(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 7, July 2011
related problems. Therefore, theeffectiveness of the IPSec technology withrespect to the security of Computernetworks is dependent on (1) the thoroughunderstanding of the sources of theseconflicts, (2) providing policymanagement techniques/tools that enablenetwork administrators to analyze, purifyand verify the correctness of written IPSecrules/policies, with minimal humaninterventionThis paper, defines a formal model forIPSec rule relations and their filteringrepresentation, and highlights the single-trigger as well as the multi-triggersemantics of IPSec policies. This paperalso presents comprehensive classificationof conflicts that could exist in a singleIPSec gateway (intra-policy conflicts) orbetween different IPSec gateways (inter-policy conflicts) in enterprise networkswith a view to enhancing the identificationof such conflicts. Finally, a brief description of the implementation ispresented.2. Internet Protocol Security (IPSec)Policy BackgroundIPSec policy is a list of ordered filteringrules that define the actions performed onmatching packets. A rule iscomposed of filtering fields (also callednetwork fields) such as protocol type,source IP address, destination IP address,source port and destination port, and afilter action field. Each network field couldbe a single value or range of values.Filtering actions are either of thefollowing;-
for secure transmission of packets in and/or out of the securednetwork
for insecure transmission
to drop the traffic (causethe packets to be discarded).
A packet is protected or discarded, asthe case may be, by a specific rule if thepacket header information matches all thenetwork fields of this rule. Otherwise, thenext following rule is used to test thematching with this packet again. Similarly,this process is repeated until a matchingrule is found. If no matching rule is found,the assumption here is that traffic isdropped /discarded.
2.1 The basic Filtering Rule Format
The most commonly used matching fieldsIPSec filtering rules are: protocol type,source IP address, source port, destinationIP address and destination port. and .Below is a common packet filtering ruleformat in an IPSec policy;
<order> <protocol> <src_ip> <src_port> <dst_ip><dst_port> <action>
of a rule determines itsposition relative to other filteringrules.-
specifies the transportprotocol of the packet, and can beone of these values: IP, ICMP,IGMP, TCP or UDP.
specify the IPaddresses of the source anddestination of the packetrespectively.
fields specifythe port address of the source anddestination of the packetrespectively. The port can be asingle specific port number or any
port number, indicated by “any”.
specifies the action to betaken when a packet matches arule.The
protocol, src_ip, src_port, dst_ip,
fields, can be referred to as
“network fields” or 5