Date of Award
Master of Science
Department of Electrical and Computer Engineering
Richard A. Raines, PhD
As the Internet Protocol version 6 (IPv6) implementation becomes more widespread, the IP Security (IPSec) features embedded into the next-generation protocol will become more accessible than ever. Though the network-layer encryption provided by IPSec is a boon to data security, its use renders standard network intrusion detection systems (NIDS) useless. The problem of performing intrusion detection on encrypted traffic has been addressed by differing means with each technique requiring one or more static secret keys to be shared with the NIDS beforehand. The problem with this approach is static keying is much less secure than dynamic key generation through the Internet Key Exchange (IKE) protocol. This research creates and evaluates a secret-key sharing framework which allows both the added security of dynamic IPSec key generation through IKE, and intrusion detection capability for a NIDS on the network. Analysis shows that network traffic related to secret-key sharing with the proposed framework can account for up to 58.6% of total traffic in the worst case scenario, though workloads which are arguably more average decrease that traffic to 10-15%. Additionally, actions associated with IKE and secret-key sharing increase CPU utilization on the NIDS up to 20.7%. Results show, at least in limited implementations, a secret-key sharing framework provides robust coverage and is a viable intrusion detection option.
DTIC Accession Number
Sweeney, Patrick J., "Enabling Intrusion Detection in IPSEC Protected IPV6 Networks through Secret-Key Sharing" (2005). Theses and Dissertations. 3841.