DOTS Requirements Andrew Mortensen November 2015 IETF 94 1.

Slides:



Advertisements
Similar presentations
G : DCM Signaling Mechanism Using GMPLS RSVP-TE ITU-T Workshop on IP-Optical, Chitose, Japan 7/11/2002 Dimitrios Pendarakis, Tellium, Inc. ITU-T.
Advertisements

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.
Secure Socket Layer.
CCNA – Network Fundamentals
May 12, 2015IEEE Network Management Symposium Page-1 Requirements for Configuration Management of IP-based Networks Luis A. Sanchez Chief Technology Officer,
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Security Threats and Security Requirements for the Access Node Control Protocol (ANCP) IETF 67 - ANCP WG November 5-10, 2006 draft-moustafa-ancp-security-threats-00.txt.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.
Information Networking Security and Assurance Lab National Chung Cheng University Guidelines on Electronic Mail Security
PPP (Point to Point protocol).  On WAN connection, the protocol depends on the WAN technology and communicating equipment:  Examples:  HDLC –  The.
COE 342: Data & Computer Communications (T042) Dr. Marwan Abu-Amara Chapter 2: Protocols and Architecture.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
Light Weight Access Point Protocol (LWAPP) IETF 57 Pat Calhoun, Airespace.
William Stallings Data and Computer Communications 7 th Edition Data Communications and Networks Overview Protocols and Architecture.
6.1. Transport Control Protocol (TCP) It is the most widely used transport protocol in the world. Provides reliable end to end connection between two hosts.
Network Security Lecture 9 Presented by: Dr. Munam Ali Shah.
1 The Cryptographic Token Key Initialization Protocol (CT-KIP) KEYPROV BOF IETF-67 San Diego November 2006 Andrea Doherty.
DSKPP And PSKC: IETF Standard Protocol And Payload For Symmetric Key Provisioning Philip Hoyer Senior Architect – CTO Office.
DSKPP And PSKC: IETF Standard Protocol And Payload For Symmetric Key Provisioning Philip Hoyer Senior Architect – CTO Office.
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
Dynamic Virtual Networks (DVNE) Margaret Wasserman & Paddy Nallur November 11, 2010 IETF Beijing, China.
Doc.: IEEE /495r1 Submission July 2001 Jon Edney, NokiaSlide 1 Ad-Hoc Group Requirements Report Group met twice - total 5 hours Group size ranged.
Real-time Flow Management 2 BOF: Remote Packet Capture Extensions Jürgen Quittek NEC Europe Ltd, Heidelberg, Germany Georg Carle GMD.
0 NAT/Firewall NSLP Activities IETF 60th - August 2nd 2004 Cedric Aoun, Martin Stiemerling, Hannes Tschofenig.
William Stallings Data and Computer Communications
Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.
An Introduction to Networking
Some use cases and requirements for handover Information Services Greg Daley MIPSHOP Session IETF 64.
November 2005IETF 64, Vancouver, Canada1 EAP-POTP The Protected One-Time Password EAP Method Magnus Nystrom, David Mitton RSA Security, Inc.
ICOS BOF EAP Applicability Bernard Aboba IETF 62, Minneapolis, MN.
62 nd IETF – CAPWAP Working Group1 CAPWAP Objectives Saravanan Govindan March 2005.
Page 1 IETF Speermint Working Group Speermint Requirements/Guidelines for SIP session peering draft-ietf-speermint-requirements-02 IETF 69 - Monday July.
Dec 5, 2007NEA Working Group1 NEA Requirement I-D IETF 70 – Vancouver Mahalingam Mani Avaya Inc.
1 The Cryptographic Token Key Initialization Protocol (CT-KIP) KEYPROV WG IETF-68 Prague March 2007 Andrea Doherty.
SIP-H.323 Interworking Group RRR-1 IETF-48 SIP-H.323 Interworking Requirements draft-agrawal-sip-h323-interworking-reqs-00.txt Hemant.
SACRED REQUIREMENTS DOCUMENT Stephen Farrell, Baltimore Alfred Arsenault, Diversinet.
PCE 64 th IETF PCE Policy Architecture draft-berger-pce-policy-architecture-00.txt Lou Berger Igor Bryskin Dimitri Papadimitriou.
Wireless Network Security CSIS 5857: Encoding and Encryption.
August 2, 2005 IETF 63 – Paris, France Media Independent Handover Services and Interoperability Ajay Rajkumar Chair, IEEE WG.
Channel Binding Support for EAP Methods Charles Clancy, Katrin Hoeper.
M2M Service Layer – DM Server Security Group Name: OMA-BBF-oneM2M Adhoc Source: Timothy Carey, Meeting Date:
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
Design Considerations for the Common MIH Protocol Functions draft-hepworth-mipshop-mih-design-considerations-01 Ele Hepworth (*), Robert Hancock, Srinivas.
Minneapolis, March 2005 IETF 62 nd – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena Demaria.
Netconf Schema Query Mark Scott IETF 70 Vancouver December 2007
7/11/2005ECRIT Security Considerations1 ECRIT Security Considerations draft-taylor-ecrit-security-threats-00.txt Henning Schulzrinne, Raj Shanmugam, Hannes.
User Application Control (Keypress Events) SIPPING WG - IETF 53 Robert Fairlie-Cuninghame, Bert Culpepper, Jean-François Mulé.
COPS Common Open Policy Services Protocol IETF RFC 2748, 2749, 2753, 3084 Diana Rawlins WorldCom.
Problem Statement: Media Independent Handover Signalling draft-hepworth-mipshop-mih-problem-statement-01 Ele Hepworth (*), Greg Daley, Srinivas Sreemanthula,
Omniran CF00 1 Key Concepts of Association and Disassociation Date: Authors: NameAffiliationPhone Max RiegelNokia
EAP Applicability IETF-86 Joe Salowey. Open Issues Open Issues with Retransmission and re- authentication Remove text about lack of differentiation in.
Phil Hunt, Hannes Tschofenig
ERP extension for EAP Early-authentication Protocol (EEP)
Application Layer Functionality and Protocols
Understand Networking Services
Application Layer Functionality and Protocols
Chapter 3: Open Systems Interconnection (OSI) Model
Application Layer Functionality and Protocols
Maryna Komarova (ENST)
draft-ipdvb-sec-01.txt ULE Security Requirements
Application Layer Functionality and Protocols
Application Layer Functionality and Protocols
Application Layer Functionality and Protocols
Networking for Home and Small Businesses – Chapter 6
Application Layer Functionality and Protocols
Application Layer Functionality and Protocols
Limiting GAS State-1 Query Response Length
Presentation transcript:

DOTS Requirements Andrew Mortensen November 2015 IETF 94 1

Overview DOTS requirements in context Establish common terminology (for now) General and operational requirements Data model TBD Status 2

Selected terminology DOTS agent — DOTS-aware element DOTS client —agent requesting mitigation DOTS server — agent handling client signals DOTS relay — client/server mediating agent DOTS signal — message between DOTS agents DOTS client signal — message from DOTS client DOTS server signal — message from DOTS server Signal channel — DOTS signal transport layer Data channel — Bulk data transport layer 3

4 DOTS agents — client and server

5 DOTS agents — relay

General Requirements 1.Interoperability 2.Extensibility 3.Resilience 4.Bidirectionality 5.Message size under MTU 6.Message integrity 7.Replay protection 8.Bulk data exchange 6

Interoperability and Extensibility Interoperability is fundamental to DOTS goals Extensibility acknowledges current solutions and looks ahead to changing needs 7

Protocol resilience and bidirectionality Protocol must continue operation in “hostile network conditions” Need for DOTS agents to signal, monitor peer health, provide feedback 8

General signal requirements Fit within MTU to avoid message loss incurred by possible failed fragment delivery Maintain integrity when transmitting signal across transit networks Replay protection to prevent protocol abuse 9

Bulk data exchange Supplement/bootstrap signaling relationship DOTS agent provisioning and discovery Configuration Characteristics suggest separate data channel desirable 10

Bulk data exchange Supplement/bootstrap signaling relationship DOTS agent provisioning and discovery Configuration Characteristics suggest separate data channel desirable 11

Operational requirements 1.Common transports 2.Mutual authentication 3.Session health monitoring 4.Mitigation capability opacity 5.Mitigation status feedback 6.Mitigation scope 12

Common transports Obvious requirement is obvious 13

Mutual authentication DOTS may affect network path or policy, agents must authenticate each other 14

Session health monitoring DOTS agents must be able to detect signal fidelity, peer availability Support protocol resilience and bidirectionality 15

Mitigation capability opacity Avoid assumptions about remote agents’ defensive capabilities DOTS client signal indicates mitigation need and desired outcome: advisory signaling DOTS server signal describes action taken 16

Mitigation scope DOTS client signal indicates desired address space coverage DOTS client signal may further narrow scope using e.g. transports, targeted ports DOTS client may request adjusted scope during attack 17

Bulk data channel requirements 1.Reliable transport 2.Data privacy and integrity 3.Mutual authentication 4.Black- and whitelist management 18

Data channel transport 1.Reliable transport 2.Data privacy and integrity 3.Mutual authentication 4.Black- and whitelist management 19

Data model requirements 1.TODO 20

Status Initial draft published 19 October 2015 Very little WG feedback so far Please send feedback on mailing list, or… Open github issues against requirements draft 21

Next Steps Align with and inform use cases Where does terminology belong? Incorporate feedback Inform and be informed by new protocol work 22

Questions? 23

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.