
IPsec-Network Address Translation (NAT) Compatibility Requirements

01 Mar 2004 - Vol. 3715, pp. 1-18
TL;DR: This document describes known incompatibilities between Network Address Translation (NAT) and IPsec, and describes the requirements for addressing them.
Abstract: This document describes known incompatibilities between Network Address Translation (NAT) and IPsec, and describes the requirements for addressing them. Perhaps the most common use of IPsec is in providing virtual private networking capabilities. One very popular use of Virtual Private Networks (VPNs) is to provide telecommuter access to the corporate Intranet. Today, NATs are widely deployed in home gateways, as well as in other locations likely to be used by telecommuters, such as hotels. The result is that IPsec-NAT incompatibilities have become a major barrier in the deployment of IPsec in one of its principal uses.
Citations
01 Dec 2005
TL;DR: This document describes version 2 of the Internet Key Exchange (IKE) protocol, which does not interoperate with version 1, but it has enough of the header format in common that both versions can unambiguously run over the same UDP port.
Abstract: This document describes version 2 of the Internet Key Exchange (IKE) protocol. IKE is a component of IPsec used for performing mutual authentication and establishing and maintaining security associations (SAs). This version of the IKE specification combines the contents of what were previously separate documents, including Internet Security Association and Key Management Protocol (ISAKMP, RFC 2408), IKE (RFC 2409), the Internet Domain of Interpretation (DOI, RFC 2407), Network Address Translation (NAT) Traversal, Legacy authentication, and remote address acquisition. Version 2 of IKE does not interoperate with version 1, but it has enough of the header format in common that both versions can unambiguously run over the same UDP port. [STANDARDS- TRACK]

775 citations

Journal Article
31 May 2005
TL;DR: An overview is given of IT security issues in industrial automation systems based on open communication systems, which have a number of security-relevant characteristics distinct from those of office IT systems.
Abstract: Modern industrial communication networks are increasingly based on open protocols and platforms that are also used in the office IT and Internet environment. This reuse facilitates development and deployment of highly connected systems, but also makes the communication system vulnerable to electronic attacks. This paper gives an overview of IT security issues in industrial automation systems which are based on open communication systems. First, security objectives, electronic attack methods, and the available countermeasures for general IT systems are described. General security objectives and best practices are listed. Particularly for the TCP/IP protocol suite, a wide range of cryptography-based secure communication protocols is available. The paper describes their principles and scope of application. Next, we focus on industrial communication systems, which have a number of security-relevant characteristics distinct from the office IT systems. Confidentiality of transmitted data may not be required; however, data and user authentication, as well as access control are crucial for the mission critical and safety critical operation of the automation system. As a result, modern industrial automation systems, if they include security measures at all, emphasize various forms of access control. The paper describes the status of relevant specifications and implementations for a number of standardized automation protocols. Finally, we illustrate the application of security concepts and tools by brief case studies describing security issues in the configuration and operation of substations, plants, or for remote access.

382 citations


Cites background from "IPsec-Network Address Translation (..."

  • ...Finding the key is harder, but not impossible, if the encryption key is not read from storage but is dynamically composed from (physical) characteristics of the system, such as a processor identification number....

    [...]

Patent
13 Sep 2012
TL;DR: A secure domain name service for a computer network is disclosed that includes a portal connected to the Internet, and a domain name database that stores secure computer network addresses for the computer network as discussed by the authors.
Abstract: A secure domain name service for a computer network is disclosed that includes a portal connected to a computer network, such as the Internet, and a domain name database connected to the computer network through the portal. The portal authenticates a query for a secure computer network address, and the domain name database stores secure computer network addresses for the computer network. Each secure computer network address is based on a non-standard top-level domain name, such as .scom, .sorg, .snet, .snet, .sedu, .smil and .sint.

294 citations

Patent
16 Aug 2007
TL;DR: In this article, a technique for establishing a secure communication link between a first computer and a second computer over a computer network has been described, where one or more data values that vary according to a pseudo-random sequence are inserted into each data packet.
Abstract: A technique is disclosed for establishing a secure communication link between a first computer and a second computer over a computer network. Initially, a secure communication mode of communication is enabled at a first computer without a user entering any cryptographic information for establishing the secure communication mode of communication. Then, a secure communication link is established between the first computer and a second computer over a computer network based on the enabled secure communication mode of communication. The secure communication link is a virtual private network communication link over the computer network in which one or more data values that vary according to a pseudo-random sequence are inserted into each data packet.

270 citations

01 Nov 2012
TL;DR: This document provides an architectural description and the concept of operations for the Identifier-Locator Network Protocol (ILNP), which is an experimental, evolutionary enhancement to IP.
Abstract: This document provides an architectural description and the concept of operations for the Identifier-Locator Network Protocol (ILNP), which is an experimental, evolutionary enhancement to IP. This is a product of the IRTF Routing Research Group. This document defines an Experimental Protocol for the Internet community.

94 citations