
Security Architecture for the Internet Protocol

01 Aug 1995-Vol. 1825, pp 1-101
TL;DR: This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer, and obsoletes RFC 2401 (November 1998).
Abstract: This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer. This document obsoletes RFC 2401 (November 1998). [STANDARDS-TRACK]


Citations
Journal ArticleDOI
TL;DR: The IPv6 protocol, which should replace the current IPv4 protocol, brings many new possibilities and improvements regarding simplicity, routing speed, quality of service and security, but security remains a very important issue since there are security threats and attack types that can affect IPv6 networks.

37 citations

Patent
13 Jan 2012

37 citations

Proceedings ArticleDOI
09 Apr 2003
TL;DR: This paper focuses on characterizing the overhead of IP security (IPSec) for email and Web applications using a set of test bed configurations and provides practical guidance for choosing the IPSec configuration needed in a network environment.
Abstract: This paper focuses on characterizing the overhead of IP security (IPSec) for email and Web applications using a set of test bed configurations. The different configurations are implemented using both wireline and wireless network links. The testing considers different combinations of authentication algorithms and authentication protocols. Authentication algorithms include Hashed Message Authentication Code-Message Digest 5 (HMAC-MD5) and Hashed Message Authentication Code-Secure Hash Algorithm 1 (HMAC-SHA1). Authentication protocols include Encapsulating Security Payload (ESP) and Authentication Header (AH) protocols. Triple Digital Encryption Standard (3DES) is used for encryption. Overhead is examined for scenarios using no encryption and no authentication, authentication and no encryption, and authentication and encryption. A variety of different file sizes are considered when measuring the overhead. The results present a thorough analysis of the overhead of different IPSec configurations and provide practical guidance for choosing the IPSec configuration needed in a network environment.

37 citations

Dissertation
01 Jan 2002
TL;DR: Migrate works with application-selected naming services to enable seamless, mobile "suspend/resume" operation of legacy applications and provide enhanced functionality for mobile-aware, session-based network applications, enabling adaptive operation of mobile clients and allowing Internet servers to support large numbers of intermittently connected sessions.
Abstract: The proliferation of mobile computing devices and wireless networking products over the past decade has led to an increasingly nomadic computing lifestyle. A computer is no longer an immobile, gargantuan machine that remains in one place for the lifetime of its operation. Today's personal computing devices are portable, and Internet access is becoming ubiquitous. A well-traveled laptop user might use half a dozen different networks throughout the course of a day: a cable modem from home, wide-area wireless on the commute, wired Ethernet at the office, a Bluetooth network in the car, and a wireless, local-area network at the airport or the neighborhood coffee shop. Mobile hosts are prone to frequent, unexpected disconnections that vary greatly in duration. Despite the prevalence of these multi-homed mobile devices, today's operating systems on both mobile hosts and fixed Internet servers lack fine-grained support for network applications on intermittently connected hosts. We argue that network communication is well-modeled by a session abstraction, and present Migrate, an architecture based on system support for a flexible session primitive. Migrate works with application-selected naming services to enable seamless, mobile "suspend/resume" operation of legacy applications and provide enhanced functionality for mobile-aware, session-based network applications, enabling adaptive operation of mobile clients and allowing Internet servers to support large numbers of intermittently connected sessions. We describe our UNIX-based implementation of Migrate and show that sessions are a flexible, robust, and efficient way to manage mobile end points, even for legacy applications. In addition, we demonstrate two popular Internet servers that have been extended to leverage our novel notion of session continuations to enable support for large numbers of suspended clients with only minimal resource impact.
Experimental results show that Migrate introduces only minor throughput degradation (less than 2% for moderate block sizes) when used over popular access link technologies, gracefully detects and suspends disconnected sessions, rapidly resumes from suspension, and integrates well with existing applications.
Thesis Supervisor: Hari Balakrishnan, Title: Associate Professor of Computer Science and Engineering
Thesis Supervisor: M. Frans Kaashoek, Title: Professor of Computer Science and Engineering

36 citations


Cites methods from "Security Architecture for the Inter..."

  • ...Use of the insecure version, which contains only a Curve Name field (which must be set to zero) allows the end points using network-layer security mechanisms such as IPsec [55] to avoid additional cryptographic overhead....

    [...]

  • ...For example, IP addresses are often used to specify security and access policies as in IPsec Security Associations [55] and ingress filters used to alleviate DoS attacks [34]....

    [...]

  • ...There are several issues raised when the Migrate options are used in conjunction with IPsec [55]....

    [...]

Patent
24 May 2001
TL;DR: In this article, a method for processing location information relating to a certain mobile station in a cellular network is presented, which involves a first network element, which is connected to the cellular network, and second and third network elements, which are connected to a packet data network.
Abstract: A method (400) for processing location information relating to a certain mobile station in a cellular network is presented. The method involves a first network element, which is connected to the cellular network, and second and third network elements, which are connected to a packet data network. The first network element receives (401) a location information request (201) relating to the mobile station from a second network element. A security document relating to the second network element is requested (404) from a third network element; establishment (406) of one security association pointing from the second network element to the first network element and involving information in the security document is initiated; after successful establishment of said security association, the data origin of the location service request is authenticated (408); and after successful authentication, a location procedure relating to the mobile station in the cellular network is initiated (410). Also a network element (900), a packet data device (950) and a mobile station (901) are presented.

36 citations

References
Journal ArticleDOI
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,980 citations

01 Mar 1997
TL;DR: This document defines these words as they should be interpreted in IETF documents as well as providing guidelines for authors to incorporate this phrase near the beginning of their document.
Abstract: In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. Authors who follow these guidelines should incorporate this phrase near the beginning of their document:

3,501 citations

Journal ArticleDOI
TL;DR: Use of encryption to achieve authenticated communication in computer networks is discussed and example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee.
Abstract: Use of encryption to achieve authenticated communication in computer networks is discussed. Example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee. Both conventional and public-key encryption algorithms are considered as the basis for protocols.

2,671 citations

01 Dec 1995
TL;DR: In this paper, the authors specify version 6 of the Internet Protocol (IPv6), also referred to as IP Next Generation or IPng, and propose a new protocol called IPng.
Abstract: This document specifies version 6 of the Internet Protocol (IPv6), also sometimes referred to as IP Next Generation or IPng.

2,112 citations

01 Sep 1981
TL;DR: Along with TCP, IP represents the heart of the Internet protocols and has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through an internetwork; and providing fragmentation and reassembly of datagrams to support data links with different maximum transmission unit (MTU) sizes.
Abstract: IP is a network layer (Layer 3) protocol that contains addressing information and some control information that enables packets to be routed. IP is documented in RFC 791 and is the primary network layer protocol in the Internet protocol suite. Along with TCP, IP represents the heart of the Internet protocols. IP has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through an internetwork; and providing fragmentation and reassembly of datagrams to support data links with different maximum transmission unit (MTU) sizes.

1,967 citations