

Mobile multi-layered IPsec
Authors:Heesook Choi  Hui Song  Guohong Cao  Thomas F. La Porta
Affiliation:(1) Department of Computer Science and Engineering, The Pennsylvania State University, University Park, PA 16802, USA
Abstract:To achieve high throughput in wireless networks, smart forwarding and processing of packets in access routers is critical for overcoming the effects of the wireless links. However, these services cannot be provided if data sessions are protected using end-to-end encryption as with IPsec, because the information needed by these algorithms resides inside the portion of the packet that is encrypted, and can therefore not be used by the access routers. A previously proposed protocol, called Multi-layered IPsec (ML-IPsec) modifies IPsec in a way so that certain portions of the datagram may be exposed to intermediate network elements, enabling these elements to provide performance enhancements. In this paper we extend ML-IPsec to deal with mobility and make it suitable for wireless networks. We define and implement an efficient key distribution protocol to enable fast ML-IPsec session initialization, and two mobility protocols that are compatible with Mobile IP and maintain ML-IPsec sessions. Our measurements show that, depending on the mobility protocol chosen, integrated Mobile IP/ML-IPsec handoffs result in a pause of 53–100 milliseconds, of which only 28–75 milliseconds may be attributed to ML-IPsec. Further, we provide detailed discussion and performance measurements of our MML-IPsec implementation. We find the resulting protocol, when coupled with SNOOP, greatly increases throughput over scenarios using standard TCP over IPsec (165% on average). By profiling the MML-IPsec implementation, we determine the bottleneck to be sending packets over the wireless link. In addition, we propose and implement an extension to MML-IPsec, called dynamic MML-IPsec, in which a flow may switch between plaintext, IPsec and MML-IPsec. Using dynamic MML-IPsec, we can balance the tradeoff between performance and security.

Heesook Choi is a Ph.D. candidate in the Department of Computer Science and Engineering at the Pennsylvania State University. She received her B.S. degree in Computer Science and Statistics and M.S. degree in Computer Science from the Chungnam National University, Korea, in 1990 and 1992 respectively. She was a senior research staff in Electronics and Telecommunications Research Institute (ETRI) in Korea before she enrolled in the Ph.D. program at the Pennsylvania State University in August 2002. Her research interests lie in security and privacy in distributed systems and wireless mobile networks, focusing on designing algorithms and conducting system research.

Hui Song is a Ph.D. candidate in the Department of Computer Science and Engineering at the Pennsylvania State University, University Park. He received the M.E. degree in Computer Science from Tsinghua University, China in 2000. His research interests are in the areas of network and system security, wireless ad-hoc and sensor networks, and mobile computing. He was a recipient of the research assistant award of the Department of Computer Science and Engineering at the Pennsylvania State University in 2005.

Guohong Cao received his BS degree from Xian Jiaotong University, Xian, China. He received the MS degree and Ph.D. degree in computer science from the Ohio State University in 1997 and 1999 respectively. Since then, he has been with the Department of Computer Science and Engineering at the Pennsylvania State University, where he is currently an Associate Professor. His research interests are wireless networks and mobile computing. He has published over one hundred papers in the areas of sensor networks, wireless network security, data dissemination, resource management, and distributed fault-tolerant computing. He is an editor of the IEEE Transactions on Mobile Computing and IEEE Transactions on Wireless Communications, a guest editor of special issue on heterogeneous wireless networks in ACM/Kluwer Mobile Networking and Applications, and has served on the program committee of many conferences. He was a recipient of the NSF CAREER award in 2001.

Thomas F. La Porta received his B.S.E.E. and M.S.E.E. degrees from The Cooper Union, New York, NY, and his Ph.D. degree in Electrical Engineering from Columbia University, New York, NY. He joined the Computer Science and Engineering Department at Penn State in 2002 as a Full Professor. He is the Director of the Networking and Security Research Center at Penn State. Prior to joining Penn State, Dr. La Porta was with Bell Laboratories since 1986. He was the Director of the Mobile Networking Research Department in Bell Laboratories, Lucent Technologies where he led various projects in wireless and mobile networking. He is a Bell Labs Fellow. Dr. La Porta was the founding Editor-in-Chief of the IEEE Transactions on Mobile Computing and served as Editor-in-Chief of IEEE Personal Communications Magazine. He is currently the Director of Magazines for the IEEE Communications Society and is a member of the Communications Society Board of Governors. He has published over 50 technical papers and holds 28 patents. His research interests include mobility management, signaling and control for wireless networks, mobile data systems, and protocol design.
Keywords:IPsec  Mobile IP  Wireless TCP  Multi-Layered IPsec  SNOOP  Security
This article has been indexed by SpringerLink and other databases.