Security Architecture for the Internet Protocol
01 Aug 1995-Vol. 1825, pp 1-101
TL;DR: This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer, and obsoletes RFC 2401 (November 1998).
Abstract: This document describes an updated version of the "Security
Architecture for IP", which is designed to provide security services
for traffic at the IP layer. This document obsoletes RFC 2401
(November 1998). [STANDARDS-TRACK]
Citations
More filters
TL;DR: This tutorial delves into protocols and devices at different layers, from the physical cyberinfrastructure to application-layer tools and security appliances, that must be carefully considered for the optimal operation of Science DMZs.
Abstract: Science and engineering applications are now generating data at an unprecedented rate. From large facilities such as the Large Hadron Collider to portable DNA sequencing devices, these instruments can produce hundreds of terabytes in short periods of time. Researchers and other professionals rely on networks to transfer data between sensing locations, instruments, data storage devices, and computing systems. While general-purpose networks, also referred to as enterprise networks, are capable of transporting basic data, such as e-mails and Web content, they face numerous challenges when transferring terabyte- and petabyte-scale data. At best, transfers of science data on these networks may last days or even weeks. In response to this challenge, the Science Demilitarized Zone (Science DMZ) has been proposed. The Science DMZ is a network or a portion of a network designed to facilitate the transfer of big science data. The main elements of the Science DMZ include: 1) specialized end devices, referred to as data transfer nodes (DTNs), built for sending/receiving data at a high speed over wide area networks; 2) high-throughput, friction-free paths connecting DTNs, instruments, storage devices, and computing systems; 3) performance measurement devices to monitor end-to-end paths over multiple domains; and 4) security policies and enforcement mechanisms tailored for high-performance environments. Despite the increasingly important role of Science DMZs, the literature is still missing a guideline to provide researchers and other professionals with the knowledge to broaden the understanding and development of Science DMZs. This paper addresses this gap by presenting a comprehensive tutorial on Science DMZs. The tutorial reviews fundamental network concepts that have a large impact on Science DMZs, such as router architecture, TCP attributes, and operational security. Then, the tutorial delves into protocols and devices at different layers, from the physical cyberinfrastructure to application-layer tools and security appliances, that must be carefully considered for the optimal operation of Science DMZs. This paper also contrasts Science DMZs with general-purpose networks, and presents empirical results and use cases applicable to current and future Science DMZs.
25 citations
13 Sep 2010
TL;DR: The analysis shows that PPDNS is a viable approach for obtaining a reasonably high level of privacy for name resolution queries, and serves as a demonstration of blending advanced systems techniques with their cryptographic counterparts.
Abstract: Privacy leaks are an unfortunate and an integral part of the current Internet domain name resolution. Each DNS query generated by a user reveals -- to one or more DNS servers -- the origin and the target of that query. Over time, users' communication (e.g., browsing) patterns might become exposed to entities with little or no trust. Current DNS privacy leaks stem from fundamental features of DNS and are not easily fixable by simple patches. Moreover, privacy issues have been overlooked by DNS security efforts (such as DNSSEC) and are thus likely to propagate into future versions of DNS. In order to mitigate privacy issues in DNS, this paper proposes a Privacy-Preserving DNS (PPDNS), that offers privacy during domain name resolution. PPDNS is based on distributed hash tables (DHTs), an alternative naming infrastructure, and computational private information retrieval (cPIR), an advanced cryptographic construct. PPDNS takes advantage of the DHT index structure to provide name resolution query privacy, while leveraging cPIR to reduce communication overhead for bandwidth-sensitive clients. Our analysis shows that PPDNS is a viable approach for obtaining a reasonably high level of privacy for name resolution queries. PPDNS also serves as a demonstration of blending advanced systems techniques with their cryptographic counterparts.
25 citations
20 Jun 2007
TL;DR: This paper introduces Clustered Anti-Replay Protection or CARP, which leverages sensor network clustering to place a limit on the amount of memory required to store anti-replay information, and shows the energy-consumption overhead of adding anti- replay counters to network traffic across several WSN medium access control protocols and two representative WSN platforms.
Abstract: Large-scale wireless sensor network (WSN) deployments show great promise for military, homeland security, and many other applications. This promise, however, is offset by important security concerns. The resource constraints that typify wireless sensor devices make traditional security solutions impractical. One threat to secure sensor networks is the replay attack, in which packets are captured and replayed into the network. This type of attack can be perpetrated to confuse observers or to mount a denial-of-service or denial-of-sleep attack. Traditional techniques for anti-replay protection are too resource intensive for large-scale WSN deployments. While techniques for reducing data transmission overhead of WSN-speciflc anti-replay mechanisms have been explored, the important problem of minimizing per-node reply table storage requirements has not been addressed. This paper introduces Clustered Anti-Replay Protection or CARP, which leverages sensor network clustering to place a limit on the amount of memory required to store anti-replay information. We show that clustering keeps the memory required for anti-replay tables manageable, reducing the size from 30% of a Mica2's memory to 4.4% for a 200-node network. While the advantages of this technique are clear, the difficulty lies in securely updating network-wide anti-replay tables when the network reclusters, an event that must happen routinely to distribute energy consumption across the nodes in the network. Our mechanism distributes necessary anti-replay information in a secure, low-overhead, and completely distributed manner. We further show the energy-consumption overhead of adding anti-replay counters to network traffic across several WSN medium access control (MAC) protocols and two representative WSN platforms. On the Mica2 platform, overheads range from a 0% to 1.32% decrease in network lifetime, depending on the MAC protocol. On the Tmote Sky, overheads range from 0% to 4.64%. Providing anti-replay support in a secure, scalable, and distributed way is necessary to the overall security of future WSN deployments if they are to meet current expectations.
25 citations
TL;DR: The envisioned role of Internet technology makes it worthwhile to undertake significant research efforts on the development of innovative IP-based mobile data systems, and opens promising opportunities for both telcos and Internet service providers.
Abstract: Mobile telephony and the Internet are the fastest growing businesses in the telecommunications market. This is why most operators and service providers are looking after the development of new services in both sectors, and newcomers are expected to enter the arena. The mobile operators foresee an increasing share of their revenues coming from new data services, while Internet service providers are attracted to wireless technology and mobility services both to reduce costs within the last-mile segment and to enrich their market share, providing ubiquitous access to the Internet and corporate intranets. In this scenario several wireless overlay networks will coexist, and their interworking will be a challenging objective. The employment of Internet technology, with its novel mobility and security extensions, seems to be the most attractive option for achieving that goal. In addition, the migration to a full IP network architecture, even within each specific wireless domain, will be another promising opportunity, already under consideration within several technical and standardization bodies. The envisioned role of Internet technology makes it worthwhile to undertake significant research efforts on the development of innovative IP-based mobile data systems, and opens promising opportunities for both telcos and Internet service providers.
25 citations
Cites background from "Security Architecture for the Inter..."
...Today's ISPs cope with these new user needs by offering a set of dial-up services including remote Internet access as well as secure access to corporate intranets established by means of tunneling protocols like PPP [5], L2TP [6] and IPSec [7]....
[...]
01 Jan 2002
TL;DR: This document describe the usage of the Bluetooth security as well as additional security mechanisms for selected Bluetooth wireless profiles for selectedetooth wireless profiles.
Abstract: This document describe the usage of the Bluetooth security as well as additional security mechanisms for selected Bluetooth wireless profiles
25 citations
References
More filters
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
14,980 citations
01 Mar 1997
TL;DR: This document defines these words as they should be interpreted in IETF documents as well as providing guidelines for authors to incorporate this phrase near the beginning of their document.
Abstract: In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. Authors who follow these guidelines should incorporate this phrase near the beginning of their document:
3,501 citations
PARC1
TL;DR: Use of encryption to achieve authenticated communication in computer networks is discussed and example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee.
Abstract: Use of encryption to achieve authenticated communication in computer networks is discussed. Example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee. Both conventional and public-key encryption algorithms are considered as the basis for protocols.
2,671 citations
01 Dec 1995
TL;DR: In this paper, the authors specify version 6 of the Internet Protocol (IPv6), also referred to as IP Next Generation or IPng, and propose a new protocol called IPng.
Abstract: This document specifies version 6 of the Internet Protocol (IPv6), also sometimes referred to as IP Next Generation or IPng.
2,112 citations
[...]
01 Sep 1981
TL;DR: Along with TCP, IP represents the heart of the Internet protocols and has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through an internetwork; and providing fragmentation and reassembly of data links to support data links with different maximum transmission unit (MTU) sizes.
Abstract: IP is a network layer (Layer 3) protocol that contains addressing information and some control information that enables packets to be routed. IP is documented in RFC 791 and is the primary network layer protocol in the Internet protocol suite. Along with TCP, IP represents the heart of the Internet protocols. IP has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through an internetwork; and providing fragmentation and reassembly of datagrams to support data links with different maximum transmission unit (MTU) sizes.
1,967 citations