Security Architecture for the Internet Protocol

01 Aug 1995 - Vol. 1825, pp 1-101
TL;DR: This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer, and obsoletes RFC 2401 (November 1998).
Abstract: This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer. This document obsoletes RFC 2401 (November 1998). [STANDARDS-TRACK]

Citations
Proceedings ArticleDOI
19 Sep 2003
TL;DR: This proposal does not require any modifications to the access networks and can seamlessly co-exist with the existing Mobile IP mechanisms and therefore, can be used to provide seamless mobility across heterogeneous wireline and wireless networks.
Abstract: We propose a new network layer mobility architecture called MobileNAT to efficiently support micro- and macro-mobility in and across heterogeneous address spaces common in emerging public networks. The key ideas in this architecture are as follows: (1) Use of two IP addresses -- an invariant virtual IP address for host identification at the application layer and an actual routable address at the network layer that changes due to mobility. Since the physical address has routing significance only within a domain, it can be a private address and therefore does not deplete the public IP address resource. (2) New DHCP enhancements to distribute the two addresses. (3) A new signaling element called Mobility Manager (MM) that uses the Middlebox Communication (MIDCOM) framework to signal changes in packet processing rules to the Network Address Translators (NATs) in the event of node mobility. Our proposal does not require any modifications to the access networks and can seamlessly co-exist with the existing Mobile IP mechanisms and therefore can be used to provide seamless mobility across heterogeneous wireline and wireless networks. We report implementation details of a subset of our ideas in a testbed with Windows XP clients and Linux-based NATs.

43 citations


Cites methods from "Security Architecture for the Inter..."

  • ...The MM talks to ANs using the Middlebox communication protocol framework [20, 22] over secure communication channels such as IPSec [11]....

    [...]

Patent
20 May 2003
TL;DR: In this paper, a privacy label is provided by the mobile node to the correspondent node in a way that allows the privacy label to be bound to the home address, but does not allow the home addresses to be visible during the exchange.
Abstract: The present invention provides location privacy against third parties while allowing route-optimized communication between the correspondent node and the mobile node. The mobile node's home address is hidden from an external observer, thereby thwarting traffic analysis based attacks where a Home Address is correlated with a Care-of Address of a mobile node (MN). A "privacy label" is used in place of a home address associated with the mobile node. The privacy label is supplied by the mobile node to the correspondent node in a way that allows the privacy label to be bound to the home address, but does not allow the home address to be visible during the exchange. The privacy label may also be used to help prevent replay attacks.

43 citations

Journal ArticleDOI
TL;DR: This contribution appears to be the first thorough comparison of two public-key families, namely elliptic curve (ECC) and hyperelliptic curve cryptosystems on a wide range of embedded processor types (ARM, ColdFire, PowerPC).
Abstract: It is widely recognized that data security will play a central role in future IT systems. Providing public-key cryptographic primitives, which are the core tools for security, is often difficult on embedded processors due to computational, memory, and power constraints. This contribution appears to be the first thorough comparison of two public-key families, namely elliptic curve (ECC) and hyperelliptic curve cryptosystems, on a wide range of embedded processor types (ARM, ColdFire, PowerPC). We investigated the influence of the processor type, resources, and architecture on throughput. Further, we improved previously known HECC algorithms, resulting in more efficient arithmetic.

43 citations

Proceedings ArticleDOI
01 Jan 2003
TL;DR: The OpenBSD Cryptographic Framework (OCF), a service virtualization layer implemented inside the kernel, is presented, that provides uniform access to accelerator functionality by hiding card-specific details behind a carefully-designed API.
Abstract: Cryptographic transformations are a fundamental building block in many security applications and protocols. To improve performance, several vendors market hardware accelerator cards. However, until now no operating system provided a mechanism that allowed both uniform and efficient use of this new type of resource. We present the OpenBSD Cryptographic Framework (OCF), a service virtualization layer implemented inside the kernel, that provides uniform access to accelerator functionality by hiding card-specific details behind a carefully-designed API. We evaluate the impact of the OCF in a variety of benchmarks, measuring overall system performance, application throughput and latency, and aggregate throughput when multiple applications make use of it. We conclude that the OCF is extremely efficient in utilizing cryptographic accelerator functionality, attaining 95% of the theoretical peak device performance, and over 800 Mbit/sec aggregate throughput using 3DES. We believe that this validates our decision to opt for ease of use by applications and kernel components through a uniform API, and for seamless support for new accelerators. Furthermore, our evaluation points to several bottlenecks in system and operating system design: data copying between user and kernel modes, PCI bus signaling inefficiency, protocols that use small data units, and single-threaded applications. We offer several suggestions for improvements and directions for future work.

43 citations

Proceedings ArticleDOI
20 Jul 2009
TL;DR: It is shown that it is possible to attack and gain control over PROFINET IO nodes and also that this can be done without any of the communicating peers detecting the attack.
Abstract: In this paper we show that it is possible to attack and gain control over PROFINET IO nodes and also that this can be done without any of the communicating peers detecting the attack. Analysis of attacks in both shared and packet-switched networks shows that the attacker can control the process data and thus the state of the machines connected to the I/O modules. As the security risks in automation increase with the level of vertical and horizontal integration, the concept of security modules is proposed as a method to retrofit security in PROFINET IO. The concept of security modules can be applied without changing anything in the underlying transmission system and is extendable if and when new security threats are identified.

43 citations

References
Journal ArticleDOI
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,980 citations

01 Mar 1997
TL;DR: This document defines these words as they should be interpreted in IETF documents and provides guidelines for authors to incorporate a standard phrase near the beginning of their document.
Abstract: In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. Authors who follow these guidelines should incorporate this phrase near the beginning of their document:

3,501 citations

Journal ArticleDOI
TL;DR: Use of encryption to achieve authenticated communication in computer networks is discussed and example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee.
Abstract: Use of encryption to achieve authenticated communication in computer networks is discussed. Example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee. Both conventional and public-key encryption algorithms are considered as the basis for protocols.

2,671 citations

01 Dec 1995
TL;DR: In this paper, the authors specify version 6 of the Internet Protocol (IPv6), also referred to as IP Next Generation or IPng.
Abstract: This document specifies version 6 of the Internet Protocol (IPv6), also sometimes referred to as IP Next Generation or IPng.

2,112 citations

01 Sep 1981
TL;DR: Along with TCP, IP represents the heart of the Internet protocols and has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through an internetwork; and providing fragmentation and reassembly of datagrams to support data links with different maximum transmission unit (MTU) sizes.
Abstract: IP is a network layer (Layer 3) protocol that contains addressing information and some control information that enables packets to be routed. IP is documented in RFC 791 and is the primary network layer protocol in the Internet protocol suite. Along with TCP, IP represents the heart of the Internet protocols. IP has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through an internetwork; and providing fragmentation and reassembly of datagrams to support data links with different maximum transmission unit (MTU) sizes.

1,967 citations