The IPsec protocol suite was designed in the IETF to provide cryptographic network security services to protect datagrams in the Internet. IPsec tunnels have become one of the most widely adopted means to build secure VPNs between sites and individual computers. To date, most IPsec VPNs are statically configured and are of moderate scale. To facilitate future, very large VPNs with potentially varied security policies and changing memberships, the industry must move to the use of dynamic key management protocols and policy management systems to ease the administrative burden associated with VPN instantiation and operation.
However, the relative performance and dynamic behavior of interacting suites of security protocols in large-scale VPNs have not been thoroughly investigated and measured. Considering the complexity of the IPsec and key management systems and the dynamics of large networks, the security protocol suite interactions and their dynamic behaviour would seem to be difficult to study in real networking environments. Although the detailed security issues such as cryptographic strength may not be accurately evaluated in the simulation environment, understanding the dynamics of security protocol interactions in large-scale networks can best be accomplished through simulations.
We have developed a NIST IPSec and IKE Simulation Tool (NIIST) that provides integrated Internet security modeling, to help examine and investigate the behavioural and relative performance characteristics, including the interoperability, scalability and performance implications, of IPsec suites in large-scale VPN environments. Furthermore, the IETF IP security community is currently in the process of defining version 2 of the Internet Key Exchange (IKEv2) protocol, aiming to resolve the complexities of the current IKE version 1 (IKEv1) specification. We are also in the process of modeling the IKEv2 protocol to help evaluate the performance improvement and behavioural characteristics of IKEv2.
The goals of the project are: