Showing papers on "IPsec published in 1998"

A security architecture for the Internet protocol

Abstract: In this paper we present the design, rationale, and implementation of a security architecture for protecting the secrecy and integrity of Internet traffic at the Internet Protocol (IP) layer. The design includes three components: (1) a security policy for determining when, where, and how security measures are to be applied; (2) a modular key management protocol, called MKMP, for establishing shared secrets between communicating parties and meta-information prescribed by the security policy; and (3) the IP Security Protocol, as it is being standardized by the Internet Engineering Task Force, for applying security measures using information provided through the key management protocol. Effectively, these three components together allow for the establishment of a secure channel between any two communicating systems over the Internet. This technology is a component of IBM's firewall product and is now being ported to other IBM computer platforms.

Mobile IP mobility agent standby protocol

Abstract: Disclosed is a method and apparatus for automatically backing up a Home Agent in Mobile IP. The method employs important components of the widely-used Hot Standby Router Protocol, but extends it to include synchronization of the mobility binding table between an active Home Agent and a standby Home Agent that backs it up. Also disclosed is a more general protocol for extending HSRP and related redundancy protocols to synchronize higher level functions other than mobility binding lists in Mobile IP (e.g., address translation tables in Network Address Translation (NAT), address bindings in Dynamic Host Configuration Protocol (DHCP) servers, dynamic ACL in Reflexive Access List, and TCP and GTP layer context in GPRS support nodes: SGSN & GGSN). Still other protocols that could benefit from HSRP include Lock and Key, Context-Based Access List, IP Security (IPSec), and H.323 gatekeeper.

Internet Security Association and Key Management Protocol (ISAKMP) Status of this Memo

Abstract: This memo describes a protocol utilizing security concepts necessary for establishing Security Associations (SA) and cryptographic keys in an Internet environment. A Security Association protocol that negotiates, establishes, modifies and deletes Security Associations and their attributes is required for an evolving Internet, where there will be numerous security mechanisms and several options for each security mechanism. The key management protocol must be robust in order to handle public key generation for the Internet community at large and private key requirements for those private networks with that requirement. The Internet Security Association and Key Management Protocol (ISAKMP) defines the procedures for authenticating a communicating peer, creation and management of Security Associations, key generation techniques, and threat mitigation (e.g. denial of service and replay attacks). All of these are necessary to establish and maintain secure communications (via IP Security Service or any other security protocol) in an Internet environment.

Internet Security Association and Key Management Protocol (ISAKMP)

Abstract: This memo describes a protocol utilizing security concepts necessary for establishing Security Associations (SA) and cryptographic keys in an Internet environment. A Security Association protocol that negotiates, establishes, modifies and deletes Security Associations and their attributes is required for an evolving Internet, where there will be numerous security mechanisms and several options for each security mechanism. The key management protocol must be robust in order to handle public key generation for the Internet community at large and private key requirements for those private networks with that requirement. The Internet Security Association and Key Management Protocol (ISAKMP) defines the procedures for authenticating a communicating peer, creation and management of Security Associations, key generation techniques, and threat mitigation (e.g. denial of service and replay attacks). All of these are necessary to establish and maintain secure communications (via IP Security Service or any other security protocol) in an Internet environment.

Guidelines for Writing an IANA Considerations Section in RFCs

Abstract: Many protocols make use of identifiers consisting of constants and other well-known values. Even after a protocol has been defined and deployment has begun, new values may need to be assigned (e.g., for a new option type in DHCP, or a new encryption or authentication algorithm for IPSec). To insure that such quantities have consistent values and interpretations in different implementations, their assignment must be administered by a central authority. For IETF protocols, that role is provided by the Internet Assigned Numbers Authority (IANA).

The Use of HMAC-SHA-1-96 within ESP and AH

Abstract: This memo describes the use of the HMAC algorithm [RFC-2104] in conjunction with the SHA-1 algorithm [FIPS-180-1] as an authentication mechanism within the revised IPSEC Encapsulating Security Payload [ESP] and the revised IPSEC Authentication Header [AH]. HMAC with SHA-1 provides data origin authentication and integrity protection.

The Internet IP Security Domain of Interpretation for ISAKMP

Abstract: The Internet Security Association and Key Management Protocol (ISAKMP) defines a framework for security association management and cryptographic key establishment for the Internet. This framework consists of defined exchanges, payloads, and processing guidelines that occur within a given Domain of Interpretation (DOI). This document defines the Internet IP Security DOI (IPSEC DOI), which instantiates ISAKMP for use with IP when IP uses ISAKMP to negotiate security associations.

The Use of HMAC-MD5-96 within ESP and AH

Abstract: This memo describes the use of the HMAC algorithm [RFC-2104] in conjunction with the MD5 algorithm [RFC-1321] as an authentication mechanism within the revised IPSEC Encapsulating Security Payload [ESP] and the revised IPSEC Authentication Header [AH]. HMAC with MD5 provides data origin authentication and integrity protection.

IP Security Document Roadmap

Abstract: The IPsec protocol suite is used to provide privacy and authentication services at the IP layer. Several documents are used to describe this protocol suite. The interrelationship and organization of the various documents covering the IPsec protocol are discussed here. An explanation of what to find in which document, and what to include in new Encryption Algorithm and Authentication Algorithm documents are described.

The NULL Encryption Algorithm and Its Use With IPsec

Abstract: This memo defines the NULL encryption algorithm and its use with the IPsec Encapsulating Security Payload (ESP). NULL does nothing to alter plaintext data. In fact, NULL, by itself, does nothing. NULL provides the means for ESP to provide authentication and integrity without confidentiality.

PF_KEY Key Management API, Version 2

Abstract: A generic key management API that can be used not only for IP Security [Atk95a] [Atk95b] [Atk95c] but also for other network security services is presented in this document. Version 1 of this API was implemented inside 4.4-Lite BSD as part of the U. S. Naval Research Laboratory's freely distributable and usable IPv6 and IPsec implementation[AMPMC96]. It is documented here for the benefit of others who might also adopt and use the API, thus providing increased portability of key management applications (e.g. a manual keying application, an ISAKMP daemon, a GKMP daemon [HM97a][HM97b], a Photuris daemon, or a SKIP certificate discovery protocol daemon).

Building and Managing Virtual Private Networks

Abstract: THE INTERNET AND BUSINESS. Business on the Internet. Virtual Private Networks. A Closer Look at Internet VPNs. SECURING AN INTERNET VPN. Security: Threats and Solutions. Using IPSec to Build a VPN. Using PPTP to Build a VPN. Using L2TP to Build a VPN. Designing Your VPN. BUILDING BLOCKS OF A VPN. The ISP Connection. Firewalls and Routers. VPN Hardware. VPN Software. MANAGING A VPN. Security Management. IP Address Management. Performance Management. LOOKING AHEAD. Extending VPNs to Extranets. Future Directions. Appendices. Glossary. Index.

Security at the Internet layer

Abstract: The Internet Engineering Task Force is standardizing security protocols (IPsec protocols) that are compatible with IPv6 and can be retrofitted into IPv4. The protocols are transparent to both applications and users and can be implemented without modifying application programs. The current protocol versions were published as Internet drafts in March 1998. The article overviews the proposed security architecture and the two main protocols-the IP Security Protocol and the Internet Key Management Protocol-describes the risks they address, and touches on some implementation requirements. IPsec's major advantage is that it can provide security services transparently to both applications and users. Also, the application programs using IPsec need not be modified in any way. This is particularly important when securing application programs that are not available in source code, which is common today. This transparency sets IPsec apart from security protocols that operate above the Internet layer. At present, IPsec is likely to be used in conjunction with and complemented by other security technologies, mechanisms, and protocols. Examples include firewalls and strong authentication mechanisms for access control, and higher layer security protocols for end-to-end communication security. In the near future, however, as virtual private networking and corporate intranets and extranets mature, IPsec is likely to be deployed on a larger scale.

A certified e-mail protocol

Abstract: Protocols to facilitate secure electronic delivery are necessary if the Internet is to achieve its true potential as a business communications tool. We present a protocol for secure e-mail that protects both the sender and the receiver, and can be implemented using current e-mail products and existing Internet infrastructure.

Secure wiretap support for internet protocol security

Abstract: Secure wiretap support for Internet Protocol security. Specifically, one embodiment of the present invention includes a system for allowing controlled access to a networked communication. The system comprises an intermediate device that includes memory. The memory of the intermediate device is for storing a policy rule therein. The intermediate device is adapted to download the policy rules governing access to a desired location. The system further comprises a client which is coupled to the intermediate device. The client is adapted to receive the policy rule when the intermediate device downloads it to the client. As such, any communication data intended to travel between a first destination and the client is forwarded to a second destination. Therefore, the present invention provides a method and system for providing law enforcement agencies the ability to wiretap specific encrypted communications. Moreover, the present invention provides this ability while allowing the established hardware infrastructure of computer networks to remain essentially unchanged. Furthermore, the present invention does not affect the performance of the network while enabling end users to utilize any encryption algorithms for their communications. Additionally, the present invention enables encrypted communication data to remain encrypted during transmittal en route to its destination.

Use of IPSec in Mobile IP

Abstract: INTRODUCTION As mobile computing has become a reality, new technologies and protocols have been developed to provide to mobile users the services that already exist for non-mobile users. Mobile IP, one of these technologies, enables a node to change its point of attachment to an internet in a manner transparent to applications running on top of the protocol stack, since its IP address does not change. To provide this transparency, new elements are required: the " home agent " (HA), located in the home network, will forward all incoming packets addressed to the mobile node's (MN) new location. The foreign agent (FA) is responsible for providing a temporary address to the MN. The flexibility of communication through the Internet allows the existence of such protocols as Mobile IP. As much as this is true, it is as well the fact that every time new protocols or services are made available on the Internet, new security challenges arise. IPSec has been developed as a protocol to provide security at the IP layer. That is to say, using IPSec all communications on the Internet can be accomplished in a secure fashion. Providing security is not an easy task, since many situations have to be taken into account. The approach IPSec uses to address security is by managing two key concepts: privacy and authentication. In this paper, the MOBILE IPv4 & MOBILE IPv6 with the security considerations are introduced, after that the IPsec is explained, focusing on the IP Authentication Header and the IPsec Encapsulating Security Payload. Then the USE OF IPsec IN MOBILE IP part is treated, finally a performance analysis done in Carnegie Mellon University on IPsec usage in MOBILE IP on wireless environments is presented. The current Mobile IPv4 protocol is completely transparent to the transport and higher layers and does not require any changes to existing Internet hosts and routers. The Mobile IP protocol allows the MNs to retain their IP address regardless of their point of attachment to the network. This can be fulfilled by allowing the MN to use two IP addresses. The first one, called home address, is static and is mainly used to identify higher layer connections, e.g., TCP. The second IP address that can be used by a MN is the Care-of Address. While the mobile is roaming among different networks, the Care-of Address changes. The reason of this is that the Care-of Address …

Evaluating certification authority security

Abstract: A growing number of applications in the Internet are making use of X.509 public key certificates. Examples include security protocols such as SSL (used in web browsers), IPsec (used in firewalls and desktop computers), S/MIME (a secure e-mail protocol), and SET (the electronic commerce credit card transaction protocol). The public key certificates employed by the applications are created by Certification Authorities (CAs), that vouch for the binding of various attributes (e.g., identity) to a public key. Thus security of these applications is dependent on the security of the CA function. This paper examines security for CAs. It begins with a characterization of security requirements for CAs and continues with an exploration of the wide range of attacks that can be mounted against CAs. Included are attacks against network communications, against the operating systems used by CAs, "close-in" technical attacks against CA components (including cryptographic modules), and even misbehavior by human operators. The paper concludes with an examination of three approaches to implementing CA cryptographic support functions, analyzing each relative to the attack scenarios developed earlier in the paper.

Internet security protocols

Abstract: This article describes various efforts to address security in three areas of the Internet protocol suite: the Internet Protocol itself (IPsec), the domain between transport and application layer (the Secure Sockets Layer and the Transport Layer Security protocols) and security extensions for the HyperText Transfer Protocol (S-HTTP). For each area the current technology, relevant standardization activities and likely future developments are discussed. In addition, a brief introduction to the Internet standardization process is given.

Design and implementation of Network CryptoGate-IP-layer security and mobility support

Abstract: As the commercial use of the Internet becomes common and the demand for mobile computing through the Internet is emerging, it is necessary to construct a secure mobile environment. The paper presents an implementation example of such a system: "Network CryptoGate (NGG)", which employs the IETF/Mobile IP and the IETF/IP security on stationary security gateways (NCG servers) and mobile hosts (NCG clients). Using IP security primitives, both packets going into a corporate network and packets going out of the visiting network are securely guarded. This IP security based packet control allows transparent mobile access from anywhere on an IP network with sufficient security support by encrypting and authenticating IP packets. Currently the NCG system is implemented on BSD/OS, Solaris and Windows NT/95. Preliminary performance measurements show that the proposed NCGs IPsec and Mobile IP processings are sufficient in the current Internet environment.

An efficient authentication protocol for high performance networks

Abstract: With the use of high performance networks (HPNs) for forthcoming commercial applications as well as communication including personal sensitive data, not only high performance in terms of bandwidth or delay from underlying communication networks become fundamental requirements, but also with ever increasing importance adequate security services. This paper discusses the tasks of authentication and key management in HPNs with respect to the main requirements performance, manageability and security. It analyses existing solutions to the problem of authentication in networks with special regards to high performance networks and proposes the use of a hybrid key hierarchy for efficient authentication and key management. The approach is validated with a prototype, that utilises the hybrid key hierarchy in a key management daemon for the IP security architecture.

Management of IP numbers by peg-dhcp

Abstract: This RFC describes a protocol to dynamically hand out ip-numbers on field networks and small events that don't necessarily have a clear organisational body. This memo provides information for the Internet community. It does not specify an Internet standard of any kind.

Internet Security Association and Key Management Protocol (ISAKMP) Status of this Memo This document specifies an Internet standards track protocol for the

Abstract: This memo describes a protocol utilizing security concepts necessary for establishing Security Associations (SA) and cryptographic keys in an Internet environment. A Security Association protocol that negotiates, establishes, modifies and deletes Security Associations and their attributes is required for an evolving Internet, where there will be numerous security mechanisms and several options for each security mechanism. The key management protocol must be robust in order to handle public key generation for the Internet community at large and private key requirements for those private networks with that requirement. The Internet Security Association and Key Management Protocol (ISAKMP) defines the procedures for authenticating a communicating peer, creation and management of Security Associations, key generation techniques, and threat mitigation (e.g. denial of service and replay attacks). All of these are necessary to establish and maintain secure communications (via IP Security Service or any other security protocol) in an Internet environment.

A Note on an Authentication Technique Based on Distributed Security Management for the Global Mobility Network

Abstract: In this paper, we analyse the authentication protocol that has been proposed for the so called global mobility network in the October 1997 issue of the IEEE Journal on Selected Areas in Communications. Using a simple logic of authentication, we show that the protocol has flaws, and we present three different attacks that exploit these. We correct the protocol using a simple design tool that we have developed.

Design and Implementation of Mobile IP System with Security Consideration

Abstract: As the commercial use of the Internet is becoming common and the demand for mobile computing over the Internet is emerging, it is necessary to construct a secure mobile environment. This paper presents an implementation example of such a system which employs a secure mobile IP protocol on stationary security gateways and mobile hosts. The IETF standard Mobile IP protocol is modified with IP security primitives, which control the packet flow from a mobile host through multiple security gateways. Using IP security primitives, the packet going into a corporate network and the packet going out of the visiting network are both securely processed. This IP security based packet control allows transparent mobile access from anywhere on an IP network even with sufficient security support by encrypting and authenticating IP packets. The current implementation status and the performance evaluation are also reported.