Anima IETF 93 draft-pritikin-anima-bootstrapping- keyinfra-02 Design Team Update.

Slides:



Advertisements
Similar presentations
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Advertisements

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Microsoft ® System Center Configuration Manager 2007 R3 and Forefront ® Endpoint Protection Infrastructure Planning and Design Published: October 2008.
Secure Network Bootstrapping Infrastructure May 15, 2014.
Security that is... Ergonomic, Economical and Efficient! In every way! Stonesoft SSL VPN SSL VPN.
Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA.
Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
DVG-N5402SP.
1. A router is a device in computer networking that forwards data packets to their destinations, based on their addresses. The work a router does it called.
Billing Agent. Pre-Application Checklist Introduction to IMPACT and Key Terms Application Process Starting an Application The Business Process Wizard.
Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!
Virtual techdays INDIA │ august 2010 Secure Collaboration: All You Need to Know about Extending Active Directory Rights Management Services (AD RMS)
Digital Certificates Public Key Deception Digital Certificates Certificate Authorities Public Key Infrastructures (PKIs)
May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.
Form Builder Iteration 2 User Acceptance Testing (UAT) Denise Warzel Semantic Infrastructure Operations Team Presented to caDSR Curation Team March.
Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.
Lecture 5 Page 1 CS 236 Online Certificates A ubiquitous form of authentication Generally used with public key cryptography A signed electronic document.
Sharing Resources Lesson 6. Objectives Manage NTFS and share permissions Determine effective permissions Configure Windows printing.
1 DNS Discovery: Problem Statement Review host plug-n-play / auto-config / zero-config is an important goal for IPv6 — essential for, e.g., home networks,
1 Group Account Administration Introduction to Groups Planning a Group Strategy Creating Groups Understanding Default Groups Groups for Administrators.
Active Directory ® Certificate Services Infrastructure Planning and Design Published: June 2010 Updated: November 2011.
Digital Certificates Made Easy Sam Lutgring Director of Informational Technology Services Calhoun Intermediate School District.
Wireless Network Authentication Regnauld / Büttrich, Edit: Sept 2011 Wireless Network Authentication Regnauld / Büttrich, Edit: Sept 2011.
Registration Processing for the Wireless Internet Ian Gordon Director, Market Development Entrust Technologies.
70-411: Administering Windows Server 2012
draft-kwatsen-netconf-zerotouch-01
Configuring Encryption and Advanced Auditing
Troubleshooting Windows Vista Security Chapter 4.
Information Services, Topology and Discovery Working Group IS-WG Winter Joint Techs February 1 st, 2010.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 5 – Configure Site-to-Site VPNs Using Digital Certificates.
1 Introduction to Microsoft Windows 2000 Windows 2000 Overview Windows 2000 Architecture Overview Windows 2000 Directory Services Overview Logging On to.
draft-ietf-netconf-zerotouch
Module 8: Planning and Troubleshooting IPSec. Overview Understanding Default Policy Rules Planning an IPSec Deployment Troubleshooting IPSec Communications.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
1. 2 Overview In Exchange security is managed by assigning permissions in Active Directory Exchange objects are secured with DACL and ACEs Permissions.
Welcome Windows Server 2008 安全功能 -NAP. Network Access Protection in Windows Server 2008.
03/20/10Plug-and-Play Deployment of Network Devices Tina TSOU Juergen Schoenwaelder
Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.
Protocol for I2RS I2RS WG IETF #89 London, UK Dean Bogdanovic v0.1.
1 Kerberos – Private Key System Ahmad Ibrahim. History Cerberus, the hound of Hades, (Kerberos in Greek) Developed at MIT in the mid 1980s Available as.
DataFlow Diagram – Level 0
Architecture View Models A model is a complete, simplified description of a system from a particular perspective or viewpoint. There is no single view.
1 of 4 This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2006 Microsoft Corporation.
1 Public Key Infrastructure Rocky K. C. Chang 6 March 2007.
Server to Server Group Requirements Simplifying key management between multiple vendor implementations.
4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.
Netconf Schema Query Mark Scott IETF 70 Vancouver December 2007
Module 5: Network Policies and Access Protection
DHCPv4 option for PANA Authentication Agents draft-suraj-dhcpv4-paa-option-00.txt DHC/PANA WG IETF-63 France, Paris.
Secure Access and Mobility Jason Kunst, Technical Marketing Engineer March 2016 Location Based Services with Mobility Services Engine ISE Location Services.
IETF Provisioning of Symmetric Keys (keyprov) WG Update WG Chairs: Phillip Hallam-Baker Hannes Tschofenig Presentation by Mingliang Pei 05/05/2008.
Bing Liu (speaker), Sheng WG, ietf96, July 2016
Bootstrapping Key Infrastructures
ONAP SD-WAN Use Case Proposal.
PANA Issues and Resolutions
Implementing Network Access Protection
A Reference Model for Autonomic Networking draft-ietf-anima-reference-model-03.txt 97th IETF, Nov 2016 Michael Behringer (editor), Brian Carpenter, Toerless.
Certificates An increasingly popular form of authentication
Voucher and Voucher Revocation Profiles for Bootstrapping Protocols draft-kwatsen-netconf-voucher-00 NETCONF WG IETF 97 (Seoul)
draft-ietf-geopriv-lbyr-requirements-02 status update
BRSKI overview and issues
Architecture Competency Group
By co-authors Sheng Jiang & Toerless Eckert
Recap At IETF 97 we presented the Voucher document for the first time as an ANIMA draft Bootstrapping Design team has met weekly since, about 50% discussion.
Allocating IP Addressing by Using Dynamic Host Configuration Protocol
Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-19 NETCONF WG IETF 100 (Singapore)
Certificates An increasingly popular form of authentication
Update on BRSKI-AE – Support for asynchronous enrollment
Presentation transcript:

Anima IETF 93 draft-pritikin-anima-bootstrapping- keyinfra-02 Design Team Update

Added state diagrams and updated document structure 3.1. Behavior of a new entity 3.3. Behavior of the Registrar 3.4. Behavior of the MASA Service Entity Domain Vendor

Simplified Architecture diagram Dropped extraneous elements Figure 1 Entity Domain Vendor

Aligned with Functional Overview Figure 2 Entity Domain Vendor

Reduced security operational modes s6.1. New Entity security reductions touch based s6.2. Registrar security reductions accept lower authentication / logging permanently claim the device s6.3. MASA security reductions not verifying ownership accept permanent claims

added bootstrap config discussion Config Information attached by Domain here see s3.1.2 see s3.3.5 see s.5.4 Config Information attached by Domain here see s3.1.2 see s3.3.5 see s.5.4 managed Entity Domain Vendor

netconf-zerotouch bootstrap server Entity Domain Vendor Domain Config Information uploaded to Bootstrap server here Config Information uploaded to Bootstrap server here

netconf-zerotouch bootstrap server netconf-zerotouch s2.1 “Bootstrap Servers may be deployed [Vendor] on the public Internet [Domain] or on a local network” “Devices may be preconfigured with a list of well-known Bootstrap Servers. Additional Bootstrap Servers (i.e. not in the device's preconfigured list) must be discovered from a DHCP server.” netconf-zerotouch s2.1 “Bootstrap Servers may be deployed [Vendor] on the public Internet [Domain] or on a local network” “Devices may be preconfigured with a list of well-known Bootstrap Servers. Additional Bootstrap Servers (i.e. not in the device's preconfigured list) must be discovered from a DHCP server.” Entity Domain Vendor Domain Vendor Domain or

Bootstrap->redirect Don’t put (full) config in the bootstrap It is either a security issue [exposes config to vendor] Or a complexity issue [config encryption] Make it just a redirect What is in the redirect? A URL? Model after DNS/TLS: No need for security until after redirect? ‘Ownership Voucher’ is sent after redirect anima-bootstrapping treats redirect as part of discovery but doesn’t say much about discovery. This is an important enough use case to add…

Aligned with Functional Overview Figure 2 Redirect Vendor Domain or

Ownership Voucher vs AuthZ Token anima-bootstrapnetconf-zerotouchNotes noncenecessary for devices w/o clocks created-on, expires-onallows long term ownership voucher that expire serial-numberunique-idallows entity to confirm validation is for itself multi-vendor support might require vendor-id domain-id owner-id The owner-id value must match the value in the owner- certificate below domain-id is

Bootstrap Configuration vs Configuration Information anima-bootstrapnetconf-zerotouchNotes Exact format undefined (“from netconf”) Exact format undefined (“using standards-based YANG modules”) It is tempting to optimize the msg flow by combining full config here but this author believes we are best served by limiting to just: Information necessary to bootstrap key infrastructure Information necessary to contact management system

Q&A

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.