IPsec/VPN security policy correctness and assuranc

The Internet has become increasingly much more dynamic in many aspects. With the capability of variouswireless network technologies, users and even sub-networks can be mobile. Mobility implies potential changes inthe policies or the inter-relations among distributed policies. Adaptive security is another cause of policy changes.It will be common in the near future for a security management system to react to a newly detected intrusion,by on-the-fly determining to strengthen the security level by modifying the IPsec security policies. Usually anIPsec policy rule consists of two parts: condition and action; if the condition part is met, then the action part will beenforced. The values in the IP header fields are mapped to condition part as one traffic selector, while the action partspecifies how to handle the traffic flow that fits the selector. For an IPsec/VPN policy, it can enforce the followingthree possible actions: deny, allow, IPSec-actions (these can include ESP – Encapsulating Security Payload, AH –Authentication Header, tunnel mode or transportation mode etc.), as shown in the examples in Fig. 1.However, IPsec/VPN policies on the Internet today are being configured by different administrative domains,which is inefficient and error-prone. Even for IPsec/VPN policy configuration in an intra-domain network environment, very limited management tools are available to the administrators, and to our best knowledge, noneof them guarantees any rigorous form of correctness about IPsec/VPN policies. Small or subtle errors in thiscomplex/tedious process as shown in the scenarios below may manifest themselves as massive holes in the overallsecurity of the network. In addition, the interactions among policies can cause unexpected security breaches, whichare very difficult to check even with careful and experienced administrators.