IPSec/PHIL (packet header information list): design, implementation, and evaluation

2001 
For most TCP/UDP/IP applications, when a packet or a message arrives, the application can usually obtain only the payload portion of the original packet. For instance, if a packet has been delivered through some IPSec (IP security) tunnels along its route, the application, in general, does not know exactly which tunnels were used to deliver that particular packet. The IPSec/PHIL (packet header information list) interface has been designed and implemented so that an "authorized" application is able to know which set of IPSec tunnels has been used to deliver a particular incoming packet. Furthermore, IPSec/PHIL lets the application control which set of IPSec tunnels is used to send a particular outgoing packet. IPSec/PHIL is a key component in the Deciduous decentralized source tracing system, where it is used to correlate the IPSec information with intrusion detection results. Other IPSec/PHIL applications we have built include an SNMPv3 security module using IPSec as well as an IPSec tunnel switching router.