
Security Implementation at Internet Protocol Layer for TCP/I

IP.com Disclosure Number: IPCOM000111514D
Original Publication Date: 1994-Feb-01
Included in the Prior Art Database: 2005-Mar-26
Document File: 4 page(s) / 144K

Publishing Venue

IBM

Related People

Udupa, DK: AUTHOR

Abstract

Security implementation in Internet Protocol (IP) layer, as described here, facilitates selective use of security for TCP/IP.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 41% of the total text.

Security Implementation at Internet Protocol Layer for TCP/I

      Security implementation in Internet Protocol (IP) layer, as
described here, facilitates selective use of security for TCP/IP.

      In this implementation, a security feature is added to the IP
layer.  For the implementation to work, every host in a network must
follow a common set of security rules.  Likewise, the IP gateways
that connect different networks must also implement the security
feature.

      Each host in a network is assigned a security classification.
A host processes only those frames whose security classification
matches or is below its own.  As an example, a host with security
classification B (Figure 2) processes all frames classified B or
below B (C, D, E, and F) and discards frames classified A.  Every
host must include its security classification in each frame it
transmits.

      One host in a network is designated as the system
administrator.  This host controls the whole range of security
operations in the network.  A backup host should be available to
take over the role of system administrator if that host fails.

      To add flexibility to the scheme, the security classifications
should be configurable.  As an example, it must be possible for the
system administrator to change the ordering of the classifications
or to add new classifications to those given in Figure 2.  There
should also be a default security table.

      This security scheme labels traffic; it is in addition to, and
not a replacement for, encryption of the data to make transmission
secure.

      The option field in the IP datagram has Code, Length, and
Option Data (Fig. 1).  The Code byte consists of a 1-bit copied
flag, a 2-bit Class, and a 5-bit Option number.  For this security
implementation, a new Option number is required in the Code field.

      The two Class bits are set to zero, denoting a control option.
The Option number value of 11 is selected arbitrarily; any number
not already assigned may be taken for this implementation, so the
chosen value must be checked against the current Assigned Numbers
list (for example, class 0, number 2 is already the DoD security
option of RFC 1108).

      Option Data (Fig. 1) contains 1 byte of Type and 1 byte of
security classification data, so the Length byte, which counts the
Code and Length bytes as well, is 4.  One byte each for Type and
security classification is sufficient for most applications.

      The first hex digit of the Type field for security schemes is
arbitrarily taken as X'A'.  A Type value of X'A0' starts this
security scheme, and a Type value of X'A3' indicates the end of the
security implementation.  With these two Type values, the security
implementation can be skipped when required.

      When networks are connected together, there is no problem if
all of them have this security implementation.  However, if some
networks do not have it, problems will arise, and adjustments must
be made in the IP gateways to overcome them.

      Before starting the security scheme, send a frame which has a
Type field value of X 'A0'.  Add the address of each IP gateway which
su...