Abstract
IPSec/VPN management is a complicated challenge, since IPSec functions correctly only if its security policies satisfy all administered requirements. Computer-generated security policies tend to conflict with each other, which can cause network congestion or create security vulnerabilities. Conflict resolution has therefore become an issue. In this paper, a method to automatically generate policies is proposed. Instead of performing the complicated conflict-checking procedures that most existing works rely on, the proposed Zero-Conflict algorithm predicts and avoids conflicts in advance by using requirement groups and cut point techniques. Since policies are established without the need to perform a backward conflict check, the time complexity is significantly lower, namely O(n log n). Experimental results show that the method maintains a satisfactorily minimal number of generated tunnels.
This research is supported in part by the National Science Council under grants No. NSC94-2213-E035-025 and NSC95-2221-E035-071.
Copyright information
© 2006 IFIP International Federation for Information Processing
Cite this paper
Chen, KH., Liu, YS., Liu, TJ., Dow, CR. (2006). ZERO-Conflict: A Grouping-Based Approach for Automatic Generation of IPSec/VPN Security Policies. In: State, R., van der Meer, S., O’Sullivan, D., Pfeifer, T. (eds) Large Scale Management of Distributed Systems. DSOM 2006. Lecture Notes in Computer Science, vol 4269. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11907466_17
DOI: https://doi.org/10.1007/11907466_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-47659-7
Online ISBN: 978-3-540-47662-7