
Security Architecture for the Internet Protocol

01 Aug 1995-Vol. 1825, pp 1-101
TL;DR: This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer, and obsoletes RFC 2401 (November 1998).
Abstract: This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer. This document obsoletes RFC 2401 (November 1998). [STANDARDS-TRACK]


Citations
Proceedings Article
28 Jan 2002
TL;DR: This paper uses a trace from a time-sharing UNIX server used by a medium-sized workgroup to quantify the costs associated with each of the secure storage systems, and shows that encrypt-on-disk systems offer both increased security and improved performance over encrypt-on-wire in the traced environment.
Abstract: There are a variety of ways to ensure the security of data and the integrity of data transfer, depending on the set of anticipated attacks, the level of security desired by data owners, and the level of inconvenience users are willing to tolerate. Current storage systems secure data either by encrypting data on the wire, or by encrypting data on the disk. These systems seem very different, and currently there are no common parameters for comparing them. In this paper we propose a framework in which both types of systems can be evaluated along the security and performance axes. In particular, we show that all of the existing systems merely make different trade-offs along a single continuum and among a set of related security primitives. We use a trace from a time-sharing UNIX server used by a medium-sized workgroup to quantify the costs associated with each of these secure storage systems. We show that encrypt-on-disk systems offer both increased security and improved performance over encrypt-on-wire in the traced environment.

197 citations

Patent
11 Apr 2001
TL;DR: In this article, the authors present a method for providing network services using at least one processor, such as a network operations center that interfaces a base network, to self-configure itself as a gateway.
Abstract: Methods and systems are provided for providing network services using at least one processor, such as a network operations center that interfaces a base network. The network operations center may receive information identifying a user authorized to administer a first processor, which may be separate from the network operations center, and a base address that is routable in the base network. The network operations center may provide through the base network code and information for self-configuring the first processor as a gateway that interfaces the base network at the base address. The first processor may execute the provided code to self-configure itself as the gateway based on the provided information. The network operations center may then provide through the base network to the first processor additional information enabling at least one tunnel through the base network to a second processor, which may also be separate from the network operations center, when the first and second processors each provide to the network operations center a consent for enabling the tunnel.

193 citations

Proceedings Article
08 Dec 2003
TL;DR: A secure version of ARP that provides protection against ARP poisoning; performance measurements show that PKI-based strong authentication is feasible to secure even low-level protocols, as long as the overhead for key validity verification is kept small.
Abstract: Tapping into the communication between two hosts on a LAN has become quite simple thanks to tools that can be downloaded from the Internet. Such tools use the address resolution protocol (ARP) poisoning technique, which relies on hosts caching reply messages even though the corresponding requests were never sent. Since no message authentication is provided, any host of the LAN can forge a message containing malicious information. We present a secure version of ARP that provides protection against ARP poisoning. Each host has a public/private key pair certified by a local trusted party on the LAN, which acts as a certification authority. Messages are digitally signed by the sender, thus preventing the injection of spurious and/or spoofed information. As a proof of concept, the proposed solution was implemented on a Linux box. Performance measurements show that PKI based strong authentication is feasible to secure even low level protocols, as long as the overhead for key validity verification is kept small.

190 citations

Proceedings Article
05 Jan 2016
TL;DR: This paper presents a review of security attacks from the perspective of the layers that comprise IoT, and a review of methods that provide solutions to these issues is presented along with their limitations.
Abstract: Internet of Things (IoT) is an enabler for the intelligence appended to many central features of the modern world, such as hospitals, cities, grids, organizations, and buildings. Security and privacy are some of the major issues that prevent the wide adoption of Internet of Things. In this paper, with example scenarios, we present a review of security attacks from the perspective of the layers that comprise IoT. In addition, a review of methods that provide solutions to these issues is presented along with their limitations. To overcome these limitations, we have provided future work recommendations with a framework. Further research and implementation of the framework and our recommendations will further enhance the robustness and reliability of the IoT and its applications against a variety of known attacks.

189 citations

Proceedings Article
Keon Jang, Sangjin Han, Seungyeop Han, Sue Moon, KyoungSoo Park
30 Mar 2011
TL;DR: This paper shows that modern graphics processing units (GPUs) can be easily converted to general-purpose SSL accelerators and builds a transparent SSL proxy, SSLShader, that carefully leverages the trade-offs of recent hardware features such as AESNI and NUMA and achieves both high throughput and low latency.
Abstract: Secure end-to-end communication is becoming increasingly important as more private and sensitive data is transferred on the Internet. Unfortunately, today's SSL deployment is largely limited to security- or privacy-critical domains. The low adoption rate is mainly attributed to the heavy cryptographic computation overhead on the server side, and the cost of good privacy on the Internet is tightly bound to expensive hardware SSL accelerators in practice. In this paper we present high-performance SSL acceleration using commodity processors. First, we show that modern graphics processing units (GPUs) can be easily converted to general-purpose SSL accelerators. By exploiting the massive computing parallelism of GPUs, we accelerate SSL cryptographic operations beyond what state-of-the-art CPUs provide. Second, we build a transparent SSL proxy, SSLShader, that carefully leverages the trade-offs of recent hardware features such as AESNI and NUMA and achieves both high throughput and low latency. In our evaluation, the GPU implementation of RSA shows a factor of 22.6 to 31.7 improvement over the fastest CPU implementation. SSLShader achieves 29K transactions per second for small files while it transfers large files at 13 Gbps on a commodity server machine. These numbers are comparable to high-end commercial SSL appliances at a fraction of their price.

189 citations

References
Journal Article
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,980 citations

01 Mar 1997
TL;DR: This document defines these words as they should be interpreted in IETF documents as well as providing guidelines for authors to incorporate this phrase near the beginning of their document.
Abstract: In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. Authors who follow these guidelines should incorporate this phrase near the beginning of their document:

3,501 citations

Journal Article
TL;DR: Use of encryption to achieve authenticated communication in computer networks is discussed and example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee.
Abstract: Use of encryption to achieve authenticated communication in computer networks is discussed. Example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee. Both conventional and public-key encryption algorithms are considered as the basis for protocols.

2,671 citations

01 Dec 1995
TL;DR: In this paper, the authors specify version 6 of the Internet Protocol (IPv6), also referred to as IP Next Generation or IPng, and propose a new protocol called IPng.
Abstract: This document specifies version 6 of the Internet Protocol (IPv6), also sometimes referred to as IP Next Generation or IPng.

2,112 citations

01 Sep 1981
TL;DR: Along with TCP, IP represents the heart of the Internet protocols and has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through an internetwork; and providing fragmentation and reassembly of datagrams to support data links with different maximum transmission unit (MTU) sizes.
Abstract: IP is a network layer (Layer 3) protocol that contains addressing information and some control information that enables packets to be routed. IP is documented in RFC 791 and is the primary network layer protocol in the Internet protocol suite. Along with TCP, IP represents the heart of the Internet protocols. IP has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through an internetwork; and providing fragmentation and reassembly of datagrams to support data links with different maximum transmission unit (MTU) sizes.

1,967 citations