This document describes an updated version of the "Security
Architecture for IP", which is designed to provide security services
for traffic at the IP layer. This document obsoletes RFC 2401
(November 1998). [STANDARDS-TRACK]

/pdf/security-architecture-for-the-internet-protocol-1x2l107p1d.pdf

Security Architecture for the Internet Protocol

In this paper we present the design, rationale, and implementation of a security architecture for protecting the secrecy and integrity of Internet traffic at the Internet Protocol (IP) layer. The design includes three components: (1) a security policy for determining when, where, and how security measures are to be applied; (2) a modular key management protocol, called MKMP, for establishing shared secrets between communicating parties and meta-information prescribed by the security policy; and (3) the IP Security Protocol, as it is being standardized by the Internet Engineering Task Force, for applying security measures using information provided through the key management protocol. Effectively, these three components together allow for the establishment of a secure channel between any two communicating systems over the Internet. This technology is a component of IBM's firewall product and is now being ported to other IBM computer platforms.

/pdf/a-security-architecture-for-the-internet-protocol-3zr7jwv5n3.pdf

A security architecture for the Internet protocol

This document specifies a protocol which allows nodes to remain
reachable while moving around in the IPv6 Internet. Each mobile node
is always identified by its home address, regardless of its current
point of attachment to the Internet. While situated away from its
home, a mobile node is also associated with a care-of address, which
provides information about the mobile node's current location. IPv6
packets addressed to a mobile node's home address are transparently
routed to its care-of address. The protocol enables IPv6 nodes to
cache the binding of a mobile node's home address with its care-of
address, and to then send any packets destined for the mobile node
directly to it at this care-of address. To support this operation,
Mobile IPv6 defines a new IPv6 protocol and a new destination option.
All IPv6 nodes, whether mobile or stationary can communicate with
mobile nodes.

/pdf/mobility-support-in-ipv6-3nt79cwsa7.pdf

Mobility support in IPv6

We consider the problem of incorporating security mechanisms into routing protocols for ad hoc networks. Canned security solutions like IPSec are not applicable. We look at AODV[21] in detail and develop a security mechanism to protect its routing information. We also briefly discuss whether our techniques would also be applicable to other similar routing protocols and about how a key management scheme could be used in conjunction with the solution that we provide.

/pdf/securing-ad-hoc-routing-protocols-d944huvp9s.pdf

Securing ad hoc routing protocols

A plurality of computer nodes communicate using seemingly random Internet Protocol source and destination addresses. Data packets matching criteria defined by a moving window of valid addresses are accepted for further processing, while those that do not meet the criteria are quickly rejected. Improvements to the basic design include (1) a load balancer that distributes packets across different transmission paths according to transmission path quality; (2) a DNS proxy server that transparently creates a virtual private network in response to a domain name inquiry; (3) a large-to-small link bandwidth management feature that prevents denial-of-service attacks at system chokepoints; (4) a traffic limiter that regulates incoming packets by limiting the rate at which a transmitter can be synchronized with a receiver; and (5) a signaling synchronizer that allows a large number of nodes to communicate with a central node by partitioning the communication function between two separate entities.

Agile network protocol for secure communications with assured system availability

This memo describes the use of the HMAC algorithm [RFC-2104] in conjunction with the SHA-1 algorithm [FIPS-180-1] as an authentication mechanism within the revised IPSEC Encapsulating Security Payload [ESP] and the revised IPSEC Authentication Header [AH]. HMAC with SHA-1 provides data origin authentication and integrity protection.

The Use of HMAC-SHA-1-96 within ESP and AH

This memo describes the use of the HMAC algorithm [RFC-2104] in conjunction with the MD5 algorithm [RFC-1321] as an authentication mechanism within the revised IPSEC Encapsulating Security Payload [ESP] and the revised IPSEC Authentication Header [AH]. HMAC with MD5 provides data origin authentication and integrity protection.

The Use of HMAC-MD5-96 within ESP and AH

This document describes the use of the Advanced Encryption Standard (AES) Cipher Algorithm in Cipher Block Chaining (CBC) Mode, with an explicit Initialization Vector (IV), as a confidentiality mechanism within the context of the IPsec Encapsulating Security Payload (ESP).

https://www.rfc-editor.org/rfc/pdfrfc/rfc3602.txt.pdf

The AES-CBC Cipher Algorithm and Its Use with IPsec

The IPsec protocol suite is used to provide privacy and authentication services at the IP layer. Several documents are used to describe this protocol suite. The interrelationship and organization of the various documents covering the IPsec protocol are discussed here. An explanation of what to find in which document, and what to include in new Encryption Algorithm and Authentication Algorithm documents are described.

IP Security Document Roadmap

This memo defines the NULL encryption algorithm and its use with the IPsec Encapsulating Security Payload (ESP). NULL does nothing to alter plaintext data. In fact, NULL, by itself, does nothing. NULL provides the means for ESP to provide authentication and integrity without confidentiality.

R. Glenn

Papers

The Use of HMAC-SHA-1-96 within ESP and AH

The Use of HMAC-MD5-96 within ESP and AH

The AES-CBC Cipher Algorithm and Its Use with IPsec

IP Security Document Roadmap

The NULL Encryption Algorithm and Its Use With IPsec