A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers

01 Feb 2004-Vol. 3706, pp 1-13
TL;DR: This document describes the method of detecting a dead Internet Key Exchange (IKE) peer that is presently in use by a number of vendors; the method uses IPSec traffic patterns to minimize the number of IKE messages that are needed to confirm liveness.
Abstract: This document describes the method of detecting a dead Internet Key Exchange (IKE) peer that is presently in use by a number of vendors. The method, called Dead Peer Detection (DPD), uses IPSec traffic patterns to minimize the number of IKE messages that are needed to confirm liveness. DPD, like other keepalive mechanisms, is needed to determine when to perform IKE peer failover, and to reclaim lost resources.

Citations
Patent
13 Sep 2012
TL;DR: A secure domain name service for a computer network is disclosed that includes a portal connected to the Internet, and a domain name database that stores secure computer network addresses for the computer network as discussed by the authors.
Abstract: A secure domain name service for a computer network is disclosed that includes a portal connected to a computer network, such as the Internet, and a domain name database connected to the computer network through the portal. The portal authenticates a query for a secure computer network address, and the domain name database stores secure computer network addresses for the computer network. Each secure computer network address is based on a non-standard top-level domain name, such as .scom, .sorg, .snet, .snet, .sedu, .smil and .sint.

294 citations

Patent
16 Aug 2007
TL;DR: In this article, a technique for establishing a secure communication link between a first computer and a second computer over a computer network has been described, where one or more data values that vary according to a pseudo-random sequence are inserted into each data packet.
Abstract: A technique is disclosed for establishing a secure communication link between a first computer and a second computer over a computer network. Initially, a secure communication mode of communication is enabled at a first computer without a user entering any cryptographic information for establishing the secure communication mode of communication. Then, a secure communication link is established between the first computer and a second computer over a computer network based on the enabled secure communication mode of communication. The secure communication link is a virtual private network communication link over the computer network in which one or more data values that vary according to a pseudo-random sequence are inserted into each data packet.

270 citations

Patent
25 Jul 2013
TL;DR: In this paper, a system for connecting a first network device and a second network device includes one or more servers, which are configured to: (a) receive, from the first device, a request to look up a network address of the second device based on an identifier associated with the second device; (b) determine, in response to the request, whether the second device is available for a secure communications service; and (c) initiate a virtual private network communication link between the first device and the second device based on a determination that the second device is available for the secure communications service.
Abstract: A system for connecting a first network device and a second network device includes one or more servers. The servers are configured to: (a) receive, from the first network device, a request to look up a network address of the second network device based on an identifier associated with the second network device; (b) determine, in response to the request, whether the second network device is available for a secure communications service; and (c) initiate a virtual private network communication link between the first network device and the second network device based on a determination that the second network device is available for the secure communications service, wherein the secure communications service uses the virtual private network communication link.

73 citations

Posted Content
TL;DR: In this paper, the authors present an analysis of the security and performance properties of the IPSec (IP Security) and SSL (Secure Socket Layer) protocols.
Abstract: IPSec (IP Security) and SSL (Secure Socket Layer) have been the most robust and most potential tools available for securing communications over the Internet. Both IPSec and SSL have advantages and shortcomings. Yet no paper has been found comparing the two protocols in terms of characteristic and functionality. Our objective is to present an analysis of security and performance properties for IPSec and SSL.

67 citations

Journal Article
TL;DR: This survey highlights key challenges that cloud-based service providers might encounter while providing multitenant environments and succinctly describes some key solutions for providing simultaneous tenant and network isolation, as well as highlights their respective advantages and disadvantages.
Abstract: The infrastructure-as-a-service model is one of the fastest growing opportunities for cloud-based service providers. It provides an environment that reduces operating and capital expenses while increasing agility and reliability of critical information systems. In this multitenancy environment, cloud-based service providers are challenged with providing a secure isolation service combining different vertical segments, such as financial or public services, while nevertheless meeting industry standards and legal compliance requirements within their data centers. In order to achieve this, new solutions are being designed and proposed to provide traffic isolation for a large number of tenants and their resulting traffic volumes. This survey highlights key challenges that cloud-based service providers might encounter while providing multitenant environments. It also succinctly describes some key solutions for providing simultaneous tenant and network isolation, as well as highlights their respective advantages and disadvantages. We begin with generic routing encapsulation introduced in 1994 in “RFC 1701,” and will conclude with today’s latest solutions. We detail 15 of the newest architectures and then compare their complexities, the overhead they induce, their VM migration abilities, their resilience, their scalability, and their multidata center capacities. This paper is intended for, but not limited to, cloud-based service providers who want to deploy the most appropriate isolation solution for their needs, taking into consideration their existing network infrastructure. This survey provides details and comparisons of various proposals while also highlighting possible guidelines for future research on issues pertaining to the design of new network isolation architectures.

53 citations


Cites background from "A Traffic-Based Method of Detecting..."

  • ...The ability to utilize IPSec Dead Peer Detection (RFC 3706) [82]...

References
01 Mar 1997
TL;DR: This document defines these words as they should be interpreted in IETF documents as well as providing guidelines for authors to incorporate this phrase near the beginning of their document.
Abstract: In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. Authors who follow these guidelines should incorporate this phrase near the beginning of their document:

3,501 citations

01 Aug 1995
TL;DR: This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer, and obsoletes RFC 2401 (November 1998).
Abstract: This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer. This document obsoletes RFC 2401 (November 1998). [STANDARDS-TRACK]

3,455 citations

01 Nov 1998
TL;DR: ISAKMP ([MSST98]) provides a framework for authentication and key exchange but does not define them.
Abstract: ISAKMP ([MSST98]) provides a framework for authentication and key exchange but does not define them. ISAKMP is designed to be key exchange independent; that is, it is designed to support many different key exchanges.

1,144 citations