- address pool
A set of addresses that are designated by the home network
administrator for use by mobile nodes that need a home address.
- AES
Advanced Encryption Standard. A symmetric 128-bit block data
encryption technique. The U.S. government adopted the Rijndael variant of
the algorithm as its encryption standard in October 2000. AES replaces DES
encryption as the government standard.
- agent advertisement
A message that is periodically sent by home agents and foreign
agents to advertise their presence on any attached link.
- agent discovery
The process by which a mobile node determines if it has moved,
its current location, and its care-of address on a foreign network.
- anycast address
An IP address that is assigned to more than one interface
(typically belonging to different nodes). A packet that is sent to an anycast
address is routed to the nearest interface having that
address, where "nearest" is determined by the routing protocol's measure
of distance.
- asymmetric key cryptography
An encryption system in which the sender and receiver of a
message use different keys to encrypt and decrypt the message. Asymmetric
keys are used to establish a secure channel for symmetric key encryption.
Diffie-Hellman is an example of an asymmetric key protocol. Contrast
with symmetric key cryptography.
- authentication header
An extension header that provides authentication and integrity
(without confidentiality) to IP datagrams.
- autoconfiguration
The process of a host automatically configuring its interfaces
in IPv6.
- bidirectional tunnel
A tunnel that can transmit datagrams in both directions.
- binding table
A home agent table that associates a home address with a care-of
address, including remaining lifetime and time granted.
- Blowfish
A symmetric block cipher algorithm that takes a variable-length
key from 32 bits to 448 bits. Its author, Bruce Schneier, claims that Blowfish
is optimized for applications where the key does not change often.
- care-of address
A mobile node's temporary address that is used as a tunnel
exit point when the mobile node is connected to a foreign network.
- Certificate Authority (CA)
A trusted third-party organization or company that issues
digital certificates used to create digital signatures and public-private
key pairs. The CA guarantees that the individual granted the unique certificate
is who she or he claims to be.
- DES
Data Encryption Standard. A symmetric-key encryption method
developed in 1975 and standardized by ANSI in 1981 as ANSI X.3.92. DES uses
a 56-bit key.
- digital signature
A digital code that is attached to an electronically transmitted
message that uniquely identifies the sender.
- DSA
Digital Signature Algorithm. A public key algorithm with a
variable key size from 512 to 1024 bits. It relies on SHA-1 for input.
- Diffie-Hellman protocol
Also known as public key cryptography. An asymmetric cryptographic
key agreement protocol that was developed by Diffie and Hellman in 1976. The
protocol enables two users to exchange a secret key over an insecure medium
without any prior secrets. Diffie-Hellman is used by the IKE protocol.
- dual stack
In the context of IPv6 transition, a protocol stack that contains
both IPv4 and IPv6, with the rest of the stack being identical.
- encapsulating security header
An extension header that provides integrity and confidentiality
to datagrams.
- encapsulation
The process of placing a header and payload in a first
packet, which is then placed in the payload of a second packet.
- failback
The process of switching network access back to an interface
whose repair has been detected.
- failover
The process of switching network access from a failed interface
to a good physical interface. Network access includes IPv4 unicast, multicast,
and broadcast traffic, as well as IPv6 unicast and multicast traffic.
- failure detection
The process of detecting when a NIC or the path from the NIC
to some layer 3 device starts operating correctly after a failure.
- firewall
Any device or software that protects an organization's private
network or intranet from intrusion by external networks such as the Internet.
- foreign agent
A router or server on the foreign network that the mobile
node visits.
- foreign network
Any network other than the mobile node's home network.
- forward tunnel
A tunnel that starts at the home agent and terminates at the
mobile node's care-of address.
- Generic Routing Encapsulation (GRE)
An optional form of tunneling that can be supported by home
agents, foreign agents, and mobile nodes. GRE enables a packet of any network-layer
protocol to be encapsulated within a delivery packet of any other (or the
same) network-layer protocol.
- hash value
A number that is generated from a string of text. Hash functions
are used to ensure that transmitted messages have not been tampered with.
MD5 and SHA-1 are examples of one-way hash functions.
- HMAC
Keyed hashing method for message authentication. HMAC is used
with an iterative cryptographic hash function, such as MD5 or SHA-1, in combination
with a secret shared key. The cryptographic strength of HMAC depends on the
properties of the underlying hash function.
- home address
An IP address that is assigned for an extended period to a
mobile node. The address remains unchanged when the node is attached elsewhere
on the Internet or an organization's network.
- home agent
A router or server on the home network of a mobile node.
- home network
A network that has a network prefix that matches the network
prefix of a mobile node's home address.
- hop
A measure that is used to identify the number of routers that
separate two hosts. If three routers separate a source and destination, the
hosts are four hops away from each other.
- IKE
Internet Key Exchange. IKE automates the provision of authenticated
keying material for IPsec security associations.
- IP-in-IP encapsulation
The Internet-standard protocol for tunneling IPv4 packets
within IPv4 packets.
- IP link
A communication facility or medium over which nodes can communicate
at the link layer. The link layer is the layer immediately below IPv4/IPv6.
Examples include Ethernets (simple or bridged) or ATM networks. One or more
IPv4 subnet numbers or prefixes are assigned to an IP link. A subnet number
or prefix cannot be assigned to more than one IP link. In ATM LANE, an IP
link is a single emulated LAN. When you use ARP, the scope of the ARP protocol
is a single IP link.
- IPsec
The security architecture (IPsec) that provides protection
for IP datagrams.
- IPv4
Internet Protocol, version 4. Sometimes referred to as IP.
This version supports a 32-bit address space.
- IPv6
Internet Protocol, version 6. This version supports a 128-bit
address space.
- key management
The way in which you manage security associations.
- link-local-use address
A designation that is used for addressing on a single link
for purposes such as automatic address configuration.
- local-use address
A unicast address that has only local routability scope (within
the subnet or within a subscriber network). This address also can have a local
or global uniqueness scope.
- MD5
An iterative cryptographic hash function that is used for
message authentication, including digital signatures. The function was developed
in 1991 by Rivest.
- minimal encapsulation
An optional form of IPv4 in IPv4 tunneling that can be supported
by home agents, foreign agents, and mobile nodes. Minimal encapsulation has
8 or 12 bytes less overhead than IP-in-IP encapsulation.
- mobile node
A host or router that can change its point of attachment from
one network to another network while maintaining all existing communications
by using its IP home address.
- mobility agent
Either a home agent or a foreign agent.
- mobility binding
The association of a home address with a care-of address,
along with the remaining lifetime of that association.
- mobility security association
A collection of security measures, such as an authentication
algorithm, between a pair of nodes, which are applied to Mobile IP protocol
messages that are exchanged between the two nodes.
- MTU
Maximum Transmission Unit. The largest packet size, given in octets, that
can be transmitted over a link. For example, the MTU of an Ethernet is 1500
octets.
- multicast address
An IP address that identifies a group of interfaces in a particular
way. A packet that is sent to a multicast address is delivered to all of the
interfaces in the group.
- neighbor advertisement
A response to a neighbor solicitation message or the process
of a node sending unsolicited neighbor advertisements to announce a link-layer
address change.
- neighbor discovery
An IP mechanism that enables hosts to locate other hosts that
reside on an attached link.
- neighbor solicitation
A solicitation that is sent by a node to determine the link-layer
address of a neighbor. A neighbor solicitation also verifies that a neighbor
is still reachable by a cached link-layer address.
- Network Access Identifier (NAI)
A designation that uniquely identifies the mobile node in
the format of user@domain.
- network interface card (NIC)
A network adapter, either built in or a separate card,
that serves as an interface to a link.
- node
A host or a router.
- packet
A group of information that is transmitted as a unit over
communications lines. Contains a header plus payload.
- physical interface
A node's attachment to a link. This attachment is often implemented
as a device driver plus a network adapter. Some network adapters can have
multiple points of attachment, for example, qfe. The usage of network
adapter in this document refers to a "single point of attachment."
- physical interface group
The set of physical interfaces on a system that are connected
to the same link. These interfaces are identified by assigning the same (non-null)
character string name to all the physical interfaces in the group.
- physical interface group name
A name that is assigned to a physical interface that identifies
the group. The name is local to a system. Multiple physical interfaces, sharing
the same group name, form a physical interface group.
- PKI
Public Key Infrastructure. A system of digital certificates,
Certificate Authorities, and other registration authorities that verify and
authenticate the validity of each party involved in an Internet transaction.
- private address
An IP address that is not routable through the Internet.
- public key cryptography
A cryptographic system that uses two keys: a public key known
to everyone and a private key known only to the recipient of the message.
IKE provides public keys for IPsec.
- redirect
In a router, to inform a host of a better first-hop node to
reach a particular destination.
- registration
The process by which a mobile node registers its care-of address
with its home agent and foreign agent when it is away from home.
- repair detection
The process of detecting when a NIC or the path from the NIC
to some layer-3 device starts operating correctly after a failure.
- reverse tunnel
A tunnel that starts at the mobile node's care-of address
and terminates at the home agent.
- router advertisement
The process of routers advertising their presence together
with various link and Internet parameters, either periodically or in response
to a router solicitation message.
- router discovery
The process of hosts locating routers that reside on an attached
link.
- router solicitation
The process of hosts requesting routers to generate router
advertisements immediately, rather than at their next scheduled time.
- RSA
A method for obtaining digital signatures and public-key cryptosystems.
The method was first described in 1978 by its developers, Rivest, Shamir,
and Adleman.
- SADB
Security Associations Database. A table that specifies
cryptographic keys and algorithms that are used in the transmission of data.
- security associations
Associations that specify security properties from one host
to another.
- Security Parameter Index (SPI)
An integer that specifies the row in the security associations
database (SADB) that a receiver should use to decrypt a received packet.
- SHA-1 algorithm
Secure Hashing Algorithm. The algorithm operates on any input of
length less than 2^64 bits to produce a message digest.
Its output is used as input to DSA.
- site-local-use address
A designation that is used for addressing on a single site.
- SPI
Security Parameters Index. An integer that specifies the row
in the SADB that a receiver should use to decrypt a received packet.
- standby
A physical interface that is not used to carry data traffic
unless some other physical interface has failed.
- stateful autoconfiguration
The process of a host obtaining interface addresses, configuration
information, and parameters from a server.
- stateless autoconfiguration
The process of a host generating its own addresses by using
a combination of locally available information and information that is advertised
by routers.
- symmetric key cryptography
An encryption system in which the sender and receiver of a
message share a single, common key that is used to encrypt and decrypt the
message. Symmetric keys are used to encrypt the bulk of data transmission
in IPsec. DES is one example of a symmetric key system.
- Triple-DES
Triple-Data Encryption Standard. A symmetric-key encryption
method that provides a key length of 168 bits.
- tunnel
The path that is followed by a datagram while it is encapsulated.
- tunneling
The mechanism by which IPv6 packets are placed inside IPv4
packets and routed through the IPv4 routers. The term is specific to IPv6
only.
- unicast address
An IP address that identifies a single interface.
- Virtual Private Network (VPN)
A single, secure, logical network that uses tunnels across
a public network such as the Internet.
- visited network
A network other than a mobile node's home network, to which
the mobile node is currently connected.
- visitor list
The list of mobile nodes that are visiting a foreign agent.