End-Host Authentication and Authorization for Middleboxes Based on a Cryptographic Namespace

T. Heer, R. Hummen, M. Komu, S. Gotz, K. Wehrle
2009 2009 IEEE International Conference on Communications  
Today, middleboxes such as firewalls and network address translators have advanced beyond simple packet forwarding and address mapping. They also inspect and filter traffic, detect network intrusion, control access to network resources, and enforce different levels of quality of service. The cornerstones for these security-related network services are endhost authentication and authorization. Using a cryptographic namespace for end-hosts simplifies these tasks since it gives them an explicit
more » ... verifiable identity. The Host Identity Protocol (HIP) is a key-exchange protocol that introduces such a cryptographic namespace for secure end-to-end communication. Although HIP was designed with middleboxes in mind, these cannot securely use its namespace because the on-path identity verification is susceptible to replay attacks. Moreover, the binding between HIP as an authentication protocol and IPsec as payload transport is insufficient because on-path middleboxes cannot securely map payload packets to a HIP association. In this paper, we propose to prevent replay attacks by allowing packetforwarding middleboxes to directly interact with end-hosts. Also we propose a method for strengthening the binding between the HIP authentication process and its payload channel with hashchain-based authorization tokens for IPsec. Our solution allows on-path middleboxes to efficiently leverage cryptographic endhost identities and integrates cleanly into existing standards.
doi:10.1109/icc.2009.5198984 dblp:conf/icc/HeerHKGW09 fatcat:lhg73omeyjhy3gggs7k5khfzey