IPsec/VPN security policy correctness and assurance

With IPsec/VPN policies being widely deployed, correctly specifying and configuring them is critical to enforcing security requirements, especially across different administrative domains on the Internet. Under current practice, IPsec/VPN policies are specified individually by system administrators from different organizations without any formal coordination. This practice invites unintentional errors arising from inconsistent IPsec/VPN policies. Furthermore, Internet routing dynamics may interfere with IPsec/VPN policies, so that unexpected conflicts occur due to a mismatch between the routing and IPsec/VPN layers. To deal with these problems, we formally define IPsec security requirements, policies, and their correctness criteria. Based on these definitions, we present an inter-domain architecture that automatically generates correct and efficient security policies. Our approach works when we are given a set of security requirements for a single end-to-end traffic flow, and it can also handle changes when new security requirements are added. Finally, we present simulation results that evaluate the performance of our solutions.
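To make the two failure classes named above concrete (policies that are inconsistent with each other, and policies that are inconsistent with the routed path), here is an added example checker. It is not the paper's formal model or code; it uses a deliberately simplified model of my own: a single end-to-end flow follows a known path of node names, each tunnel-mode policy is an (entry, exit) pair on that path, and a coverage requirement asks that every hop between two nodes be inside some tunnel. The consistency rule applied here is an assumption of this example: two tunnels must be disjoint or properly nested, because encapsulation is last-in-first-out and a partially overlapping pair cannot be decapsulated in order. Node names and the sample policies are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    """One tunnel-mode IPsec policy: encapsulate at `entry`, decapsulate at `exit`."""
    entry: str
    exit: str


def hop_span(path, a, b):
    """Indices of the hops between nodes a and b; hop i is the link path[i] -> path[i+1]."""
    ia, ib = path.index(a), path.index(b)
    if ia >= ib:
        raise ValueError(f"{a} must precede {b} on the path")
    return set(range(ia, ib))


def off_path_endpoints(path, tunnels):
    """Tunnel endpoints the routed path never visits: the routing/IPsec layer mismatch."""
    return sorted({n for t in tunnels for n in (t.entry, t.exit) if n not in path})


def uncovered_hops(path, tunnels, requirement):
    """Hops that requirement (from_node, to_node) needs protected but no tunnel covers."""
    needed = hop_span(path, *requirement)
    covered = set()
    for t in tunnels:
        covered |= hop_span(path, t.entry, t.exit)
    return sorted(needed - covered)


def overlapping_tunnels(path, tunnels):
    """Pairs of tunnels that partially overlap (neither disjoint nor nested).

    Assumed consistency rule for this model: encapsulation is LIFO, so the
    tunnel entered second must also be exited first (nesting) or the tunnels
    must not share any hop (disjoint). Anything else is flagged as a conflict.
    """
    spans = [(t, path.index(t.entry), path.index(t.exit)) for t in tunnels]
    conflicts = []
    for i in range(len(spans)):
        for j in range(i + 1, len(spans)):
            t1, a1, b1 = spans[i]
            t2, a2, b2 = spans[j]
            disjoint = b1 <= a2 or b2 <= a1
            nested = (a1 <= a2 and b2 <= b1) or (a2 <= a1 and b1 <= b2)
            if not (disjoint or nested):
                conflicts.append((t1, t2))
    return conflicts


def check_policies(path, tunnels, requirements):
    """Return a list of human-readable findings; an empty list means the policy set is correct in this model."""
    findings = []
    bad = off_path_endpoints(path, tunnels)
    if bad:
        findings.append(f"endpoints not on routed path: {bad}")
        return findings  # the remaining checks need every endpoint on the path
    for t1, t2 in overlapping_tunnels(path, tunnels):
        findings.append(
            f"partially overlapping tunnels {t1.entry}->{t1.exit} and {t2.entry}->{t2.exit}")
    for req in requirements:
        for i in uncovered_hops(path, tunnels, req):
            findings.append(
                f"requirement {req[0]}->{req[1]}: hop {path[i]}->{path[i + 1]} unprotected")
    return findings


# Constructed sample: host H1 behind gateway GW1, an Internet router R1, gateway GW2, host H2.
PATH = ["H1", "GW1", "R1", "GW2", "H2"]
# Constructed requirement: traffic must be protected everywhere between the two gateways.
REQUIREMENTS = [("GW1", "GW2")]

CORRECT = [Tunnel("GW1", "GW2")]                         # satisfies the requirement
NESTED_OK = [Tunnel("H1", "H2"), Tunnel("GW1", "GW2")]   # end-to-end tunnel nested in gateway tunnel
GAP = [Tunnel("GW1", "R1")]                              # leaves hop R1->GW2 unprotected
OVERLAP = [Tunnel("H1", "R1"), Tunnel("GW1", "GW2")]     # partially overlapping, cannot decapsulate in order
OFF_PATH = [Tunnel("GW1", "GW3")]                        # exit gateway is not on the routed path

if __name__ == "__main__":
    for name, tunnels in [("correct", CORRECT), ("nested", NESTED_OK),
                          ("gap", GAP), ("overlap", OVERLAP), ("off-path", OFF_PATH)]:
        print(name, check_policies(PATH, tunnels, REQUIREMENTS) or "OK")
```

The off-path case is the one a routing change produces: a policy that was correct when the flow traversed GW3 becomes unsatisfiable once the route moves, which is why the check is performed against the current path rather than against the policies in isolation.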