Security Architecture for the Internet Protocol
01 Aug 1995-Vol. 1825, pp 1-101
TL;DR: This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer, and obsoletes RFC 2401 (November 1998).
Abstract: This document describes an updated version of the "Security
Architecture for IP", which is designed to provide security services
for traffic at the IP layer. This document obsoletes RFC 2401
(November 1998). [STANDARDS-TRACK]
Citations
More filters
07 Jun 2004
TL;DR: A formal framework and hierarchical representation for security policies exposes the structure of the policies and leads to an efficient reconciliation algorithm and it is demonstrated that agent preferences for security mechanisms can be readily incorporated into the framework.
Abstract: A major hurdle in sharing resources between organizations is heterogeneity. Therefore, in order for two organizations to collaborate their policies have to be resolved. The process of resolving different policies is known as policy reconciliation, which in general is an intractable problem. This paper addresses policy reconciliation in the context of security. We present a formal framework and hierarchical representation for security policies. Our hierarchical representation exposes the structure of the policies and leads to an efficient reconciliation algorithm. We also demonstrate that agent preferences for security mechanisms can be readily incorporated into our framework. We have implemented our reconciliation algorithm in a library called the policy reconciliation engine or PRE. In order to test the implementation and measure the overhead of our reconciliation algorithm, we have integrated PRE into a distributed high-throughput system called Condor.
39 citations
Cites background from "Security Architecture for the Inter..."
...To this end, we show how our policy reconciliation framework can augment IPsec’s existing policy negotiation and support the Condor distributed computing system....
[...]
...The IPsec [19] suite of protocols provides source authentication, data integrity and data confidentiality at the IP layer....
[...]
...In practice, we have found the vast majority of IPsec configurations use group 2....
[...]
...Each IPsec node (host or security gateway) maintains a security and compression policy defined in terms of these transforms....
[...]
...Figure 1 shows a graphical provisioning policy for key management used in an IPsec VPN....
[...]
06 Aug 2012
TL;DR: In this article, an off-path (spoofing-only) attacker can perform cross-site scripting (XSS), crosssite request forgery (CSRF) and site spoofing/defacement attacks, without requiring vulnerabilities in either web-browser or server, and circumventing known defenses.
Abstract: We show how an off-path (spoofing-only) attacker can perform cross-site scripting (XSS), cross-site request forgery (CSRF) and site spoofing/defacement attacks, without requiring vulnerabilities in either web-browser or server, and circumventing known defenses. The attacks are practical and require a puppet (malicious script in browser sandbox) running on a victim client machine, and an attacker capable of IP-spoofing on the Internet.
Our attacks are based on a technique that allows an off-path attacker to efficiently learn the sequence numbers of both the client and server in a TCP connection. This technique exploits the fact that many computers, in particular those running (any recent version of) Windows, use a global IP-ID counter, which provides a side channel allowing efficient exposure of the connection sequence numbers.
We present results of experiments evaluating the learning technique and the attacks that exploit it. We also present practical defenses that can be deployed at the firewall level, either at the client or server end; no changes to existing TCP/IP stacks are required.
39 citations
01 Jan 2002
TL;DR: It is argued that there is significant benefit in providing multiple progressively stronger layers of security for hosts connecting to the Internet, and that this multi-layered approach allows early discard of packets associated with attacks, which reduces server vulnerability to computational denial of service attacks via heavyweight cryptography calculations.
Abstract: This paper argues that there is significant benefit in providing multiple progressively stronger layers of security for hosts connecting to the Internet. It claims that this multi-layered approach allows early discard of packets associated with attacks. This reduces server vulnerability to computational denial-of-service attacks via heavyweight cryptography calculations. To this end, it presents three techniques that allow TCP/IP services to be concealed from non-authorized users of said services, while still allowing access to the services for authorized users. These techniques can be entirely implemented at the edges of the network and require no changes to the interior of the network. They work alongside, and augment, existing protocols making deployment practical.
39 citations
01 Dec 2017
TL;DR: In this paper, the authors present the formal modeling and performance analysis of one of the Internet of Things (IoT) protocols, Message Queue Telemetry Transport (MQTT), and further statistical model checking of UPPAAL SMC toolset for the performance evaluation of the protocol.
Abstract: This paper presents the formal modeling and performance analysis of one of Internet of Things (IoT) protocols. The Internet of Things is among the subjects best financed in the industry and studied in the academic world. The rapid evolution of mobile Internet, the manufacture of mini hardware, microcomputer, and machine-to-machine (M2M) enabled IoT technologies to be at the top of media subjects. These technologies allow things or devices that are not computers to act intelligently and to make collaborative decisions that are beneficial for certain applications. Hence, the intelligent decision making, the self configuration and the ad hoc networking are from the main characteristics of IoT. Therefore, the implementation of protocols for IoT must comply the standards and satisfy the good properties. Using formal methods in the study of developed protocols ensure these conditions. In this paper, we use probabilistic timed automata for the formal modeling of Message Queue Telemetry Transport (MQTT) and we use further statistical model checking of UPPAAL SMC tool-set for the performance evaluation of the protocol.
39 citations
TL;DR: This work presents an architecture for an automatic intentbased provisioning of a secure service in a multilayer—IP, Ethernet, and optical—network while choosing the appropriate encryption layer using an open-source softwaredefined networking (SDN) orchestrator.
Abstract: Growing traffic demands and increasing security awareness are driving the need for secure services. Current solutions require manual configuration and deployment based on the customer’s requirements. In this work, we present an architecture for an automatic intentbased provisioning of a secure service in a multilayer—IP, Ethernet, and optical—network while choosing the appropriate encryption layer using an open-source softwaredefined networking (SDN) orchestrator. The approach is experimentally evaluated in a testbed with commercial equipment. Results indicate that the processing impact of secure channel creation on a controller is negligible. As the time for setting up services over WDM varies between technologies, it needs to be taken into account in the decision-making process.
39 citations
References
More filters
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
14,980 citations
01 Mar 1997
TL;DR: This document defines these words as they should be interpreted in IETF documents as well as providing guidelines for authors to incorporate this phrase near the beginning of their document.
Abstract: In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. Authors who follow these guidelines should incorporate this phrase near the beginning of their document:
3,501 citations
PARC1
TL;DR: Use of encryption to achieve authenticated communication in computer networks is discussed and example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee.
Abstract: Use of encryption to achieve authenticated communication in computer networks is discussed. Example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee. Both conventional and public-key encryption algorithms are considered as the basis for protocols.
2,671 citations
01 Dec 1995
TL;DR: In this paper, the authors specify version 6 of the Internet Protocol (IPv6), also referred to as IP Next Generation or IPng, and propose a new protocol called IPng.
Abstract: This document specifies version 6 of the Internet Protocol (IPv6), also sometimes referred to as IP Next Generation or IPng.
2,112 citations
[...]
01 Sep 1981
TL;DR: Along with TCP, IP represents the heart of the Internet protocols and has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through an internetwork; and providing fragmentation and reassembly of data links to support data links with different maximum transmission unit (MTU) sizes.
Abstract: IP is a network layer (Layer 3) protocol that contains addressing information and some control information that enables packets to be routed. IP is documented in RFC 791 and is the primary network layer protocol in the Internet protocol suite. Along with TCP, IP represents the heart of the Internet protocols. IP has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through an internetwork; and providing fragmentation and reassembly of datagrams to support data links with different maximum transmission unit (MTU) sizes.
1,967 citations