draft-bajko-nsis-fw-reqs-01 / Gábor Bajkó (Nokia) / IETF Interim, 23-24 May 2005

2 Scope of the work in 3GPP2
- Make firewalls MIPv6 compatible
- Make it possible to contact/connect to Mobile Nodes from outside the firewall-protected network, while filtering out unsolicited traffic to save bandwidth and battery

3 Changes from version 00
- Most of the SHOULDs changed to MUSTs
- Wildcard or address range is only needed for the address, port, protocol and SPI fields
- 2 new requirements added
- Reformulations, clarifications
- Lots of cleanups and editorials (non-relevant descriptive text and the annex are gone)

4 The new requirements
- "It MUST be possible to open a pinhole with a single protocol request/response pair of messages. This is required because:
  - a wireless link is a scarce and expensive resource (save bandwidth)
  - real-time applications are delay sensitive"
- "A client MUST be able to fetch the list of all its installed pinholes at a given time from a Firewall"
  - possible LI (lawful interception) requirements
  - charging aspects

5 'Problematic' requirements
Some requirements do not fit into the path-coupled scenario, where a protocol instance follows the data path of one flow and so has no single path to travel when it concerns several pinholes:
- A client MUST be able to close any or all the pinholes it created with a single protocol instance.
- A client MUST be able to refresh all associated pinhole timeouts with a single protocol instance.
- The protocol MUST allow an end point to create, modify or delete several firewall states with one protocol instance.

6 Important requirements
- Encapsulated packet filtering (n levels, n=2?)
  - Mobile IP is extensively used, and the tunnel between the HA and the MN should not be an entry point for unsolicited traffic
- The ability to open a pinhole without knowing the address of the CN is a basic requirement

7 Standard use case
Mobile Node hosts a server and installs a rule in the FW to be reachable by anyone.
Martin suggested using UCREATE for this purpose, but:
- Section 2.9 reads: "The UCREATE mode is used to block a particular data flow on an upstream firewall."
  - The use case requires installing an ALLOW rule
- The "opportunistic address" does not have any relevance, as anyone should be able to contact the mobile node. The pinhole is not meant to allow SOMEONE specific to connect to the mobile node, but rather ANYONE.
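The encapsulated-packet filtering of slide 6 and the "anyone may reach the mobile node" rule of slide 7, as an added worked example that is not part of this presentation or of any IETF draft: a small Python filter that unwraps up to n levels of IPv6-in-IPv6 (the MIPv6 HA-to-MN tunnel, next header 41), matches every level against a per-level pinhole spec whose address, port, protocol and SPI fields may be wildcards or address ranges (slide 3), and never treats the outer tunnel header alone as an allow. The addresses are documentation-prefix placeholders, the packets are constructed inline, and the rule layout, field names and n=2 depth are this example's own choices, not anything the draft specifies.

```python
"""Pinhole filtering over n levels of IPv6 encapsulation (added example, not from the draft).

The Mobile IPv6 HA<->MN tunnel is IPv6-in-IPv6 (next header 41).  A firewall that
only looks at the outer header must either block the whole tunnel or pass everything
inside it; inspecting the inner header lets a pinhole such as
"ANYONE -> HoA TCP/80, but only inside the HA tunnel" be enforced (slides 6 and 7).
"""
import ipaddress
import struct

ANY = None                                   # wildcard for address / port / proto / SPI
NH_TCP, NH_UDP, NH_IPV6, NH_ESP = 6, 17, 41, 50
FIELDS = ("src", "dst", "proto", "sport", "dport", "spi")

# Constructed documentation-prefix addresses (assumptions of this example).
HA = ipaddress.IPv6Address("2001:db8:1::1")      # home agent
HOA = ipaddress.IPv6Address("2001:db8:1::100")   # MN home address
COA = ipaddress.IPv6Address("2001:db8:2::5")     # MN care-of address, inside the firewall
CN = ipaddress.IPv6Address("2001:db8:3::9")      # a correspondent node


def parse_ipv6(buf):
    """Return (header dict, payload) for one IPv6 header; ports or SPI filled in if present."""
    if len(buf) < 40:
        raise ValueError("short packet")
    vtf, plen, nh, _hlim = struct.unpack("!IHBB", buf[:8])
    if vtf >> 28 != 6:
        raise ValueError("not IPv6")
    hdr = {"src": ipaddress.IPv6Address(buf[8:24]), "dst": ipaddress.IPv6Address(buf[24:40]),
           "proto": nh, "sport": None, "dport": None, "spi": None}
    payload = buf[40:40 + plen]
    if nh in (NH_TCP, NH_UDP) and len(payload) >= 4:
        hdr["sport"], hdr["dport"] = struct.unpack("!HH", payload[:4])
    elif nh == NH_ESP and len(payload) >= 4:
        hdr["spi"] = struct.unpack("!I", payload[:4])[0]
    return hdr, payload


def unwrap(buf, max_depth):
    """Parse nested IPv6 headers, outermost first, inspecting at most max_depth levels."""
    levels = []
    while True:
        hdr, payload = parse_ipv6(buf)
        levels.append(hdr)
        if hdr["proto"] != NH_IPV6 or len(levels) >= max_depth:
            return levels
        buf = payload


def field_match(want, got):
    if want is ANY:
        return True
    if isinstance(want, ipaddress.IPv6Network):   # address range
        return got is not None and got in want
    return want == got


def decide(rules, buf, max_depth=2):
    """ALLOW iff some rule has exactly one spec per header level and every level matches.

    A rule with fewer specs than the packet has levels never matches, so a bare
    "HA -> CoA proto 41" rule does not open the tunnel to unsolicited traffic.
    Packets nested deeper than max_depth cannot be inspected and are dropped.
    """
    try:
        levels = unwrap(buf, max_depth)
    except ValueError:
        return "DROP"
    if levels[-1]["proto"] == NH_IPV6:
        return "DROP"
    for rule in rules:
        if len(rule) == len(levels) and all(
                field_match(spec.get(f, ANY), hdr[f])
                for spec, hdr in zip(rule, levels) for f in FIELDS):
            return "ALLOW"
    return "DROP"


# Pinholes the MN installed: one spec per encapsulation level, outermost first.
RULES = [
    # Slide 7 use case: MN hosts a web server, ANYONE may reach HoA:80 via the HA tunnel.
    [{"src": HA, "dst": COA, "proto": NH_IPV6},
     {"dst": HOA, "proto": NH_TCP, "dport": 80}],
    # SSH only from one prefix (address range), also only via the tunnel.
    [{"src": HA, "dst": COA, "proto": NH_IPV6},
     {"src": ipaddress.IPv6Network("2001:db8:3::/48"), "dst": HOA, "proto": NH_TCP, "dport": 22}],
]


def ipv6(src, dst, nh, payload):
    return struct.pack("!IHBB", 6 << 28, len(payload), nh, 64) + src.packed + dst.packed + payload


def tcp(sport, dport):                        # minimal 20-byte TCP header, SYN flag set
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def tunnel(inner):                            # HA -> CoA IPv6-in-IPv6 encapsulation
    return ipv6(HA, COA, NH_IPV6, inner)


# Constructed sample packets.
PACKETS = {
    "web_via_tunnel": tunnel(ipv6(CN, HOA, NH_TCP, tcp(40000, 80))),
    "ssh_from_allowed_prefix": tunnel(ipv6(CN, HOA, NH_TCP, tcp(40001, 22))),
    "ssh_from_elsewhere": tunnel(ipv6(ipaddress.IPv6Address("2001:db8:9::1"), HOA, NH_TCP, tcp(40002, 22))),
    "web_direct_to_coa": ipv6(CN, COA, NH_TCP, tcp(40003, 80)),
    "tunnel_in_tunnel": tunnel(tunnel(ipv6(CN, HOA, NH_TCP, tcp(40004, 80)))),
}


def run():
    return {name: decide(RULES, pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:26} {verdict}")
```

Only the two tunneled flows that match an inner-level spec are allowed; the direct packet to the care-of address is dropped because no depth-1 rule exists for it (route-optimized traffic would need its own pinhole), and the doubly encapsulated packet is dropped because the filter would otherwise be trusting a header it never inspected, which is exactly the "tunnel as entry point" problem slide 6 warns about.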

8 Opportunistic address hints in section 3.7
- Public IP address of the data sender: N/A, as the sender is unknown
- Public IP address of the data receiver: N/A, as it is its own one (no NAT)
- IP address of the Application Server: N/A, as ASs are in most cases part of the same address space or protected network
- 'Random' opportunistic address: might be a DoS against itself, as randomly selected IP addresses are blacklisted to help fight scanning worms

9 Other protocol concerns
- "The CREATE/REA/UCREATE request message with a lifetime value of 0 does not generate any response, neither positive nor negative, since there is no NSIS state left at the nodes along the path"
- Carrying multiple objects in NSLP messages, e.g. CREATE[lifetime=0] for many flows at the same time. Security?