAN software, an Open Source implementation of the IPSec protocol based on Linux. This solution aims to meet the authentication, remote system and security policy configuration, and intermediary traversal requirements presented by the common remote access scenarios using IPSec. Due to the significant market share occupied by Microsoft products, integrated Windows-based VPN client solutions are also addressed. Abstract: This work presents a remote access VPN solution using FreeS/WAN software, an Open Source implementation of the IPSec protocol for Linux. This solution wants to address authentication, remote system and security policy configuration, and intermediary traversal requirements present in common remote access scenarios using IPSec. Due to the significant market share occupied by Microsoft products, some integrated Windows-based VPN client solutions are also discussed.
... al. suggest a Quality of Security Service (QoSS) theory that handles security as a dimension of QoS. To enable service providers to advertise Security of Service (SoS) to their clients, researchers investigated the incorporation of security parameters into Service Level Specifications (SLS) [7], [8]. The selected security parameters are integrated to enhance SLA-based management of QoS with the generation of network policies that guarantee the reservation of adequate resources for meeting both security and QoS needs. ...
Conference Paper
Full-text available
Along with recent Internet security threats, different security measures have emerged. Whilst these security schemes ensure a level of protection against such threats, they sometimes have a significant impact on perceived Quality of Service (QoS). There is thus a need to find ways for an efficient integration of security requirements with their QoS counterparts. In this paper, we devise a Quality of Protection framework that tunes between security requirements and QoS using a multi-attribute decision making model. The performance of the proposed approach is evaluated and verified via a use case study using computer simulations.
... They consist of parameters that are used in the IPsec security association. Their objective is to map the SLS onto the IETF/DMTF IPsec Configuration Policy Information Model [14]. This SLS does not consider QoS. ...
Conference Paper
Full-text available
This paper proposes to integrate security parameters into the Service Level Specification (SLS) template proposed in the Tequila project to improve SLA-based management of QoS [8], [21]. Integrating those parameters in the QoS part of the Service Level Agreement (SLA) specification is essential in particular for secure multimedia services since the QoS is negotiated when the multimedia service is deployed. Security mechanisms need to be negotiated at deployment time when sensitive multimedia information is exchanged. In this paper we show that including security parameters in the SLA specification improves the SLA-based management of QoS and therefore the negotiation, deployment and use of the secure multimedia service. The parameters this paper proposes to integrate have the advantage of being understandable by both end-users and service providers.
... The IETF provides information models for specifying policies that are independent of any implementation or encoding. In this sense, the IPsec Configuration Policy Information Model [1] presents an object-oriented information model for IP Security (IPsec) policies and the QoS Policy Information Model (QPIM) [2] presents a similar model for QoS policies. Both information models are based on the core policy classes defined in the Policy Core Information Model (PCIM) [3] and in the Policy Core Information Model Extensions (PCIMe) [4]. ...
Conference Paper
Full-text available
Policy-based network management is intended to provide a system-wide and unified view of the network and its services and applications. This includes the combined management of network services as different as security, QoS or routing. However, while for IPsec and QoS there are clear models to define the semantics that a policy specification or language should implement, this is not equally true in the case of routing policies. This paper is intended to provide some results on the definition, modelling and deployment of routing policies using the Common Information Model (CIM). We also present the most relevant details of the implementation of our policy-driven routing management system, which has been successfully tested and used for the configuration of several relevant IPv6 IXes deployed as part of the three-year Euro6IX (European IPv6 Internet Exchanges Backbone) EU IST research and deployment project.
... This functionality was achieved with the use of an additional encapsulation method and transport mode IPsec. Some aspects of the work in Xbone have recently been standardized [80] and incorporated in the new version of the [84]. These tools will be able to provide the desired functionality in the future. ...
Article
Full-text available
This research investigated key management in a Mobile Ad Hoc Network (MANET) environment. At the time this research began, key management schemes provided limited functionality and low service availability in a highly partitioned ad hoc environment. The purpose of this research was to develop a framework that provides redundancy and robustness for Security Association (SA) establishment between pairs of nodes. The key contribution of this research is the Key Management System (KMS) framework and, more specifically, the unique way the various components are integrated to provide the various functionalities. The KMS overcomes the limitations of previous systems by (1) minimizing pre-configuration, (2) increasing service availability, and (3) increasing flexibility for new nodes joining the network. A behavior grading scheme provides the network with a system-wide view of the trustworthiness of nodes and enables the KMS to dynamically adjust its configuration according to its environment. The introduction of behavior grading allows nodes to be less dependent on strict identity verification. This KMS was simulated with Monte Carlo and NS2 simulations and was shown to interoperate with IP Security (IPsec) to enable the establishment of IPsec SAs. The simulations have proven the effectiveness of the system in providing service to the nodes in a highly partitioned environment. Thesis (Ph.D.), Virginia Polytechnic Institute and State University, 2005.
... It is therefore necessary that, on the one hand, the UE provide updated location information and, on the other hand, the access networks provide updated load information to the PCRF. The MIH architecture ([16]) is currently being developed to support at least the first functional aspect. This will enable the mobile terminal to activate the wireless interfaces and attach to the available access networks in advance. ...
Conference Paper
Full-text available
The present paper describes a mechanism that enables multi-homed mobile terminals to load balance the data traffic from different applications or the media streams that belong to a multimedia session between multiple access networks. The mechanism is based on the idea of extending the UMTS-WLAN interworking architecture specified by 3GPP to enable the routing of the data traffic through multiple IPsec tunnels that span multiple IP-based access networks. The approach provides for a straightforward integration of the routing function with the IMS policing framework, whose network resource management policies may be mapped into a set of IPsec rules. The proposed mechanism enables a continuous adaptation of the data traffic routing to the momentary availability of the network resources.
... These include firewalls and IPSec devices, which are installed either at end hosts or at intermediate network nodes. The network protection offered by firewalls/IPSec is based on requirements defined by a security policy established and maintained by a user or system administrator [8]. In general, packets are selected for a packet transmission/protection mode based on network and transport layer header information matched against entries in the policy, i.e., transport protocol, source address and port number, and destination address and port number. ...
Article
Network security policies are essential elements in Internet security devices that provide traffic filtering, integrity, confidentiality, and authentication. Network security perimeter devices such as firewalls, IPSec, and IDS/IPS devices operate based on locally configured policies. However, configuring network security policies remains a complex and error-prone task due to rule dependency semantics and the interaction between policies in the network. This complexity is likely to increase as the network size increases. A successful deployment of a network security system requires global analysis of the policy configurations of all network security devices in order to avoid policy conflicts and inconsistency. Policy conflicts may cause serious security breaches and network vulnerability such as blocking legitimate traffic, permitting unwanted traffic, and insecure data transmission. This article presents a comprehensive classification of security policy conflicts that might potentially exist in a single security device (intrapolicy conflicts) or between different network devices (interpolicy conflicts) in enterprise networks. We also show the high probability of creating such conflicts even by expert system administrators and network practitioners.
Chapter
As the firewall is the main front-end defense, IPSec is the standard for secure Internet communications, providing traffic integrity, confidentiality and authentication. Although IPSec supports a rich set of protection modes and operations, its policy configuration remains a complex and error-prone task. Unlike firewalls, IPSec exhibits more complex semantics that allow for triggering multiple rule actions of different security modes. This inherent complexity significantly increases the potential for policy misconfiguration and can violate the integrity of IPSec VPN security. Secure and safe deployment of IPSec requires thorough and automated analysis of the policy configuration consistency for firewall and IPSec devices across the entire network. In this chapter, we present a general composable model based on using Boolean expressions that can represent different ACL filtering semantics. We use this model to derive a canonical representation for firewall and IPSec policies using Ordered Binary Decision Diagrams. Based on this representation, we develop a comprehensive framework to classify and identify conflicts in a single firewall and IPSec device (intra-policy conflicts) or between different firewall and IPSec devices (inter-policy conflicts) in enterprise networks. Our testing and evaluation study on different network environments demonstrates the effectiveness and efficiency of our approach for identifying conflicts in firewall and IPSec policies.
Chapter
Contents: Introduction; Network management policies; Policy-based management framework; COPS protocol; Policy domains; Information modeling; Conclusion; Bibliography.
Article
Full-text available
The synchronization of security and quality of service in the network is a basic requirement; despite the existence of their mutual effect, engineers always seek to create a state close to the ideal in networks where both the service and the security are at the top level. Security does not work separately from quality of service; in other words, it affects the quality of independent non-declared security service and vice versa. Also, security does not come for free and, in general, protection mechanisms require more processing time and cause traffic delay. Real-time applications such as video conferencing, VoIP, and real-time video need special processing to achieve their goals and to overcome the delay introduced by adding security mechanisms. In this paper we propose a new method for securing the QoS parameters using layer 2 of the OSI Model, and analyse the impact resulting from adding security on QoS parameters such as delay, jitter, loss and bandwidth.
Article
Different security measures have emerged to counter various Internet security threats, ensuring a certain level of protection against them. However, this does not come without a price. Indeed, there is a general agreement that high security measures involve a high amount of resources, ultimately impacting the perceived Quality of Service (QoS). The objective of this paper is to define a framework, dubbed QoS2, that provides means to find a tradeoff between security requirements and their QoS counterparts. The QoS2 framework is based on the multiattribute decision-making theory. The performance of the QoS2 framework is evaluated through computer simulations. A use-case considering worm e-mail detection is used in the performance evaluation. Copyright © 2012 John Wiley & Sons, Ltd.
Article
Packet classification is a central function in filtering systems such as firewalls or intrusion detection mechanisms. Several mechanisms for fast packet classification have been proposed. But existing algorithms are not always scalable to large filter databases in terms of search time and memory storage requirements. In this paper, we present a novel multi-field packet classification algorithm based on an existing algorithm called Pacars and we show its advantages compared to previously proposed algorithms. We give performance measurements using a publicly available benchmark developed at Washington University. We show how our algorithm offers improved search times without any limitation in terms of incremental updates.
Article
IPSec has been proposed to provide integrity, confidentiality and authentication of data communications over IP networks. However, the complex semantics of IPSec policies results in potential conflicts, such as shielding conflict, redundancy conflict and overlapping conflict, etc. The conflicts should be identified and detected to avoid Internet security threats. However, there has been no research on identifying and defining IPSec security policy conflicts formally and comprehensively. So it is necessary to give an in-depth analysis of policy conflicts. Therefore, the paper presents a generic model that represents IPSec security policy semantics. Based on it, we classify and formally define conflicts that may exist in a single IPSec device or in some tunnels between different IPSec devices. It is also proved that the conflict analysis is comprehensive. The research provides a theoretical foundation for policy conflict detection and prevention in IPSec policy configuration.
Article
Full-text available
Collaborative work needs a flexible secured networking management tool, as virtual teams can be formed and disbanded rapidly. Building a multi-domain security policy is a challenge as far as each domain has to keep total control over its policy. One favorite tool to manage domains is policy based. The hierarchical organization of policy based management fits the intra-domain one but fails when extended to the inter-domain scope. We present inter-domain security policies based on the coalition concept and policy abstractions. Such abstractions enable policy designers to focus on communication end-points. However, devices standing on these communications have to be configured. We introduce a method that automatically computes the policy required for these intermediate devices.
Article
With the rapid development of Virtual Private Network (VPN), many companies and organizations use VPN to implement their private communication. Traditionally, VPN uses security protocols to protect the confidentiality of data, the message integrity and the endpoint authentication. One core technique of VPN is tunneling, by which clients can access the internal servers traversing VPN. However, the tunneling technique also introduces a concealed security hole. It is possible that if one vicious user can establish tunneling by the VPN server, he can compromise the internal servers behind the VPN server. So this paper presents a novel Application-layer based Centralized Information Access Control (ACIAC) for VPN to solve this problem. To implement an efficient, flexible and multi-decision access control model, we present two key techniques to ACIAC—the centralized management mechanism and the stream-based access control. Firstly, we implement the information center and the constraints/events center for ACIAC. By the two centers, we can provide an abstract access control mechanism, and the material access control can be decided dynamically by the ACIAC’s constraint/event mechanism. Then we logically classify the VPN communication traffic into the access stream and the data stream so that we can tightly couple the features of VPN communication with the access control model. We also provide the design of our ACIAC prototype in this paper.
Conference Paper
A Mobile Node in a Mobile IPv6 network communicating with a Correspondent Node could freely roam into different Access Routers. But when a Mobile Node from a Previous Access Router roams into a New Access Router, the Fast Handover protocol will be applied. Attackers could use the combination of Denial of Service with Masquerading to compromise the network. Some papers have discussed the problem and proposed two solutions to the problem. But the two solutions may be too complicated and consume too much CPU. This paper proposes a new solution: introduce neural cryptography into the Fast Handover protocol.
Conference Paper
Full-text available
This paper proposes to improve policy-based management by integrating security parameters into the service level specification (SLS). Integrating those parameters in the QoS part of the service level agreement (SLA) specification is of particular importance for multimedia services requiring security since QoS is negotiated when the multimedia service is deployed. Security mechanisms need to be negotiated at that time when sensitive multimedia information is exchanged. In this paper we show that including security parameters in the SLA specification improves the negotiation and deployment of security and QoS policies for multimedia services. The parameters this paper proposes to integrate have the advantage of being understandable by end-users and service providers.
Conference Paper
Full-text available
IPsec (IP security) will function correctly only if its security policies satisfy all the requirements. If the security policies cannot meet a set of consistent requirements, we say there are policy conflicts. In this paper, we analyze all situations which could possibly lead to a policy conflict and try to resolve all of them. We induce only two situations which could cause conflicts and also propose an algorithm to automatically generate conflict-free policies which satisfy all requirements. We also implement our algorithm, compare the results of simulation with the other approaches, and show that it outperforms existing approaches in the literature.
Article
We have studied the case of deploying services in public wireless networks based on the IEEE 802.11 standard. Due to low cost, easy deployment, cost effectiveness and high performance, this technology appears as a very attractive solution for providing Internet access and services in public places called hotspots, such as airports, hotels, train stations, etc. Actually, there are numerous solutions that allow user management in WLAN networks. However, most of them do not support multiple service providers and provide all users with the same level of service for Internet access. In our paper, we propose a new software management architecture for hotspot networks, which is based on the policy-based management principles introduced as a result of collaboration with the IETF. Our solution enables multiple service provider support and it allows user and service differentiation in hotspot networks. It provides an efficient, flexible and scalable user management solution by implementing a coherent combination of AAA functions, quality of service guarantees and security assurance for hotspot operators and service providers. For policy configuration, XML schemas have been defined, offering an open, easy and customizable management architecture. Moreover, since our solution is layer 2 agnostic, it can be extended to different access technologies such as DSL, PLC, etc. This management architecture has been implemented, tested and validated on the 6WINDGate routers and it can easily be ported onto other software architectures and open standard platforms.
Conference Paper
Ensuring that an IP Security (IPSec) gateway meets its performance expectations is one of the most important objectives that an IPSec gateway development team must face. Only a suitable validation approach may prove that IPSec gateway throughput is correct, Security Associations' adding/removing time is acceptable, the IPSec gateway is capable of processing a huge number of flows, and IPSec rekeying works with the required performance level. This paper puts forward a plan for IPSec gateway performance testing. The discussion is illustrated with several examples of test cases that can be used during IPv4/IPv6 IPSec gateway validation and verification.
Conference Paper
A mobile node (MN) in a MIP network engaging with a correspondent node (CN) can freely roam into different access routers (AR). However, when an MN from a previous AR (PAR) roams into a new AR (NAR), the fast handover protocol will have to be engaged. Though an upper layer protocol such as IPSec will take care of the security handling, it is thought to be somehow insufficient and unconvincing. An upper layer protocol such as IPSec could only prevent leakage of data integrity by applying and agreeing upon certain encryption standards and could not prevent attacks such as the combination of denial of service (DoS) with Masquerading. This paper proposes two solutions to the above problem. One solution is to use a public key encryption algorithm; the other is to introduce the Diffie-Hellman algorithm into the fast handover protocol.
Article
Security is vital to the success of e-commerce and many new value-added IP services. As a consequence, IPsec is an especially important security mechanism in that it provides cryptography-based protection mechanisms for IP packets. Moreover, in order for IPsec to work properly, security policies that describe how different IP packets are protected must be provisioned on all network elements that offer IPsec protection. Since IPsec policies are quite complex, manually configuring them on individual network elements is inefficient and therefore infeasible for large-scale IPsec deployment. Policy-based IPsec management strives to solve this problem: policy-based management employs a policy server to manage a network as a whole; it translates business goals or policies into network resource configurations and automates these configurations across multiple different network elements. Policy-based IPsec management significantly simplifies the task of defining, deploying, and maintaining security policies across a network, thereby significantly simplifying large-scale IPsec deployment. This article describes the motivations, key concepts, and recent IETF developments for policy-based IPsec management. It then applies the key concepts to an example of IPsec VPN service provisioning and further describes an example of an IPsec policy server as well as experience gained from implementing such a server. Challenges facing policy-based IPsec management are also discussed.