Master Thesis

IP SECURITY - SYSTEM AND NETWORK REQUIREMENTS
My master thesis (20 credits) was the final step in my university degree and the project was performed at Lund University, Department of Computer Science, in very close connection with Axis Communications AB. The thesis work was performed during spring and summer 2002 at Axis corporate and engineering headquarters in Lund, Sweden.

The thesis report, IP Security - System and Network Requirements, the thesis definition and the executive summary are available at this site as PDF documents.

Thesis Abstract
All communication over the Internet is made with the same language, known as the Internet Protocol (IP). This protocol does not provide any security at all, and information travelling on the network could be exposed to all kinds of devious tasks, such as data manipulation, eavesdropping and forgery. Many applications using the Internet require or could benefit from mechanisms that can provide strong security to the information that needs to be exchanged on the network. The IP Security (IPsec) protocol suite is one such security mechanism that provides data source authentication, data integrity and data confidentiality to any protocol that runs on top of IP, e.g. TCP, UDP and ICMP. This thesis describes, investigates and evaluates the IPsec protocol suite both theoretically and practically and brings forth advantages and disadvantages of this protocol suite in comparison to other security approaches. Security and efficient communication are unfortunately two opposing concepts. These issues have not yet been extensively addressed, and available information concerning this trade-off is sparse. The practical investigation was therefore designed to fill some of this gap and concerns the IPsec functionality in embedded systems together with benchmark measurements.

Some conclusions
The thesis report points out several reasons why IPsec should be strongly considered when communication security needs to be utilized. IPsec has, for example, the widest industry support and is supported by Cisco Systems Ltd, Microsoft, Network Associates and Checkpoint Software. This industry support ensures interoperability and the availability of a wide line of security products in years to come. This is highly important when security systems need to be augmented in the future. There are also some important characteristics of IPsec that bring the protocol suite to the front line when communication security is concerned.

Among these are:
  • IPsec protects network traffic at the IP packet level, as a completely transparent operation to upper layers. This means that there is no need to change applications, and the user need not perform additional procedures to protect the network traffic. In fact, the user need not even know that the network traffic is protected by IPsec.
  • IPsec is a native IP operation and is not limited to specific operating system solutions. It can therefore be utilized in any environment where IP is implemented.
  • IPsec is a mandatory part of the imminent IPv6 standard.
  • IPsec has a wide variety of strong encryption standards and can be utilized with future encryption standards, e.g. AES.
  • IPsec includes a secure key management solution, IKE, with digital certificate support. IKE also provides overall ease of management in comparison to manual keying.
