
Security Architecture for the Internet Protocol

01 Aug 1995-Vol. 1825, pp 1-101
TL;DR: This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer, and obsoletes RFC 2401 (November 1998).
Abstract: This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer. This document obsoletes RFC 2401 (November 1998). [STANDARDS-TRACK]


Citations
Journal ArticleDOI
TL;DR: It is identified that application layer DDoS attacks possess the ability to produce greater impact on the victim as they are driven by legitimate-like traffic, making it quite difficult to identify and distinguish from legitimate requests.
Abstract: Distributed Denial of Service (DDoS) attacks exhaust victim’s bandwidth or services. Traditional architecture of Internet is vulnerable to DDoS attacks and an ongoing cycle of attack & defense is observed. A recent attack report of year 2013 — ‘Quarter 1’ from Prolexic Technologies identifies that 1.75 percent increase in total number of DDoS attacks has been recorded as compared to similar attacks of previous year’s last quarter. In this paper, different types and techniques of DDoS attacks and their countermeasures are surveyed. The significance of this paper is the coverage of many aspects of countering DDoS attacks including new research on the topic. We survey different papers describing methods of defense against DDoS attacks based on entropy variations, traffic anomaly parameters, neural networks, device level defense, botnet flux identifications, application layer DDoS defense and countermeasures in wireless networks, CCN & cloud computing environments. We also discuss some traditional methods of defense such as traceback and packet filtering techniques, so that readers can identify major differences between traditional and current techniques of defense against DDoS attacks. We identify that application layer DDoS attacks possess the ability to produce greater impact on the victim as they are driven by legitimate-like traffic, making it quite difficult to identify and distinguish from legitimate requests. The need of improved defense against such attacks is therefore more demanding in research. The study conducted in this paper can be helpful for readers and researchers to recognize better techniques of defense in current times against DDoS attacks and contribute with more research on this topic in the light of future challenges identified in this paper.

33 citations

Patent
05 Sep 2001
TL;DR: In this paper, a server including a dual channel communications module operable to establish a communication session between the server and a client is provided, where the server may also include a translation module for retrieving the client external IP address from the header.
Abstract: A server including a dual channel communications module operable to establish a communication session between the server and a client is provided. The server may be operable to receive a dual channel communication packet from the client. In a particular embodiment, the dual channel communication packet may include a header in a data payload. The header includes a client external IP address, and the data payload includes an encoded port command having a client internal IP address and a client data port number. A codec operable to decode the port command may also be provided. The server may also include a translation module for retrieving the client external IP address from the header. In a particular embodiment, the server is operable to establish data channel coordinates including the client external IP address, the client data port number, a server internal IP address and a server data port number.

33 citations

Patent
17 Jun 2014
TL;DR: In this paper, a method implemented for a link aggregation group is disclosed, which starts with determining that the local network element is active by checking that an aggregate state of the links coupled to the local node is active and then the method continues with detecting an anomaly of the active links and sending a notification to the peer node about the anomaly.
Abstract: A method implemented for a link aggregation group is disclosed. The link aggregation group contains a local interface and a remote interface. The local interface is a logical interface formed by a plurality of network elements including a local network element and a peer network element. The local network element communicates with the peer network element through an inter-peer link. The method starts with determining that the local network element is active by checking that an aggregate state of the links coupled to the local network element is active. The method continues with detecting an anomaly of the active links and sending a notification to the peer network element about the anomaly. Then the method continues with receiving an activation confirmation that the peer network element is ready for switching and switching traffic from the active links to the inter-peer link in response to receiving the activation confirmation.

33 citations

Proceedings ArticleDOI
30 Nov 2017
TL;DR: Accel-Brake Control is a protocol that integrates a simple and deployable signaling scheme at cellular base stations with an endpoint mechanism to respond to these signals and outperforms prior approaches significantly.
Abstract: We propose Accel-Brake Control (ABC), a protocol that integrates a simple and deployable signaling scheme at cellular base stations with an endpoint mechanism to respond to these signals. The key idea is for the base station to enable each sender to achieve a computed target rate by marking each packet with an "accelerate" or "brake" notification, which causes the sender to either slightly increase or slightly reduce its congestion window. ABC is designed to rapidly acquire any capacity that opens up, a common occurrence in cellular networks, while responding promptly to congestion. It is also incrementally deployable using existing ECN infrastructure and can co-exist with legacy ECN routers. Preliminary results obtained over cellular network traces show that ABC outperforms prior approaches significantly.

33 citations

Journal ArticleDOI
TL;DR: The patterns and principles manifested in this system can potentially serve as guidelines for current and future practitioners in this field.
Abstract: Architecting software for a cloud computing platform built from mobile embedded devices incurs many challenges that aren't present in traditional cloud computing. Both effectively managing constrained resources and isolating applications without adverse performance effects are needed. A practical design- and runtime solution incorporates modern software development practices and technologies along with novel approaches to address these challenges. The patterns and principles manifested in this system can potentially serve as guidelines for current and future practitioners in this field.

33 citations

References
Journal ArticleDOI
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,980 citations

01 Mar 1997
TL;DR: This document defines these words as they should be interpreted in IETF documents as well as providing guidelines for authors to incorporate this phrase near the beginning of their document.
Abstract: In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. Authors who follow these guidelines should incorporate this phrase near the beginning of their document:

3,501 citations

Journal ArticleDOI
TL;DR: Use of encryption to achieve authenticated communication in computer networks is discussed and example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee.
Abstract: Use of encryption to achieve authenticated communication in computer networks is discussed. Example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee. Both conventional and public-key encryption algorithms are considered as the basis for protocols.

2,671 citations

01 Dec 1995
TL;DR: In this paper, the authors specify version 6 of the Internet Protocol (IPv6), also referred to as IP Next Generation or IPng, and propose a new protocol called IPng.
Abstract: This document specifies version 6 of the Internet Protocol (IPv6), also sometimes referred to as IP Next Generation or IPng.

2,112 citations

01 Sep 1981
TL;DR: Along with TCP, IP represents the heart of the Internet protocols and has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through an internetwork; and providing fragmentation and reassembly of datagrams to support data links with different maximum transmission unit (MTU) sizes.
Abstract: IP is a network layer (Layer 3) protocol that contains addressing information and some control information that enables packets to be routed. IP is documented in RFC 791 and is the primary network layer protocol in the Internet protocol suite. Along with TCP, IP represents the heart of the Internet protocols. IP has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through an internetwork; and providing fragmentation and reassembly of datagrams to support data links with different maximum transmission unit (MTU) sizes.

1,967 citations