4.4. Transport Layer Security

Implementing security mechanisms at the network layer for end-to-end communications can run into practical problems, since the network layer must also take care of packet routing between the two communicating end parties. For IP networking, this means that routers and other network agents, such as mobility agents, need to read the IP header to perform their forwarding functions. As we saw earlier, when IPsec ESP is used to protect packets at the IP layer, the information inside higher-layer headers (such as TCP headers) is hidden from the outside world. Intermediate network management entities, or middle boxes, such as network address translators (NATs) or quality of service (QoS) policing entities, which need to look at transport-layer ports to perform address translation or traffic shaping, will then be unable to do their jobs; a NAT is likewise unable to rewrite addresses that are covered by AH integrity protection without invalidating the packet. A significant amount of design and standardization effort has been devoted to solving these interoperability issues between IPsec and the variety of middle boxes and network management entities, the UDP encapsulation of ESP for NAT traversal (RFC 3948) being the best-known result.
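To make the middle-box problem concrete, the following added example (not code from the book) parses three constructed IPv4 packets the way a NAT or QoS box must, from the outer header inward, and reports which transport ports it can act on: a plain TCP segment, the same segment inside ESP, and the same ESP packet UDP-encapsulated on port 4500 as in RFC 3948. The packets, addresses, SPI and the stand-in "ciphertext" are all constructed here for illustration; no real encryption is performed.

```python
"""
Added example: what a NAT / QoS middle box can and cannot see when a TCP
segment travels plain, inside IPsec ESP, or inside UDP-encapsulated ESP.
All packets are constructed inline; the ESP payload is opaque filler bytes
standing in for ciphertext.
"""
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50
NAT_T_PORT = 4500  # UDP port for ESP-in-UDP encapsulation (RFC 3948)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header, no options, checksum left zero."""
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def tcp_header(sport, dport):
    """Minimal 20-byte TCP header: ports, seq, ack, offset, flags(SYN), win, csum, urg."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


def esp_packet(spi, seq, ciphertext):
    """ESP (RFC 4303): SPI, sequence number, then the encrypted payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def middlebox_view(packet):
    """Walk from the IP header inward and report what a NAT/QoS box can use.
    'ports' is None when no transport ports are visible; 'nat_ok' says whether
    the box has something it could legitimately translate or classify on."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    body = packet[ihl:]
    view = {"src": src, "dst": dst, "proto": proto, "ports": None, "nat_ok": False}

    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", body[:4])
        view.update(ports=(sport, dport), nat_ok=True,
                    note="plain TCP: ports visible, translation and shaping possible")
    elif proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # Everything after SPI/sequence number is ciphertext: the inner TCP
        # header is opaque, so the box cannot find or rewrite ports at all.
        view.update(spi=spi, seq=seq, note="ESP: inner ports hidden, only SPI visible")
    elif proto == IPPROTO_UDP:
        sport, dport, _ulen, _csum = struct.unpack("!HHHH", body[:8])
        view.update(ports=(sport, dport), nat_ok=True)
        if NAT_T_PORT in (sport, dport):
            # RFC 3948: ESP header follows the UDP header directly.
            spi, seq = struct.unpack("!II", body[8:16])
            view.update(spi=spi, seq=seq,
                        note="UDP-encapsulated ESP: outer UDP ports give the NAT something to translate")
        else:
            view["note"] = "plain UDP: ports visible"
    return view


def build_samples():
    """Constructed packets: the same TCP SYN carried three ways."""
    inner_tcp = tcp_header(49152, 443)
    plain = ipv4_header("10.0.0.5", "203.0.113.7", IPPROTO_TCP, len(inner_tcp)) + inner_tcp

    # Filler standing in for the encrypted TCP header plus ESP trailer.
    ciphertext = bytes([0xA5] * (len(inner_tcp) + 8))
    esp = esp_packet(0x1234ABCD, 1, ciphertext)
    protected = ipv4_header("10.0.0.5", "203.0.113.7", IPPROTO_ESP, len(esp)) + esp

    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0) + esp
    natt = ipv4_header("10.0.0.5", "203.0.113.7", IPPROTO_UDP, len(udp)) + udp
    return {"plain": plain, "esp": protected, "natt": natt}


if __name__ == "__main__":
    for name, pkt in build_samples().items():
        print(name, middlebox_view(pkt))
```

The ESP case is the point of the passage: the box sees a valid IP header and an SPI but no ports, so port-based NAT and QoS classification have nothing to work with. The UDP-encapsulated case shows why the NAT traversal work mattered: the outer UDP ports are in the clear and can be translated, while the ESP payload stays protected.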

Another serious problem for network-layer security protocols such as IPsec and IKE is that they typically establish trust relationships (security associations, SAs) using IP addresses as identifiers: an IPsec SA is selected by its SPI together with the destination address, and IKE peers are frequently identified by address as well. When a node changes its IP address, for example because it uses Mobile IP, the original SAs are no longer valid and must be renegotiated. (The later MOBIKE extension to IKEv2, RFC 4555, was designed specifically to let an SA survive such an address change.)

Figure 4.11. TLS Protocol stack

Finally, IPsec ...
