
Security Architecture for the Internet Protocol

01 Aug 1995-Vol. 1825, pp 1-101
TL;DR: This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer, and obsoletes RFC 2401 (November 1998).
Abstract: This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer. This document obsoletes RFC 2401 (November 1998). [STANDARDS-TRACK]


Citations
Journal ArticleDOI
TL;DR: This paper illustrates the major serious problems of the Internet caused by the overloading of IP address semantics, and classify the existing Loc/ID split network architectures based on their properties, abstract the general principle and framework for each classification, and demonstrate related representative architectures in detail.
Abstract: The Internet has achieved unprecedented success in human history. However, its original design has encountered many challenges in the past decades due to the significant changes of context and requirements. As a result, the design of future networks has received great attention from both academia and industry, and numerous novel architectures have sprung up in recent years. Among them, the locator/identifier (Loc/ID) split networking is widely discussed for its decoupling of the overloaded IP address semantics, which satisfies several urgent needs of the current Internet such as mobility, multi-homing, routing scalability, security, and heterogeneous network convergence. Hence, in this paper, we focus on Loc/ID split network architectures, and provide a related comprehensive survey on their principles, mechanisms, and characteristics. First, we illustrate the major serious problems of the Internet caused by the overloading of IP address semantics. Second, we classify the existing Loc/ID split network architectures based on their properties, abstract the general principle and framework for each classification, and demonstrate related representative architectures in detail. Finally, we summarize the fundamental features of the Loc/ID split networking, compare corresponding investigated architectures, and discuss several open issues and opportunities.

60 citations

Journal ArticleDOI
TL;DR: Two flow-oriented mechanisms are introduced, in the context of Mobile IP, to ensure a mobile host's robust and efficient communication with other hosts in a changing environment and their implementation and performance are described.
Abstract: Fueled by the large number of powerful light-weight portable computers, the expanding availability of wireless networks, and the popularity of the Internet, there is an increasing demand to connect portable computers to the Internet at any time and in any place. However, the dynamic nature of a mobile host's connectivity and its use of multiple network interfaces require more flexible network support than has typically been available for stationary workstations. This paper introduces two flow-oriented mechanisms, in the context of Mobile IP [25], to ensure a mobile host's robust and efficient communication with other hosts in a changing environment. One mechanism supports multiple packet delivery methods (such as regular IP or Mobile IP) and adaptively selects the most appropriate one to use according to the characteristics of each traffic flow. The other mechanism enables a mobile host to make use of multiple network interfaces simultaneously and to control the selection of the most desirable network interfaces for both outgoing and incoming packets for different traffic flows. We demonstrate the usefulness of these two network layer mechanisms and describe their implementation and performance.

60 citations

Proceedings ArticleDOI
24 Oct 2016
TL;DR: It is found that, contrary to Juniper's public statements, the ScreenOS VPN implementation has been vulnerable since 2008 to passive exploitation by an attacker who selects the Dual EC curve point.
Abstract: In December 2015, Juniper Networks announced multiple security vulnerabilities stemming from unauthorized code in ScreenOS, the operating system for their NetScreen VPN routers. The more sophisticated of these vulnerabilities was a passive VPN decryption capability, enabled by a change to one of the elliptic curve points used by the Dual EC pseudorandom number generator. In this paper, we describe the results of a full independent analysis of the ScreenOS randomness and VPN key establishment protocol subsystems, which we carried out in response to this incident. While Dual EC is known to be insecure against an attacker who can choose the elliptic curve parameters, Juniper had claimed in 2013 that ScreenOS included countermeasures against this type of attack. We find that, contrary to Juniper's public statements, the ScreenOS VPN implementation has been vulnerable since 2008 to passive exploitation by an attacker who selects the Dual EC curve point. This vulnerability arises due to apparent flaws in Juniper's countermeasures as well as a cluster of changes that were all introduced concurrently with the inclusion of Dual EC in a single 2008 release. We demonstrate the vulnerability on a real NetScreen device by modifying the firmware to install our own parameters, and we show that it is possible to passively decrypt an individual VPN session in isolation without observing any other network traffic. We investigate the possibility of passively fingerprinting ScreenOS implementations in the wild. This incident is an important example of how guidelines for random number generation, engineering, and validation can fail in practice.

60 citations
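What the paper's "attacker who selects the Dual EC curve point" can actually do, as an added example that is not the paper's code: a toy Dual EC DRBG on NIST P-256 whose Q was produced as d*P, so the party that chose Q knows e = d^-1 with P = e*Q and can turn a single 32-byte output block (for instance a nonce sent in the clear during key establishment) into the generator's next state and every block after it. Assumptions: the toy emits the full x-coordinate where the standard truncates each block to 30 bytes (a real attacker pays roughly 2^16 candidate points per block for that, nothing more), the seed and the trapdoor d are random values constructed here, and all function and variable names are mine.

```python
"""Why an attacker-chosen Dual EC point Q is a backdoor: with e such that
P = e*Q, one output block reveals the generator's next state.
Toy Dual EC on NIST P-256; added example, not the paper's code."""
import secrets

# NIST P-256 domain parameters (public constants). Dual EC uses the generator as P.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
DUAL_EC_P = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
             0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P256_P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, -1, P256_P)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P)
    lam %= P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    return (x3, (lam * (x1 - x3) - y1) % P256_P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; fine for a demo)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Curve point with the given x (p = 3 mod 4, so sqrt is one modexp); either sign of y works."""
    rhs = (x * x * x + P256_A * x + P256_B) % P256_P
    y = pow(rhs, (P256_P + 1) // 4, P256_P)
    return (x, y) if (y * y) % P256_P == rhs else None


class DualEC:
    """s_{i+1} = x(s_i * P); r_i = x(s_{i+1} * Q).  Simplification (assumption of this
    toy): all 32 bytes of r_i are emitted, where the standard truncates to 30."""

    def __init__(self, seed, Q):
        self.s = seed
        self.Q = Q

    def next_block(self):
        self.s = ec_mul(self.s, DUAL_EC_P)[0]
        return ec_mul(self.s, self.Q)[0].to_bytes(32, "big")


def recover_next_state(block, e):
    """Given r_i and the trapdoor e (P = e*Q): e * (s_{i+1} Q) = s_{i+1} P, whose x is s_{i+2}."""
    R = lift_x(int.from_bytes(block, "big"))
    return ec_mul(e, R)[0]


def predict_blocks(state, Q, count):
    """Run the generator forward from a recovered state, without ever knowing the seed."""
    out = []
    for _ in range(count):
        out.append(ec_mul(state, Q)[0].to_bytes(32, "big"))
        state = ec_mul(state, DUAL_EC_P)[0]
    return out


def run_attack(attacker_knows_trapdoor=True):
    """True if the attacker predicts the victim's next three blocks from one observed block."""
    d = secrets.randbelow(P256_N - 1) + 1                 # constructed trapdoor
    Q = ec_mul(d, DUAL_EC_P)                              # Q = d*P, so P = (d^-1)*Q
    e = pow(d, -1, P256_N) if attacker_knows_trapdoor else secrets.randbelow(P256_N - 1) + 1
    victim = DualEC(secrets.randbelow(P256_N - 1) + 1, Q)
    observed = victim.next_block()                        # one block seen on the wire
    predicted = predict_blocks(recover_next_state(observed, e), Q, 3)
    return predicted == [victim.next_block() for _ in range(3)]


if __name__ == "__main__":
    print("with trapdoor:", run_attack(True), " without:", run_attack(False))
```

The point the paper makes about countermeasures follows directly from this structure: any defence that still lets raw Dual EC output reach the wire (rather than passing it through a second, independent stage) leaves the state recovery intact, and an implementation that outputs more than the 30 specified bytes only removes the small brute-force step.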

Patent
22 Nov 1995
TL;DR: This patent describes controlling the passage of packets or messages between a device and a network via a virtual connection or flow that conforms to a predefined communication protocol: authorization rules are applied only to packets that trigger a step in managing the flow, while other packets in an established flow pass directly.
Abstract: Passage of packets or messages is controlled between a device and a network via a virtual connection or flow which conforms to a predefined communication protocol. In connection with processing a packet or message that triggers a step in managing the virtual connection or flow, predefined authorization rules are applied to determine whether to permit the step to occur. In connection with processing a packet or message that does not trigger a step in managing the virtual connection or flow, the packet or message is permitted to pass directly via the virtual connection or flow, without applying the predefined authorization rules.

60 citations
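The control-path/data-path split the patent abstract describes, as an added example that is not the patent's implementation: a flow table keyed by the 5-tuple, a rule set consulted only when a packet opens a flow (a TCP SYN without ACK, or the first UDP datagram), and a fast path for every packet already inside an authorized flow. The addresses, rules and packet sequence are constructed; treating FIN/RST as a closing step that simply removes the flow entry, rather than as another rule-checked step, is a simplification made here.

```python
"""Flow-oriented packet authorization: rules run only on flow-managing packets,
everything inside an authorized flow bypasses them. Added example; not the
patent's code. Rule set and traffic are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()    # TCP flags, e.g. {"SYN"}, {"ACK"}, {"FIN", "ACK"}


@dataclass
class Rule:
    action: str      # "permit" or "deny"
    proto: str
    dst: str         # exact address or "any"
    dport: int       # port, or 0 for any

    def matches(self, pkt):
        return (self.proto == pkt.proto
                and self.dst in ("any", pkt.dst)
                and self.dport in (0, pkt.dport))


class FlowFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()            # authorized flows, keyed in the initiator's direction
        self.rule_evaluations = 0     # how often the slow (rule) path ran

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    @staticmethod
    def _opens_flow(pkt):
        if pkt.proto == "tcp":
            return "SYN" in pkt.flags and "ACK" not in pkt.flags
        return True                   # first UDP datagram opens a pseudo-flow

    @staticmethod
    def _closes_flow(pkt):
        return pkt.proto == "tcp" and ("FIN" in pkt.flags or "RST" in pkt.flags)

    def _authorize(self, pkt):
        self.rule_evaluations += 1
        for rule in self.rules:       # first match wins; default deny
            if rule.matches(pkt):
                return rule.action == "permit"
        return False

    def process(self, pkt):
        fwd, rev = self._key(pkt), self._reverse(pkt)
        if fwd in self.flows or rev in self.flows:
            # Fast path: no rule lookup for packets of an authorized flow.
            if self._closes_flow(pkt):
                self.flows.discard(fwd)
                self.flows.discard(rev)
            return "pass"
        # Only a flow-opening packet may consult the rules; a stray mid-stream
        # packet with no flow (e.g. an unsolicited ACK) is dropped outright.
        if self._opens_flow(pkt) and self._authorize(pkt):
            self.flows.add(fwd)
            return "pass"
        return "drop"


def demo():
    """Constructed traffic; returns the verdicts and how many times the rules ran."""
    fw = FlowFirewall([
        Rule("permit", "tcp", "10.0.0.5", 443),
        Rule("permit", "udp", "10.0.0.53", 53),
        Rule("deny", "tcp", "any", 0),
    ])
    syn = Packet("tcp", "192.0.2.10", 40000, "10.0.0.5", 443, frozenset({"SYN"}))
    synack = Packet("tcp", "10.0.0.5", 443, "192.0.2.10", 40000, frozenset({"SYN", "ACK"}))
    data = Packet("tcp", "192.0.2.10", 40000, "10.0.0.5", 443, frozenset({"ACK"}))
    stray = Packet("tcp", "192.0.2.66", 5555, "10.0.0.5", 443, frozenset({"ACK"}))
    telnet = Packet("tcp", "192.0.2.10", 40001, "10.0.0.5", 23, frozenset({"SYN"}))
    fin = Packet("tcp", "192.0.2.10", 40000, "10.0.0.5", 443, frozenset({"FIN", "ACK"}))
    verdicts = [fw.process(p) for p in (syn, synack, data, stray, telnet, fin, data)]
    return verdicts, fw.rule_evaluations


if __name__ == "__main__":
    print(demo())
```

Only two packets (the two SYNs) ever touch the rules; the reply, the data, and the teardown ride the flow table, and a packet that is neither flow-opening nor part of a known flow never gets a chance to be authorized.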

Proceedings ArticleDOI
29 Mar 1998
TL;DR: This paper proposes a novel system architecture which allows both application specific data processing in network nodes as well as rapid deployment of new network protocol implementations.
Abstract: Active networking allows the network infrastructure to be programmable. Previous research focused on two commonly separated approaches: "capsules" and "programmable switches". Capsules are typically small programs in packets which flow through the network and are executed in-band on nodes receiving them. Programmable switches are network devices which offer a back-door to inject code by a network administrator out-of-band in order to enhance the device's capabilities. By combining these two approaches, this paper proposes a novel system architecture which allows both application specific data processing in network nodes as well as rapid deployment of new network protocol implementations. Instead of carrying code, data packets carry pointers to digitally signed active modules initially loaded on-the-fly, inband from trusted code servers on the network. Packet processing runs at high speed, may access and modify the whole network subsystem and no potentially slow virtual machines are needed.

60 citations

References
Journal ArticleDOI
TL;DR: This paper suggests ways to solve currently open problems in cryptography, and discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Abstract: Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

14,980 citations

01 Mar 1997
TL;DR: This document defines these words as they should be interpreted in IETF documents and gives authors a phrase to incorporate near the beginning of their documents.
Abstract: In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. Authors who follow these guidelines should incorporate this phrase near the beginning of their document:

3,501 citations

Journal ArticleDOI
TL;DR: Use of encryption to achieve authenticated communication in computer networks is discussed and example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee.
Abstract: Use of encryption to achieve authenticated communication in computer networks is discussed. Example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee. Both conventional and public-key encryption algorithms are considered as the basis for protocols.

2,671 citations

01 Dec 1995
TL;DR: This document specifies version 6 of the Internet Protocol (IPv6), also referred to as IP Next Generation or IPng.
Abstract: This document specifies version 6 of the Internet Protocol (IPv6), also sometimes referred to as IP Next Generation or IPng.

2,112 citations

01 Sep 1981
TL;DR: Along with TCP, IP represents the heart of the Internet protocols and has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through an internetwork; and providing fragmentation and reassembly of datagrams to support data links with different maximum transmission unit (MTU) sizes.
Abstract: IP is a network layer (Layer 3) protocol that contains addressing information and some control information that enables packets to be routed. IP is documented in RFC 791 and is the primary network layer protocol in the Internet protocol suite. Along with TCP, IP represents the heart of the Internet protocols. IP has two primary responsibilities: providing connectionless, best-effort delivery of datagrams through an internetwork; and providing fragmentation and reassembly of datagrams to support data links with different maximum transmission unit (MTU) sizes.

1,967 citations
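The fragmentation and reassembly responsibility summarized above, as an added example (not code from RFC 791 or from the cited summary) that builds real IPv4 headers: it splits a datagram for a given MTU with offsets carried in 8-byte units, reassembles fragments that arrive in any order, and rejects overlapping fragments. RFC 791 does not require that rejection, but a security-minded reassembler wants it, because overlapping fragments are a long-standing way to show one payload to a filtering device and a different one to the end host. Addresses, payload, identification value and MTU are constructed.

```python
"""IPv4 fragmentation and strict (no-overlap) reassembly over real header bytes.
Added example; addresses, payload and MTU are constructed."""
import struct

IHL_BYTES = 20          # header without options
MF_FLAG = 0x2000        # "more fragments" bit in the flags/offset field
HDR_FMT = "!BBHHHBBH4s4s"


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(ident, offset_bytes, more_fragments, data, src, dst, proto=17):
    """Serialize one fragment; the header stores the offset in 8-byte units."""
    assert offset_bytes % 8 == 0
    flags_frag = (MF_FLAG if more_fragments else 0) | (offset_bytes // 8)
    hdr = struct.pack(HDR_FMT, 0x45, 0, IHL_BYTES + len(data), ident,
                      flags_frag, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + data


def fragment(ident, payload, mtu, src, dst):
    """Split payload so each fragment fits the MTU; all but the last carry a multiple of 8 bytes."""
    per_frag = (mtu - IHL_BYTES) // 8 * 8
    if per_frag <= 0:
        raise ValueError("MTU too small to carry a fragment")
    pkts, off = [], 0
    while off < len(payload):
        chunk = payload[off:off + per_frag]
        more = off + len(chunk) < len(payload)
        pkts.append(build_packet(ident, off, more, chunk, src, dst))
        off += len(chunk)
    return pkts


def parse_packet(pkt):
    """Return (identification, offset in bytes, more-fragments, data) after checking the header."""
    fields = struct.unpack(HDR_FMT, pkt[:IHL_BYTES])
    ihl = (fields[0] & 0xF) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    total_len, ident, flags_frag = fields[2], fields[3], fields[4]
    return ident, (flags_frag & 0x1FFF) * 8, bool(flags_frag & MF_FLAG), pkt[ihl:total_len]


def reassemble(pkts):
    """Rebuild datagrams by identification; reject overlap, gaps and data past the final fragment."""
    groups = {}
    for pkt in pkts:
        ident, off, more, data = parse_packet(pkt)
        groups.setdefault(ident, []).append((off, more, data))
    out = {}
    for ident, parts in groups.items():
        parts.sort(key=lambda t: t[0])
        buf, expected, total = bytearray(), 0, None
        for off, more, data in parts:
            if total is not None:
                raise ValueError(f"id {ident}: data after final fragment")
            if off < expected:
                raise ValueError(f"id {ident}: overlapping fragment at offset {off}")
            if off > expected:
                raise ValueError(f"id {ident}: gap before offset {off}")
            buf += data
            expected = off + len(data)
            if not more:
                total = expected
        if total is None:
            raise ValueError(f"id {ident}: final fragment missing")
        out[ident] = bytes(buf)
    return out


SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])     # constructed addresses


def demo():
    """3072-byte constructed payload over a 1500-byte MTU, fragments delivered in reverse order."""
    payload = bytes(range(256)) * 12
    frags = fragment(0x1234, payload, 1500, SRC, DST)
    rebuilt = reassemble(list(reversed(frags)))
    return len(frags), rebuilt[0x1234] == payload


def overlap_is_rejected():
    """A crafted fragment whose data starts inside the first fragment must not reassemble."""
    frags = fragment(0x1234, b"A" * 3000, 1500, SRC, DST)
    frags.append(build_packet(0x1234, 1472, True, b"B" * 16, SRC, DST))
    try:
        reassemble(frags)
    except ValueError as exc:
        return "overlapping" in str(exc)
    return False


if __name__ == "__main__":
    print(demo(), overlap_is_rejected())
```

Two details worth noticing in the code: the fragment offset field is 13 bits of 8-byte units, which is why non-final fragments must carry a multiple of 8 bytes, and the reassembler keys only on identification, so in a real stack the tuple would also include source, destination and protocol to keep unrelated datagrams from being merged.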