Patent Application
20050066159
1. Field of the Invention
The invention relates to communications technology. In particular, the invention relates to a novel and improved method and system for remotely and transparently managing security associations of Internet Protocol Security.
2. Description of the Related Art
Internet Protocol Security, also referred to as IPSec or IPsec, is a framework for providing security in IP networks at network layer. IPSec is developed by The Internet Engineering Task Force (IETF). RFC documents (Request for Comments, RFC) 2401 to 2409 by IETF describe IPSec.
IPSec provides confidentiality services and authentication services to IP traffic. These services are provided by protocols called Authentication Header (AH, described in RFC 2402), which essentially allows authentication of the sender of data, and Encapsulating Security Payload (ESP, described in RFC 2406), which supports both authentication of the sender and encryption of data.
Authentication Header and Encapsulating Security Payload require session keys in order to operate. The session keys are typically generated via key management protocols, such as Internet Key Exchange (IKE, described in RFC 2409). A key management protocol called Authentication and Key Agreement (AKA) may also be used, particularly in communication networks based on 3GPP (3rd Generation Partnership Project) systems. Additionally, there are other key management protocols that may be used.
In addition to the protocols mentioned above, IPSec uses security associations to provide its services. An IPSec security association comprises such information as traffic selectors, cryptographic transforms, session keys and session key lifetimes. A key management application is responsible for negotiating the creation and deletion of an IPSec security association.
Typically IPSec services and key management protocols may be found e.g. in dedicated security gateways, servers, desktop computers and handheld terminals. In prior art, whatever the target device, the IPSec services and key management protocols are tied together in the sense that they are co-located in the same device. So it also follows that the communication mechanism between IPSec services and an associated key management protocol is local.
In a distributed computing environment, however, network element functionality benefits from an architecture in which various applications are located in dedicated devices. For example, applications requiring cryptographic operations are typically located in a special purpose device containing suitable hardware and software for the task. Other applications may require more CPU processing power and may therefore be located in a different type of special purpose device. Further, in a distributed computing environment, applications typically require services from each other in order to provide the network element functionality.
In the case of network layer security, IPSec and its associated key management protocols are examples of applications requiring services from each other. It would be beneficial to arrange IPSec service on a device capable of high-speed symmetric cryptography, and to arrange its associated key management protocol in another device with high CPU power and/or asymmetric cryptography acceleration. Yet, as mentioned above, in prior art IPSec service and the key management protocol used by it are located in the same computing device. There are many key management protocols, each with different characteristics. If, as is the case with prior art, all these various key management protocols have to be located in the same device as the IPSec service, network element design, implementation and deployment become inefficient and sometimes even impossible.
Thus there is an obvious need for a more sophisticated approach allowing IPSec service and its associated key management protocols to be arranged on different devices, particularly in distributed computing environments. Further, it would be beneficial to be able to transparently do this distribution of IPSec and its associated key management.
The present invention concerns a method and a system for remotely and transparently managing security associations of Internet Protocol Security.
The system comprises one or more application devices. Each application device comprises at least one management client for issuing security association management requests.
The system further comprises a service device. The service device comprises an Internet Protocol Security service means for providing one or more Internet Protocol Security services. The service device further comprises a management server for receiving the issued requests and for responding, in connection with the Internet Protocol Security service means, to the received requests.
The system further comprises a communication network for connecting the application devices to the service device.
In an embodiment of the invention at least one application device further comprises an interface means for providing an interface via which the at least one management client associated with the application device and the management server communicate with each other. Thus, the interface means according to the present invention and the management server according to the present invention allow such distribution of IPSec and its associated key management that is transparent to the management client and to the Internet Protocol Security service means. In other words, present management clients do not need to be modified for them to be able use services provided by the Internet Protocol Security service means even though said Internet Protocol Security service means may be located on another device than said management client.
In an embodiment of the invention the security association management requests include requests for adding security associations, requests for deleting security associations, and/or requests for querying about security associations.
In an embodiment of the invention the interface means includes data structures used in communication between the management client and the management server, and the interface means are implemented as a software library linked dynamically or statistically into a corresponding management client.
In an embodiment of the invention the interface means are arranged to use sockets for communication with the management server.
In an embodiment of the invention the Internet Protocol Security service means and the management server are arranged to use a local communication channel for communication with each other.
In an embodiment of the invention at least one application device comprises two or more management clients, at least two of which management clients utilize session key management protocols different from each other.
In an embodiment of the invention said communication network is a Local Area Network.
The invention makes it possible to remotely manage IPSec security associations. IPSec and its associated key management can be transparently distributed to separate computing devices. Thus each computing device can be optimized to run a specific application. This in turn increases performance and flexibility.
Yet, the invention does not preclude utilizing standard prior art solutions when beneficial. E.g. in smaller configurations the IPSec and its associated key management may still be co-located in the same device. This may be accomplished by switching a remote communication channel to a local one. The switch is transparent to the applications, thus minimizing development effort, and increasing flexibility.
The accompanying drawings, which are included to provide a further understanding of the invention and constitute a part of this specification, illustrate embodiments of the invention and together with the description help to explain the principles of the invention. In the drawings:
Reference will now be made in detail to the embodiments of the invention, examples of which are illustrated in the accompanying drawings.
Internet Protocol Security is typically utilized for example by IP Multimedia Subsystem (IMS) of a 3GPP system based telecommunication network. In such a case, a user equipment (not illustrated) may communicate with the application device APP_DEV_1 or APP_DEV_2 by using a key management protocol, and the end result of this communication is then forwarded to the service device SRV_DEV by the application device APP_DEV_1 or APP_DEV_2. Thus, in this case, the application device APP_DEV_1 or APP_DEV_2 may be running a server portion of the key management protocol, whereas the user equipment may be running a client portion of the key management protocol. The user equipment may use its own local mechanism to communicate the end result to its own IPSec service.
In the exemplary embodiment of the invention illustrated in
In the exemplary embodiment of the invention illustrated in
Further in the exemplary embodiment of the invention illustrated in
Further, as illustrated in
One or more Internet Protocol Security services are provided in a service device, phase 20. Security association management requests are issued from one or more application devices, phase 21. The application devices have been securely connected to the service device by a communication network.
The issued requests are received in the service device, phase 22. The received requests are responded to in the service device in connection with the provided Internet Protocol Security services, phase 23.
In the exemplary embodiment of the invention illustrated in
It is obvious to a person skilled in the art that with the advancement of technology, the basic idea of the invention may be implemented in various ways. The invention and its embodiments are thus not limited to the examples described above, instead they may vary within the scope of the claims.
| Number | Date | Country | Kind |
|---|---|---|---|
| 20031361 | Sep 2003 | FI | national |
