2006 Japan-China Joint Workshop on Frontier of Computer Science and Technology (2006)
Aizu-Wakamatsu, Fukushima, Japan
Nov. 17, 2006 to Nov. 18, 2006
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/FCST.2006.10
Zhitang Li , Huazhong University of Science and Technology, China
Xue Cui , Huazhong University of Science and Technology, China
Lin Chen , Huazhong University of Science and Technology, China
IPSec has been proposed to provide integrity, confidentiality and authentication of data communications over IP networks. However, the complex semantics of IPSec policies can give rise to conflicts, such as shielding conflicts, redundancy conflicts and overlapping conflicts, among others. These conflicts should be identified and detected to avoid Internet security threats. However, there has been no research that identifies and defines IPSec security policy conflicts formally and comprehensively, so an in-depth analysis of policy conflicts is necessary. Therefore, this paper presents a generic model that represents IPSec security policy semantics. Based on it, we classify and formally define the conflicts that may exist in a single IPSec device or in tunnels between different IPSec devices. We also prove that the conflict analysis is comprehensive. The research provides a theoretical foundation for policy conflict detection and prevention in IPSec policy configuration.
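The three single-device conflict classes the abstract names, as an added example that is not the paper's own model (its formal definitions are not on this page): an ordered first-match SPD is represented as selector intervals, and each later rule is compared with every earlier one under the common working definitions of shielding, redundancy and overlapping. The rule field set, the first-match assumption and the sample policy are all constructed here; the inter-device tunnel conflicts the paper also covers are outside this snippet.

```python
import ipaddress
from dataclasses import dataclass
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}

@dataclass(frozen=True)
class Rule:  # one ordered SPD entry (assumed field set): selector plus action
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "any" or a key of PROTO
    dport: tuple  # inclusive destination port range (lo, hi)
    action: str   # "protect", "bypass" or "discard"

def _fields(r):
    # Every selector dimension as an inclusive integer interval, so containment
    # and intersection reduce to interval checks in each dimension.
    nets = [ipaddress.ip_network(c, strict=False) for c in (r.src, r.dst)]
    proto = (0, 255) if r.proto == "any" else (PROTO[r.proto],) * 2
    return [(int(n.network_address), int(n.broadcast_address)) for n in nets] + [proto, tuple(r.dport)]

def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    return all(x[0] <= y[0] and y[1] <= x[1] for x, y in zip(_fields(a), _fields(b)))

def intersects(a, b):
    """True if some packet is matched by both rules."""
    return all(max(x[0], y[0]) <= min(x[1], y[1]) for x, y in zip(_fields(a), _fields(b)))

def find_conflicts(rules):
    """Check each later rule against each earlier one under first-match semantics
    (working definitions, not the paper's formalism): shielding = an earlier rule
    with a different action covers it entirely, so it can never fire; redundancy =
    an earlier rule with the same action covers it; overlapping = partial intersection
    with differing actions, so the outcome for shared traffic depends on ordering."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if covers(earlier, later):
                kind = "redundancy" if earlier.action == later.action else "shielding"
                found.append((kind, i, j))
            elif intersects(earlier, later) and earlier.action != later.action:
                found.append(("overlapping", i, j))
    return found

# Constructed sample policy (not from the paper); comments give the expected finding.
POLICY = [
    Rule("10.0.0.0/8", "192.168.1.0/24", "any", (0, 65535), "protect"),
    Rule("10.1.0.0/16", "192.168.1.0/24", "tcp", (22, 22), "bypass"),     # shielded by rule 0
    Rule("10.2.0.0/16", "192.168.1.0/24", "udp", (500, 500), "protect"),  # redundant with rule 0
    Rule("0.0.0.0/0", "192.168.0.0/16", "tcp", (80, 80), "discard"),      # overlaps rule 0
]
```

Running `find_conflicts(POLICY)` reports one conflict of each class, all against rule 0; a real SPD check would also compare direction and tunnel endpoints, which this model omits.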
Z. Li, L. Chen and X. Cui, "Analysis And Classification of IPSec Security Policy Conflicts," 2006 Japan-China Joint Workshop on Frontier of Computer Science and Technology (FCST), Aizu-Wakamatsu, Fukushima, Japan, 2006, pp. 83-88.