REVIEW: "Demystifying the IPsec Puzzle", Sheila Frankel
- BKDMIPSP.RVW 20010511
"Demystifying the IPsec Puzzle", Sheila Frankel, 2001, 1-58053-079-6,
%A Sheila Frankel sheila.frankel@... frankel@...
%C 685 Canton St., Norwood, MA 02062
%I Artech House/Horizon
%O U$75.00 800-225-9977 fax: 617-769-6334 artech@...
%P 273 p.
%T "Demystifying the IPsec Puzzle"
With its reference to the dim and distant past when Bill Gates was
working on his fifth billion, the first sentence of the first chapter
makes you suspect that this book will be a fun read. Which is a very
strange thing to think about a security text. But the readability
aspect becomes understandable when the author points out that this is
not solely a work designed to turn out IPsec implementors (who may
need additional references), but to inform purchasers and users.
IPsec is both a part of the "next generation" IPv6 standard, and a
security option (or add-on) in the current IPv4. It is governed by
some two dozen Internet RFCs (Request For Comments documents). While
other security measures work only with specific programs, or at the
transport layer (SSL/TLS, for instance), IPsec functions at the IP
(Internet Protocol) or network layer, in order to address the widest
range of applications and problems. It can provide both
confidentiality and authentication, and because it checks each packet
below the transport layer it can discard forged or replayed packets
before they reach a TCP stack or an application, which addresses a
number of denial of service (DoS) attacks that other security systems
cannot.
Chapter one provides a general introduction, and a brief and apposite
background of the Internet and IP layer functions. The author has
culled a minimal foundation from the normal barrage of design and
history, and even the description of IP headers is clear and important
to the matter at hand. The Authentication Header (AH), which assures
the detection of corruption or modification en route (integrity and
origin authentication, but no confidentiality), is discussed in
chapter two. The material also introduces basic structures such as
the security association (SA) database, and provides some detail on
implementation issues and concerns. The Encapsulating Security
Payload (ESP) is described in chapter three, although not quite as
lucidly as was the case for prior material. However, there is also an
excellent section outlining design considerations for the protocol.
Chapter four details the symmetric key algorithms used for AH and ESP
operations, but does not go deeply into the asymmetric systems used by
the Internet Key Exchange (IKE). IKE itself is discussed in general
terms in chapter five, with respect to remote users in chapter six,
and with additional options listed in chapter seven. The PF_KEY application
programming interface for IPsec is described in chapter eight.
Chapter nine deals with issues of policy and policy enforcement. An
overview of PKI (Public Key Infrastructure) is given in chapter ten.
Chapter eleven looks at the special problems of multicast.
The book finishes off as many others start, with an analysis of
whether IPsec can be the right solution to the problem.
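The AH integrity guarantee described above (detection of modification en route, while routers remain free to rewrite hop-by-hop fields) is easy to see in code. The following is an added example, not from the book or from this review: it builds an IPv4 packet carrying an Authentication Header in transport mode, computes the HMAC-SHA1-96 integrity check value over the packet with the mutable IPv4 fields zeroed, and then checks that a TTL decrement by a router still verifies while a one-bit change to the payload does not. The key, SPI and UDP payload are constructed test values; the code assumes an IPv4 header without options.

```python
"""Added example: IPsec AH (RFC 2402) with HMAC-SHA1-96 (RFC 2404) in
IPv4 transport mode. Key, SPI, addresses and payload are constructed
test values, not material from the book or the review."""
import hashlib
import hmac
import struct

AH_PROTO = 51
ICV_LEN = 12          # HMAC-SHA1-96: 20-byte SHA-1 MAC truncated to 96 bits
AH_FIXED_LEN = 12     # next header, payload len, reserved, SPI, sequence number

# Constructed test SA material; in practice negotiated via IKE.
TEST_KEY = bytes(range(20))
TEST_SPI = 0x00001234
# Constructed UDP datagram (src port 40000, dst port 53, length 13) carrying "hello".
UDP_PAYLOAD = struct.pack("!HHHH", 40000, 53, 8 + 5, 0) + b"hello"
UDP_PROTO = 17


def ip_checksum(hdr):
    """Standard one's-complement checksum over a header whose checksum field is zero."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(total_len, ttl, proto, src, dst):
    """20-byte IPv4 header without options; src/dst are 4-byte strings."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, total_len, 0x4242,
                      0x4000, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ah_header(next_header, spi, seq, icv):
    """AH fixed part plus ICV. Payload Len is AH length in 32-bit words minus 2
    (4 for HMAC-SHA1-96 over IPv4, as the RFC gives)."""
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def zero_mutable(packet):
    """Copy of the packet with the IPv4 mutable fields (TOS, flags/fragment
    offset, TTL, header checksum) and the AH ICV zeroed, which is the input
    RFC 2402 defines for the ICV computation."""
    p = bytearray(packet)
    p[1] = 0
    p[6:8] = b"\x00\x00"
    p[8] = 0
    p[10:12] = b"\x00\x00"
    icv_off = 20 + AH_FIXED_LEN
    p[icv_off:icv_off + ICV_LEN] = bytes(ICV_LEN)
    return bytes(p)


def compute_icv(packet, key):
    return hmac.new(key, zero_mutable(packet), hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(payload, next_header, seq, ttl=64, key=TEST_KEY,
                    spi=TEST_SPI, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Sender side: IP header | AH (ICV zero) | payload, then fill in the ICV."""
    total_len = 20 + AH_FIXED_LEN + ICV_LEN + len(payload)
    pkt = (ipv4_header(total_len, ttl, AH_PROTO, src, dst)
           + ah_header(next_header, spi, seq, bytes(ICV_LEN)) + payload)
    icv = compute_icv(pkt, key)
    return pkt[:20 + AH_FIXED_LEN] + icv + payload


def verify_ah_packet(packet, key=TEST_KEY):
    """Receiver side: recompute the ICV and compare in constant time."""
    icv_off = 20 + AH_FIXED_LEN
    received = packet[icv_off:icv_off + ICV_LEN]
    return hmac.compare_digest(received, compute_icv(packet, key))


def forward_hop(packet):
    """Simulate a router: decrement TTL and recompute the IPv4 checksum."""
    p = bytearray(packet)
    p[8] -= 1
    p[10:12] = b"\x00\x00"
    p[10:12] = struct.pack("!H", ip_checksum(bytes(p[:20])))
    return bytes(p)


def tamper_payload(packet):
    """Simulate an on-path modification: flip one bit of the last payload byte."""
    p = bytearray(packet)
    p[-1] ^= 0x01
    return bytes(p)


if __name__ == "__main__":
    pkt = build_ah_packet(UDP_PAYLOAD, UDP_PROTO, seq=1)
    print("fresh packet verifies:     ", verify_ah_packet(pkt))
    print("after a router hop:        ", verify_ah_packet(forward_hop(pkt)))
    print("after payload tampering:   ", verify_ah_packet(tamper_payload(pkt)))
    print("with the wrong key:        ", verify_ah_packet(pkt, key=bytes(20)))
```

The sequence number sits inside the authenticated region, which is what lets a receiver run an anti-replay window on it: a replayed packet carries a sequence number already seen, and an attacker cannot adjust that number without invalidating the ICV.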
The title of this tome is quite appropriate. It provides a clear
outline and, if it isn't always articulate about the implications of
portions of the system, it does a good enough job that the persistent
reader will be able to work out other aspects. Not a book for the
masses, perhaps, but for those who need either to purchase IPsec, or
to choose between IPsec and other technologies, a very useful guide.
copyright Robert M. Slade, 2001 BKDMIPSP.RVW 20010511
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade