DocumentCode :
2392598
Title :
Security investigation and enhancement of IKEV2 protocol
Author :
Zhou, Ping ; Qin, Yajuan ; Xu, Changqiao ; Guan, Jianfeng ; Zhang, Hongke
Author_Institution :
Nat. Eng. Lab. for Next Generation Internet Interconnection Devices, Beijing Jiaotong Univ., Beijing, China
fYear :
2010
fDate :
26-28 Oct. 2010
Firstpage :
65
Lastpage :
69
Abstract :
IPsec has become a very popular Internet security infrastructure today. As a new key exchange protocol of IPsec, IKEv2 can, to some extent, use a cookie negotiation mechanism to detect and resist memory-based denial-of-service (DoS) attacks in the application layer. However, IKEv2 still cannot avoid IP fragment-based DoS attacks, since IKEv2 message transmission runs over UDP and large IKE messages need to be fragmented during the exchange process between two IKE peers. In this paper we first investigate some typical methods and analyze their inability to resist the IP fragmentation DoS attack. To overcome this problem, we design a new IKEv2 header format called M-ISAKMP, and add a new type of Notification Payload and other related strategies. With the novel application-based fragmentation mechanism, our proposed enhanced IKEv2 protocol defends against DoS attacks successfully and efficiently.
Keywords :
IP networks; Internet; computer network security; cryptographic protocols; message authentication; IKEV2 protocol; IKEv2 messages transmission; IP fragment-based DoS attacks; Internet security infrastructure; M-ISAKMP; UDP; application-based fragmentation mechanism; cookie negotiation mechanism; key exchange protocol; memory-based denial-of-service attack; notification payload; security enhancement; security investigation; Cryptography; Fires; IP networks; Intelligent systems; Logic gates; Payloads; Protocols; DoS attack; IKEv2; IPsec; VPN; fragmentation;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Broadband Network and Multimedia Technology (IC-BNMT), 2010 3rd IEEE International Conference on
Conference_Location :
Beijing
Print_ISBN :
978-1-4244-6769-3
Type :
conf
DOI :
10.1109/ICBNMT.2010.5704870
Filename :
5704870