
Security Architecture for the Internet Protocol

01 Aug 1995-Vol. 1825, pp 1-101
TL;DR: This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer, and obsoletes RFC 2401 (November 1998).
Abstract: This document describes an updated version of the "Security Architecture for IP", which is designed to provide security services for traffic at the IP layer. This document obsoletes RFC 2401 (November 1998). [STANDARDS-TRACK]


Citations
Patent
30 Sep 2010
TL;DR: The authors propose a secure content distribution method for a configurable general-purpose electronic commercial transaction/distribution control system. It comprises a process for encapsulating digital information in one or more digital containers, a process for encrypting at least a portion of the digital information, a process for associating at least partially secure control information that manages interactions with the encrypted digital information and/or digital container, and a process for delivering one or more digital containers to a digital information user.
Abstract: PROBLEM TO BE SOLVED: An electronic content information provider has no commercially secure and effective distribution method for a configurable general-purpose electronic commercial transaction/distribution control system. SOLUTION: In a system having at least one protected processing environment for safely controlling at least a portion of the decoding of digital information, a secure content distribution method comprises a process for encapsulating digital information in one or more digital containers; a process for encrypting at least a portion of the digital information; a process for associating at least partially secure control information for managing interactions with the encrypted digital information and/or digital container; a process for delivering one or more digital containers to a digital information user; and a process for using a protected processing environment to safely control at least a portion of the decoding of the digital information.

7,643 citations

01 Jul 2003
TL;DR: RTP provides end-to-end network transport functions suitable for applications transmitting real-time data over multicast or unicast network services and is augmented by a control protocol (RTCP) to allow monitoring of the data delivery in a manner scalable to large multicast networks.
Abstract: This memorandum describes RTP, the real-time transport protocol. RTP provides end-to-end network transport functions suitable for applications transmitting real-time data, such as audio, video or simulation data, over multicast or unicast network services. RTP does not address resource reservation and does not guarantee quality-of-service for real-time services. The data transport is augmented by a control protocol (RTCP) to allow monitoring of the data delivery in a manner scalable to large multicast networks, and to provide minimal control and identification functionality. RTP and RTCP are designed to be independent of the underlying transport and network layers. The protocol supports the use of RTP-level translators and mixers.

7,183 citations

Book ChapterDOI
01 Jun 2002
TL;DR: Session Initiation Protocol (SIP) as discussed by the authors is an application layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants, such as Internet telephone calls, multimedia distribution, and multimedia conferences.
Abstract: This document describes Session Initiation Protocol (SIP), an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions include Internet telephone calls, multimedia distribution, and multimedia conferences.

5,482 citations

Book ChapterDOI
18 Aug 1996
TL;DR: Two new, simple, and practical constructions of message authentication schemes based on a cryptographic hash function, NMAC and HMAC, are proven to be secure as long as the underlying hash function has some reasonable cryptographic strengths.
Abstract: The use of cryptographic hash functions like MD5 or SHA-1 for message authentication has become a standard approach in many applications, particularly Internet security protocols. Though very easy to implement, these mechanisms are usually based on ad hoc techniques that lack a sound security analysis. We present new, simple, and practical constructions of message authentication schemes based on a cryptographic hash function. Our schemes, NMAC and HMAC, are proven to be secure as long as the underlying hash function has some reasonable cryptographic strengths. Moreover we show, in a quantitative way, that the schemes retain almost all the security of the underlying hash function. The performance of our schemes is essentially that of the underlying hash function. Moreover they use the hash function (or its compression function) as a black box, so that widely available library code or hardware can be used to implement them in a simple way, and replaceability of the underlying hash function is easily supported.

1,815 citations


Cites background from "Security Architecture for the Inter..."

  • ...This is motivated by the use of these functions in basic applications like IP (Internet Protocol) security [At1, At2] where the performance cost of such a function influences the computational and network performance of many other applications....

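The HMAC construction cited above, written out against a black-box hash so the "replaceability" and "library code as a black box" claims of the abstract can be seen directly. This is an added example, not code from the paper, from the RFC, or from any IPsec implementation; the key and message below are constructed, and the standard-library hmac module is used only as an independent check of the hand-rolled version.

```python
"""HMAC built from a black-box hash function, following Bellare, Canetti and
Krawczyk (1996): HMAC(K, M) = H((K xor opad) || H((K xor ipad) || M)).

Added example, not the paper's or the RFC's code.  Any hashlib algorithm can
be plugged in by name, which is the replaceability property the abstract
describes; the stdlib hmac module is used purely as a reference to check
the construction against.
"""
import hashlib
import hmac as stdlib_hmac

IPAD = 0x36  # inner pad byte, repeated to one hash block
OPAD = 0x5C  # outer pad byte, repeated to one hash block


def hmac_digest(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """Compute HMAC over `message` using `hash_name` as a black box."""
    block_size = hashlib.new(hash_name).block_size   # 64 bytes for MD5/SHA-1/SHA-256
    # Keys longer than one block are hashed first; shorter keys are zero-padded.
    if len(key) > block_size:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")
    k_ipad = bytes(b ^ IPAD for b in key)
    k_opad = bytes(b ^ OPAD for b in key)
    inner = hashlib.new(hash_name, k_ipad + message).digest()
    return hashlib.new(hash_name, k_opad + inner).digest()


def verify(key: bytes, message: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Check a received tag in constant time; never compare MACs with ==."""
    return stdlib_hmac.compare_digest(hmac_digest(key, message, hash_name), tag)


def matches_stdlib(key: bytes, message: bytes, hash_name: str) -> bool:
    """Cross-check the hand-rolled construction against Python's hmac module."""
    reference = stdlib_hmac.new(key, message, hash_name).digest()
    return hmac_digest(key, message, hash_name) == reference


if __name__ == "__main__":
    # Constructed sample inputs, not from the paper.
    key = b"sixteen-byte-key"
    msg = b"authenticated IP payload"
    for name in ("md5", "sha1", "sha256"):
        print(name, hmac_digest(key, msg, name).hex(), matches_stdlib(key, msg, name))
    tag = hmac_digest(key, msg)
    print(verify(key, msg, tag), verify(key, msg + b"x", tag))
```

Swapping MD5 for SHA-1 or SHA-256 changes only the `hash_name` argument; the construction itself is untouched, which is what lets a protocol retire a weakened hash without redesigning its authentication scheme.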

Journal ArticleDOI
TL;DR: It is argued that router mechanisms are needed to identify and restrict the bandwidth of selected high-bandwidth best-effort flows in times of congestion, and several general approaches are discussed for identifying those flows suitable for bandwidth regulation.
Abstract: This paper considers the potentially negative impacts of an increasing deployment of non-congestion-controlled best-effort traffic on the Internet. These negative impacts range from extreme unfairness against competing TCP traffic to the potential for congestion collapse. To promote the inclusion of end-to-end congestion control in the design of future protocols using best-effort traffic, we argue that router mechanisms are needed to identify and restrict the bandwidth of selected high-bandwidth best-effort flows in times of congestion. The paper discusses several general approaches for identifying those flows suitable for bandwidth regulation. These approaches are to identify a high-bandwidth flow in times of congestion as unresponsive, "not TCP-friendly", or simply using disproportionate bandwidth. A flow that is not "TCP-friendly" is one whose long-term arrival rate exceeds that of any conformant TCP in the same circumstances. An unresponsive flow is one failing to reduce its offered load at a router in response to an increased packet drop rate, and a disproportionate-bandwidth flow is one that uses considerably more bandwidth than other flows in a time of congestion.

1,787 citations


Cites methods from "Security Architecture for the Inter..."

  • ...The use of encryption in the IP Security Protocol (IPsec) [15] could prevent routers from using source IP addresses and port numbers for identifying some flows; for this traffic, routers could use the triple in the packet header that defines the Security Association to identify individual flows or aggregates of flows....

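The flow-identification point made in the citation above, carried through in code: when ESP or AH is in use a router cannot read transport ports, but the Security Association is named by the triple (SPI, destination address, security protocol), all of which sits in cleartext. This is an added example and not code from Floyd and Fall's paper, from the RFC, or from any router; the packets are constructed with a minimal IPv4 builder (checksum left zero) and the key formats `("5tuple", ...)`, `("sa", ...)` and `("pair", ...)` are assumptions of this example.

```python
"""Flow identification that survives IPsec, after the remark cited above.

Added example, not the paper's or the RFC's code.  For plain TCP/UDP the
flow key is the usual 5-tuple; for ESP (protocol 50) and AH (protocol 51)
it is the Security Association triple (destination address, protocol, SPI),
which a router can read even though the transport header is encrypted.
Packets are constructed test data built by build_ipv4().
"""
import struct
from collections import Counter
from ipaddress import IPv4Address

PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51


def flow_key(packet: bytes) -> tuple:
    """Return a hashable flow key for one raw IPv4 packet (no link layer)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = str(IPv4Address(packet[12:16]))
    dst = str(IPv4Address(packet[16:20]))
    payload = packet[ihl:]
    if proto in (PROTO_TCP, PROTO_UDP) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        return ("5tuple", src, dst, proto, sport, dport)
    if proto == PROTO_ESP and len(payload) >= 4:
        spi = struct.unpack("!I", payload[:4])[0]       # ESP header starts with the SPI
        return ("sa", dst, proto, spi)
    if proto == PROTO_AH and len(payload) >= 8:
        spi = struct.unpack("!I", payload[4:8])[0]      # AH: next hdr, len, reserved, SPI
        return ("sa", dst, proto, spi)
    # Other protocols or truncated headers: fall back to the address pair.
    return ("pair", src, dst, proto)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet for testing (header checksum left as zero)."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def bytes_per_flow(packets) -> Counter:
    """Aggregate bytes by flow key, as a congestion monitor would."""
    counts = Counter()
    for p in packets:
        counts[flow_key(p)] += len(p)
    return counts


def sample_packets() -> list:
    """Constructed traffic: one TCP flow and two ESP SAs to the same gateway."""
    tcp = struct.pack("!HH", 40000, 443) + b"\x00" * 16
    esp_a = struct.pack("!II", 0x1000, 1) + b"\x00" * 64    # SPI 0x1000, seq 1
    esp_b = struct.pack("!II", 0x2000, 1) + b"\x00" * 128   # SPI 0x2000, seq 1
    return [
        build_ipv4("10.0.0.1", "192.0.2.10", PROTO_TCP, tcp),
        build_ipv4("10.0.0.2", "192.0.2.20", PROTO_ESP, esp_a),
        build_ipv4("10.0.0.2", "192.0.2.20", PROTO_ESP, esp_b),
        build_ipv4("10.0.0.2", "192.0.2.20", PROTO_ESP, esp_b),
    ]


if __name__ == "__main__":
    for key, nbytes in bytes_per_flow(sample_packets()).most_common():
        print(nbytes, key)
```

The two ESP packets with SPI 0x2000 land in one flow and the packet with SPI 0x1000 in another, even though all three share the same address pair, so the regulation the paper argues for can still target one SA rather than everything between two gateways. The source address is deliberately not part of the SA key, because the SA is defined by the receiver's destination address, protocol and SPI.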

References
01 Jul 1997
TL;DR: This specification proposes a protocol to create grouped symmetric keys and distribute them amongst communicating peers that is virtually invisible to operator and can make use of multicast communications protocols.
Abstract: This specification proposes a protocol to create grouped symmetric keys and distribute them amongst communicating peers. This protocol has the following advantages: 1) virtually invisible to operator, 2) no central key distribution site is needed, 3) only group members have the key, 4) sender or receiver oriented operation, 5) can make use of multicast communications protocols.

438 citations

Journal ArticleDOI
TL;DR: The implications of adding security mechanisms to high-level network protocols operating in an open-system environment are analyzed, and a brief description of the two basic approaches to communications security, link-oriented measures and end-to-end measures, concludes that end-to-end measures are more appropriate in an open-system environment.
Abstract: The implications of adding security mechanisms to high-level network protocols operating in an open-system environment are analyzed. First the threats to security that may arise in such an environment are described, and then a set of goals for communications security measures is established. This is followed by a brief description of the two basic approaches to communications security, link-oriented measures and end-to-end measures, which concludes that end-to-end measures are more appropriate in an open-system environment. Next, relevant properties of data encryption--the fundamental technique on which all communications security mechanisms are based--are discussed. The remainder of the paper describes how end-to-end measures can be used to achieve each of the security goals previously established.

368 citations

01 Nov 1990
TL;DR: This memo describes a technique for dynamically discovering the maximum transmission unit (MTU) of an arbitrary internet path by specifying a small change to the way routers generate one type of ICMP message.
Abstract: This memo describes a technique for dynamically discovering the maximum transmission unit (MTU) of an arbitrary internet path. It specifies a small change to the way routers generate one type of ICMP message. For a path that passes through a router that has not been so changed, this technique might not discover the correct Path MTU, but it will always choose a Path MTU as accurate as, and in many cases more accurate than, the Path MTU that would be chosen by current practice.

352 citations

Journal ArticleDOI
TL;DR: This proposal takes an extra interaction between A and B but requires no extra interactions with the authentication server and no accurate distributed clock, something that can only itself be maintained at the cost of interactions (see for example Lamport and Melliar-Smith).
Abstract: In a paper published in 1978 (Needham & Schroeder) we presented protocols for the use of encryption for authentication in large networks of computers. Subsequently the protocols were criticised (Denning and Sacco) on the grounds that compromise of a session key and copying of an authenticator would enable an enemy to pretend indefinitely to be the originator of a secure conversation. This note discusses a solution to the issue.

205 citations

01 Oct 1994
TL;DR: This document describes a spectrum of authentication technologies and provides suggestions to protocol developers on what kinds of authentication might be suitable for some kinds of protocols and applications used in the Internet.
Abstract: This document describes a spectrum of authentication technologies and provides suggestions to protocol developers on what kinds of authentication might be suitable for some kinds of protocols and applications used in the Internet. This document provides information for the Internet community. This memo does not specify an Internet standard of any kind.

45 citations