{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,10]],"date-time":"2026-06-10T16:42:43Z","timestamp":1781109763968,"version":"3.54.1"},"reference-count":29,"publisher":"IGI Global Scientific Publishing","issue":"1","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2010,1,1]]},"abstract":"<p>Firewalls are an essential component of the Internet and enterprise network security policy enforcement today. The configurations of enterprise firewalls are typically rather static. Even if client\u2019s IP addresses can be dynamically added to the packet filtering rules, the services allowed through the firewall are commonly still fixed. In this paper, we present a transparent firewall configuration solution based on mobile cryptographic identifiers of Host Identity Protocol (HIP). HIP allows a client to protect the data transfer with IPsec ESP, and supports dynamic address changes for mobile clients. The HIP-based firewall learns the identity of a client when it communicates with the server over HIP. The firewall configures the necessary rules based on HIP control messages passing through the firewall. The solution is secure and flexible, and introduces only minimal latency to the initial HIP connection establishment.<\/p>","DOI":"10.4018\/jhcr.2010090905","type":"journal-article","created":{"date-parts":[[2010,4,16]],"date-time":"2010-04-16T14:53:10Z","timestamp":1271429590000},"page":"79-94","source":"Crossref","is-referenced-by-count":1,"title":["Enterprise Network Packet Filtering for Mobile Cryptographic Identities"],"prefix":"10.4018","volume":"1","author":[{"given":"Janne","family":"Lindqvist","sequence":"first","affiliation":[{"name":"Helsinki University of Technology, Finland"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Essi","family":"Vehmersalo","sequence":"additional","affiliation":[{"name":"Helsinki University of Technology, Finland"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Miika","family":"Komu","sequence":"additional","affiliation":[{"name":"Helsinki Insitute for Information Technology, Finland"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jukka","family":"Manner","sequence":"additional","affiliation":[{"name":"Helsinki University of Technology, Finland"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"2432","reference":[{"key":"jhcr.2010090905-0","unstructured":"Aura, T., Roe, M., & Mohammed, A. (2005). Experiences with host-to-host IPsec. Security Protocols, 13th International Workshop."},{"key":"jhcr.2010090905-1","unstructured":"Benvenuto, M. C., & Keromytis, A. D. (2003). EasyVPN: IPsec Remote Access Made Easy. 17th USENIX Large Installation Systems Administration (LISA) Conference."},{"key":"jhcr.2010090905-2","unstructured":"Candolin, C., Komu, M., Kousa, M., & Lundberg, J. (2003). An implementation of HIP for Linux. In Proc. of the Linux Symposium 2003, Ottawa, Canada."},{"key":"jhcr.2010090905-3","unstructured":"Casado, M., Gar\ufb01nkel, T., Akella, A., Freedman, M. J., Boneh, D., McKeown, N., & Shenker, S. (2006). Sane: A protection architecture for enterprise networks. In Proc. of 15th USENIX Security Symposium."},{"key":"jhcr.2010090905-4","doi-asserted-by":"crossref","unstructured":"Heer, T., Hummen, R., Komu, M., G\u00f6tz, S., & Wehrle, K. (2009). End-host authentication and authorization for middleboxes based on a cryptographic namespace. In ICC2009 Communication and Information Systems Security Symposium.","DOI":"10.1109\/ICC.2009.5198984"},{"key":"jhcr.2010090905-5","doi-asserted-by":"crossref","unstructured":"Ioannidis, S., Keromytis, A. D., Bellovin, S. M., & Smith, J. M. (2000). Implementing a distributed \ufb01rewall. In Proceedings of the 7th ACM conference on Computer and communications security.","DOI":"10.1145\/352600.353052"},{"key":"jhcr.2010090905-6","doi-asserted-by":"crossref","unstructured":"Jokela, P., Moskowitz, R., & Nikander, P. (2008). Using the encapsulating security payload (ESP) transport format with the host identity protocol (HIP). RFC 5202, IETF.","DOI":"10.17487\/rfc5202"},{"key":"jhcr.2010090905-7","unstructured":"Jokela, P., Nikander, P., Melen, J., Ylitalo, J., & Wall, J. (2003). Host identity protocol: Achieving IPv4 - IPv6 handovers without tunneling. In Proc. of Evolute workshop 2003: \u201cBeyond 3G Evolution of Systems and Services"},{"key":"jhcr.2010090905-8","unstructured":"Karlsson, N. (2005). Enabling Multiple HIP Identities on Linux. Master\u2019s thesis, Helsinki University of Technology, Telecommunications Software and Multimedia Laboratory."},{"key":"jhcr.2010090905-9","unstructured":"Kitamura, H. (1999). Entering the IPv6 communication world by the SOCKS-based IPv6\/IPv4 Translator. In Proc. of INET99."},{"key":"jhcr.2010090905-10","unstructured":"Komu, M., & Henderson, T. (2008). Basic Socket Interface Extensions for Host Identity Protocol (HIP). IETF."},{"key":"jhcr.2010090905-11","doi-asserted-by":"crossref","unstructured":"Komu, M., Henderson, T., Tschofenig, H., Melen, J., & Keranen, A. (2009). Basic hip extensions for traversal of network address translators.","DOI":"10.17487\/rfc5770"},{"key":"jhcr.2010090905-12","doi-asserted-by":"crossref","unstructured":"Laganier, J., & Eggert, L. (2008). protocol (HIP) rendezvous extension. RFC 5204, IETF. Host identity","DOI":"10.17487\/rfc5204"},{"key":"jhcr.2010090905-13","doi-asserted-by":"crossref","unstructured":"Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., & Jones, L. (1996). Socks protocol version 5. RFC 1928, IETF.","DOI":"10.17487\/rfc1928"},{"key":"jhcr.2010090905-14","doi-asserted-by":"crossref","unstructured":"Lindqvist, J., & Takkinen, L. (2006). Privacy management for secure mobility. In Proceedings of the 5th ACM CCS Workshop on Privacy in Electronic Society.","DOI":"10.1145\/1179601.1179612"},{"key":"jhcr.2010090905-15","unstructured":"Lindqvist, J., Vehmersalo, E., Komu, M., & Manner, J. (2007, June 17-22). Enterprise Network Packet Filtering for Mobile Cryptographic Identities (extended abstract). In USENIX annual technical conference poster session, Santa Clara, CA."},{"key":"jhcr.2010090905-16","doi-asserted-by":"crossref","unstructured":"Moskowitz, R., & Nikander, P. (2006). Host Identity Protocol Architecture. RFC 4423, IETF.","DOI":"10.17487\/rfc4423"},{"key":"jhcr.2010090905-17","doi-asserted-by":"crossref","unstructured":"Moskowitz, R., Nikander, P., Jokela, P., & Henderson, T. (2008). Host identity protocol. RFC 5201, IETF.","DOI":"10.17487\/rfc5201"},{"key":"jhcr.2010090905-18","doi-asserted-by":"crossref","unstructured":"Nikander, P., Arkko, J., Vogt, C., & Henderson, T. (2008). End-Host mobility and Multi-Homing with the host identity protocol. RFC 5206, IETF.","DOI":"10.17487\/rfc5206"},{"key":"jhcr.2010090905-19","doi-asserted-by":"crossref","unstructured":"Nikander, P., & Laganier, J. (2008). Host identity protocol (HIP) domain name system (DNS) extension. RFC 5205, IETF.","DOI":"10.17487\/rfc5205"},{"key":"jhcr.2010090905-20","unstructured":"Nikander, P., Ylitalo, J., & Wall, J. (2003). Integrating security, mobility, and multi-homing in a HIP way. In Proc. of Network and Distributed Systems Security Symposium (NDSS\u201903), San Diego, CA, USA. Internet Society."},{"key":"jhcr.2010090905-21","doi-asserted-by":"crossref","unstructured":"Rhea, S., Godfrey, B., Karp, B., Kubiatowicz, J., Ratnasamy, S., Shenker, S., et al. (2005). OpenDHT: A public DHT service and its uses. In Proc. of ACM SIGCOMM\u201905, Philadelphia, PA, USA: ACM Press.","DOI":"10.1145\/1080091.1080102"},{"key":"jhcr.2010090905-22","unstructured":"Stiemerling, M., Tschofenig, H., Aoun, C., & Davies, E. (2008). NAT\/Firewall NSIS Signaling Layer Protocol (NSLP)."},{"key":"jhcr.2010090905-23","doi-asserted-by":"crossref","unstructured":"Tschofenig, H., Nagaraja, A., Shanmugam, M., Ylitalo, J., & Gurtov, A. (2005a). Traversing Middleboxes with Host Identity Protocol. In Proc. of ACISP\u201905.","DOI":"10.1007\/11506157_2"},{"key":"jhcr.2010090905-24","unstructured":"Tschofenig, H., Nagarajan, A., Torvinen, V., Ylitalo, J., & Grimminger, J. (2005b). NAT and \ufb01rewall traversal for HIP: draft-tschofenighiprg-hip-natfw-traversal-02."},{"key":"jhcr.2010090905-25","unstructured":"van Rooij, G. (2000). Real Stateful TCP Packet Filtering in Ip\ufb01lter. 2nd International SANE Conference, Maastricht, The Netherlands."},{"key":"jhcr.2010090905-26","unstructured":"Vehmersalo, E. (2005). Host Identity Protocol Enabled Firewall - A Prototype Implementation and Analysis. Master\u2019s thesis, Helsinki University of Technology, Telecommunications Software and Multimedia Laboratory."},{"key":"jhcr.2010090905-27","unstructured":"Wal\ufb01sh, M., Stribling, J., Krohn, M., Balakrishnan, H., Morris, R., & Shenker, S. (2004). Middleboxes no longer considered harmful. In Proc. of the 7th USENIX Symposium on Operating System Design and Implementation (OSDI 2004), San Fransisco, CA, USA: ACM Press."},{"key":"jhcr.2010090905-28","doi-asserted-by":"crossref","unstructured":"Ylitalo, J., Salmela, P., & Tschofenig, H. (2005). SPINAT: Integrating IPsec into Overlay Routing. In First International Conference on Security and Privacy for Emerging Areas in Communication Networks.","DOI":"10.1109\/SECURECOMM.2005.53"}],"container-title":["International Journal of Handheld Computing Research"],"original-title":[],"language":"ng","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=39054","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,6,1]],"date-time":"2022-06-01T10:44:04Z","timestamp":1654080244000},"score":1,"resource":{"primary":{"URL":"https:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/jhcr.2010090905"}},"subtitle":[""],"short-title":[],"issued":{"date-parts":[[2010,1,1]]},"references-count":29,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2010,1]]}},"URL":"https:\/\/doi.org\/10.4018\/jhcr.2010090905","relation":{},"ISSN":["1947-9158","1947-9166"],"issn-type":[{"value":"1947-9158","type":"print"},{"value":"1947-9166","type":"electronic"}],"subject":[],"published":{"date-parts":[[2010,1,1]]}}}