“SwIPe (protocol)”的意思、由来-开放百科全书

The swIPe IP Security Protocol (swIPe) is an experimental Internet Protocol (IP) security protocol that was specified in 1993. It operates at the Internet Layer of the Internet Protocol Suite.

Purpose

swIPe provides confidentiality, integrity, and authentication of network traffic, and can be used to provide both end-to-end and intermediate-hop security. swIPe is concerned only with security mechanisms. The protocol does not handle policy and key management, which are handled outside the protocol. It works by augmenting each packet with a cryptographically-strong authenticator and/or encrypting the data to be sent.^[1]

Protocol description

swIPe encapsulates each IP datagram to be secured inside a swIPe packet.^[1] A swIPe packet is an IP packet of protocol type 53.^[2]^[3] A swIPe packet starts with a header, which contains identifying data and authentication information; the header is followed by the original IP datagram, which in turn is followed by any padding required by the security processing. Depending on the negotiated policy, the sensitive part of the swIPe packet (the authentication information and the original IP datagram) may be encrypted.^[1]

Cisco routers and switches running IOS have been found vulnerable to denial of service (DoS) attacks which may result from processing packets with IP Protocol 53.^[4]

References

1. ^¹²{{cite news|url=http://www.crypto.com/papers/swipe.id.txt|title=The swIPe IP Security Protocol INTERNET DRAFT|date=December 1993 |author=John Ioannidis and Matt Blaze |publisher=Columbia University and AT&T Bell Labs }}
2. ^{{cite web |url=http://www.iana.org/assignments/protocol-numbers |publisher=Internet Assigned Numbers Authority (IANA)|title=Assigned Internet Protocol Numbers }}
3. ^{{cite news |title=RFC5237 |publisher=Internet Engineering Task Force (IETF) |url=http://rfc.net/rfc5237.html }}
4. ^Security advisory for Cisco products