BKDMIPSP.RVW 20010511

"Demystifying the IPsec Puzzle", Sheila Frankel, 2001, 1-58053-079-6, U$75.00
%A Sheila Frankel sheila.frankel@nist.gov frankel@artechhouse.com
%C 685 Canton St., Norwood, MA 02062
%D 2001
%G 1-58053-079-6
%I Artech House/Horizon
%O U$75.00 800-225-9977 fax: 617-769-6334 artech@artech-house.com
%P 273 p.
%T "Demystifying the IPsec Puzzle"

With its reference to the dim and distant past when Bill Gates was working on his fifth billion, the first sentence of the first chapter makes you suspect that this book will be a fun read, which is a very strange thing to think about a security text. The readability becomes understandable when the author points out that this is not solely a work designed to turn out IPsec implementors (who may need additional references), but one intended to inform purchasers and users.

IPsec is both a part of the "next generation" IPv6 standard and a security option (or add-on) for the current IPv4. It is governed by some two dozen Internet RFCs (Request For Comments documents). While other security measures work only with specific programs, or at the transport layer, IPsec functions at the IP (Internet Protocol) or network layer, in order to address the widest range of applications and problems. It can provide both confidentiality and authentication, and also deals with a number of denial of service (DoS) attacks that other security systems cannot.

Chapter one provides a general introduction and a brief, apposite background on the Internet and IP layer functions. The author has culled a minimal foundation from the usual barrage of design and history, and even the description of IP headers is clear and relevant to the matter at hand. The Authentication Header (AH), which assures the detection of corruption or modification en route, is discussed in chapter two. The material also introduces basic structures such as the security association (SA) database, and provides some detail on implementation issues and concerns.
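To illustrate the AH property the review mentions (detection of modification en route), here is an added example, not code from the book, that computes an AH-style integrity check value over a constructed IPv4 packet. The key, addresses and payload are made up; HMAC-SHA256 truncated to 128 bits is assumed as the integrity algorithm.

```python
import hashlib
import hmac
import struct

# Constructed demo key standing in for the SA's shared integrity key (assumption).
KEY = b"constructed-demo-key-not-real"

def ipv4_header(src, dst, ttl, tos=0, flags_frag=0x4000, checksum=0):
    # version/IHL, TOS, total length, identification, flags+fragment offset,
    # TTL, protocol (51 = AH), header checksum, source, destination (20 bytes)
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 64, 0x1234, flags_frag,
                       ttl, 51, checksum, src, dst)

def zero_mutable_fields(hdr):
    # AH covers the IP header but zeroes the fields routers may legitimately
    # change in transit: TOS, flags/fragment offset, TTL and header checksum.
    b = bytearray(hdr)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)

def compute_icv(key, ip_hdr, spi, seq, payload):
    # AH header: next header (6 = TCP), payload length in 32-bit words minus 2
    # (28-byte AH -> 5), reserved, SPI, sequence number, then the ICV field
    # itself zeroed for the computation.
    ah_hdr = struct.pack("!BBHII", 6, 5, 0, spi, seq) + b"\x00" * 16
    covered = zero_mutable_fields(ip_hdr) + ah_hdr + payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:16]

def verify_icv(key, ip_hdr, spi, seq, payload, icv):
    # Constant-time comparison so verification timing leaks nothing about the ICV.
    return hmac.compare_digest(compute_icv(key, ip_hdr, spi, seq, payload), icv)

def demo():
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses
    payload = b"GET / HTTP/1.0\r\n"                        # constructed upper-layer data
    icv = compute_icv(KEY, ipv4_header(src, dst, ttl=64), 0x100, 1, payload)
    # A router decremented TTL on the way: the packet still verifies.
    after_hop = verify_icv(KEY, ipv4_header(src, dst, ttl=63), 0x100, 1, payload, icv)
    # Payload altered en route: detected.
    tampered = verify_icv(KEY, ipv4_header(src, dst, ttl=63), 0x100, 1,
                          b"GET /x HTTP/1.0\r\n", icv)
    # Destination address rewritten: an immutable field, so also detected.
    redirected = verify_icv(KEY, ipv4_header(src, bytes([10, 0, 0, 9]), ttl=63),
                            0x100, 1, payload, icv)
    return after_hop, tampered, redirected
```

Run `demo()` to see `(True, False, False)`: only the legitimate TTL change survives verification.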
The Encapsulating Security Payload (ESP) is described in chapter three, although not quite as lucidly as the prior material. However, there is also an excellent section outlining design considerations for the protocol. Chapter four details the symmetric key algorithms used for AH and ESP operations, but does not go deeply into the asymmetric systems used by the Internet Key Exchange (IKE). IKE itself is discussed in general in chapter five, with respect to remote users in chapter six, and with additional options listed in chapter seven. The PF_KEY application programming interface for IPsec is described in chapter eight. Chapter nine deals with issues of policy and policy enforcement. An overview of PKI (Public Key Infrastructure) is given in chapter ten. Chapter eleven looks at the special problems of multicast. The book finishes off as many others start, with an analysis of whether IPsec can be the right solution to the problem.

The title of this tome is quite appropriate. It provides a clear outline and, if it isn't always articulate about the implications of portions of the system, it does a good enough job that the persistent reader will be able to work out the other aspects. Not a book for the masses, perhaps, but for those who need either to purchase IPsec, or to choose between IPsec and other technologies, a very useful guide.

copyright Robert M. Slade, 2001