
Security Architecture for the Internet Protocol

01 Aug 1995-Vol. 1825, pp 1-101
TL;DR: This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer, and obsoletes RFC 2401 (November 1998).
Abstract: This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer. This document obsoletes RFC 2401 (November 1998). [STANDARDS-TRACK]


Citations
Journal ArticleDOI
TL;DR: This paper shows how Lucent Technologies uses IETF mobile IP, IP security, and multiple tunneling protocol standards to offer a comprehensive transport layer solution across 3G and WLAN air interface technologies.
Abstract: Mobile virtual private networks (MVPNs) can provide remote users with easy, secure high-speed access to their enterprise network resources. There is a tremendous market opportunity for operators who can meet the needs of these users. Third-generation (3G) systems, such as code division multiple access (CDMA) (3G-1X and 1xEV-DO) or universal mobile telecommunications system (UMTS), and IEEE 802.11b wireless local area network (WLAN) systems have complementary strengths. For end users, integrating these systems provides ubiquitous high-speed data coverage, continuous selection of the highest possible data rates, and seamlessly maintained user VPN sessions when moving between air interface technologies. For operators, they enable integrated billing and offload 3G network capacity for higher revenue voice subscribers. This paper shows how Lucent Technologies uses IETF mobile IP (MIP), IP security (IPSec), and multiple tunneling protocol standards to offer a comprehensive transport layer solution across 3G and WLAN air interface technologies. Shared requirements for accounting, authentication, security, and confidentiality in 3G and WLAN core data networks are also addressed.

23 citations


Cites background from "Security Architecture for the Inter..."

  • ...Security is supported by IP security standards [21]....

    [...]

Proceedings ArticleDOI
01 Jan 2012
TL;DR: The relationship between all entities and potential attacks is systematically discussed to illustrate the importance of considering security issues in the design and implementation of virtualized networks.
Abstract: Network virtualization is a key technology that is necessary to support diverse protocol suites in the future Internet. A virtualized network uses a single physical infrastructure to support multiple logical networks. Each logical network can provide its users with a custom set of protocols and functionalities. Much research work has focused on developing infrastructure components that can provide some level of logical isolation between virtual networks. However, these systems often assume a somewhat cooperative environment where all network infrastructure providers, virtual network operators, and users collaborate. As this technology matures and becomes more widely deployed, it is also important to consider the effects of and possible defenses against malicious operators and users. In this paper, we explore these security issues in network virtualization. In particular, we systematically discuss the relationship between all entities and potential attacks to illustrate the importance of considering security issues in the design and implementation of virtualized networks. We also present several ideas on how to proceed toward the goal of secure network virtualization in the future Internet.

23 citations


Cites methods from "Security Architecture for the Inter..."

  • ...IPsec [63]: IPSec establishes a secure tunnel between gateways using the Encapsulating Security Payload (ESP) protocol suite....

    [...]

Journal ArticleDOI
TL;DR: This study focuses on building a product-like security gateway and on evaluating its performance, including the improper implementation in FWTK and the less scalable linear matching algorithms in ipchains and Snort.
Abstract: Network security has become a critical issue for enterprises. This article first gives a tutorial of each basic component of a security gateway, including the firewall, content filtering, network address translation (NAT), the virtual private network (VPN), and the intrusion detection system (IDS). The building of an integrated security gateway, using various open-source packages, is then described. Conflicts among the packages are resolved to ensure interoperability. Next, we internally/externally evaluate the performance of each component with six commercial implementations to identify the problems for future research directions. Readers can understand how these components deliver secure operations, how a packet can properly traverse through such a gateway, and how many resources are consumed in each software component. Selected packages include the Linux kernel, ipchains (packet filter), Squid (URL filter), FWTK (content filter), FreeS/WAN (VPN), and Snort (IDS). ipchains and FreeS/WAN are found viable, but FWTK and Snort suffer performance problems. Further examining their source code and data structures reveals the improper implementation in FWTK and the less scalable linear matching algorithms in ipchains and Snort. Finally, several approaches to scale up these software components are suggested to improve the performance. Note that installing such a security gateway does not mean secured. This study focuses on building a product-like security gateway and on evaluating its performance. The integrated system with a self-developed Web management console is publicly available for downloading.

23 citations

Proceedings ArticleDOI
01 Nov 2006
TL;DR: This work has extended the IGMPv3 protocol, and called the new version the Internet group management protocol with access control (IGMP-AC), and the AAA framework is used for end user authentication, authorization and accounting purposes.
Abstract: IP Multicast is best known for its bandwidth conservation and lower resource utilization. The classical model of multicast makes it difficult to permit access only to authorized end users or paying customers. A scalable, distributed and secure architecture is needed where authorized end users can be authenticated before delivering any data or content. In (unsecure) multicast, an end user or host informs the multicast edge-router of its interest in receiving multicast traffic using the Internet Group Management Protocol (IGMP). To carry the end user authentication data, we have extended the IGMPv3 protocol, and called our new version the Internet Group Management Protocol with Access Control (IGMP-AC). New messages and reception states have been added to IGMPv3, and the AAA framework is used for end user authentication, authorization and accounting purposes. IGMP-AC is presented using state diagrams of the entities that are involved. The proposed protocol has been modeled in PROMELA, and has also been verified using SPIN.

23 citations


Cites background from "Security Architecture for the Inter..."

  • ...In RFC 3376 [3], IPSec [18] in Authentication Header mode [17] has been suggested for use to provide connectionless integrity, data origin authentication and replay protection for the IGMPv3 messages....

    [...]

Patent
23 Jul 2001
TL;DR: This patent describes a method, and a system implementing it, for establishing a secure communication channel for information flow between two or more computers communicating via an interconnected computer network, in response to receiving a security association data structure from one of the computers.
Abstract: A method for establishing a secure communication channel for information flow between two or more computers communicating via an interconnected computer network, and a system for implementing the method, in response to receiving a security association data structure from one of the computers. The received security association data structure is stored in a memory region having a specific memory address value, and the specific memory address value is assigned as the security parameter index value associated with the received inbound security association data structure. Additionally, a method of processing information received over a previously established secure communication channel, and a system for implementing the method, in response to receiving a data packet that includes an encrypted data portion, and a header portion that includes a security parameter index value. A memory region is located using the security parameter index value as an address pointer. The encrypted data portion of the received data packet is then processed based on a security association data structure stored in the located memory region.

23 citations

References
Journal ArticleDOI
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,980 citations

01 Mar 1997
TL;DR: This document defines the capitalized requirement key words as they should be interpreted in IETF documents, and provides guidelines for authors to incorporate a reference phrase near the beginning of their document.
Abstract: In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. Authors who follow these guidelines should incorporate this phrase near the beginning of their document:

3,501 citations

Journal ArticleDOI
TL;DR: Use of encryption to achieve authenticated communication in computer networks is discussed and example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee.
Abstract: Use of encryption to achieve authenticated communication in computer networks is discussed. Example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee. Both conventional and public-key encryption algorithms are considered as the basis for protocols.

2,671 citations

01 Dec 1995
TL;DR: In this document, the authors specify version 6 of the Internet Protocol (IPv6), also referred to as IP Next Generation or IPng.
Abstract: This document specifies version 6 of the Internet Protocol (IPv6), also sometimes referred to as IP Next Generation or IPng.

2,112 citations

01 Sep 1981
TL;DR: Along with TCP, IP represents the heart of the Internet protocols and has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through an internetwork; and providing fragmentation and reassembly of datagrams to support data links with different maximum transmission unit (MTU) sizes.
Abstract: IP is a network layer (Layer 3) protocol that contains addressing information and some control information that enables packets to be routed. IP is documented in RFC 791 and is the primary network layer protocol in the Internet protocol suite. Along with TCP, IP represents the heart of the Internet protocols. IP has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through an internetwork; and providing fragmentation and reassembly of datagrams to support data links with different maximum transmission unit (MTU) sizes.

1,967 citations