Softwire Security Update Shu Yamamoto Carl Williams Florent Parent Hidetoshi Yokota 67 IETF, San Diego.

Slides:

Advertisements

Similar presentations

Secure Mobile IP Communication

Advertisements

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

Security at the Network Layer: IPSec

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT

Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Softwires Hub & Spoke using L2TPv3

IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.

Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005.

Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.

Internet Protocol Security (IPSec)

K. Salah1 Security Protocols in the Internet IPSec.

24/10/ Point6 Pôle de compétences IPv6 en Bretagne Avec le soutien de : Softwires interim meeting L2TP tunnels Laurent Toutain

Protocol Basics. IPSec Provides two modes of protection –Tunnel Mode –Transport Mode Authentication and Integrity Confidentiality Replay Protection.

32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.

Softwire Security Requirement draft-ietf-softwire-security-requirements-03.txt Softwires WG IETF#69, Chicago 25 th July 2007 Shu Yamamoto Carl Williams.

1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

CSCE 715: Network Systems Security

/IPsecurity.ppt 1 - Chapter 6 of William Stallings. Network Security Essentials (2nd edition). Prentice Hall.

IT:Network:Apps.  RRAS does nice job of routing ◦ NAT is nice ◦ BASIC firewall ok but somewhat weak  Communication on network (WS to SRV) is in clear.

IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.

1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.

Karlstad University IP security Ge Zhang

IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.

IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.

1 Chapter 6 IP Security. 2 Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 10: Planning and Managing IP Security.

IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.

Securing Data Transmission and Authentication. Securing Traffic with IPSec IPSec allows us to protect our network from within IPSec secures the IP protocol.

Encapsulated Security Payload Header ● RFC 2406 ● Services – Confidentiality ● Plus – Connectionless integrity – Data origin authentication – Replay protection.

1 Lecture 13 IPsec Internet Protocol Security CIS CIS 5357 Network Security.

Mobile IPv6 with IKEv2 and revised IPsec architecture IETF 61

Cryptography and Network Security (CS435) Part Thirteen (IP Security)

Softwire Security Requirement Update draft-ietf-softwire-security-requirements-02.txt IETF Meeting, Prague March 19, 2007 Shu Yamamoto Carl Williams Florent.

11 Softwire Security Analysis and Guidance for Mesh Shu Yamamoto Carl Williams Florent Parent Hidetoshi Yokota draft-ietf-softwire-security-requirements-XX.txt.

IPSec  general IP Security mechanisms  provides  authentication  confidentiality  key management  Applications include Secure connectivity over.

IPSec – IP Security Protocol By Archis Raje. What is IPSec IP Security – set of extensions developed by IETF to provide privacy and authentication to.

IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.

1 IPSec: An Overview Dr. Rocky K. C. Chang 4 February, 2002.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

IPSec The Wonder Protocol Anurag Vij Microsoft IT.

Network Layer Security Network Systems Security Mort Anvari.

K. Salah1 Security Protocols in the Internet IPSec.

Computer Science and Engineering Computer System Security CSE 5339/7339 Session 27 November 23, 2004.

BGP Encapsulation SAFI and BGP Tunnel Encapsulation Attribute draft-pmohapat-idr-info-safi-02.txt Pradosh Mohapatra and Eric Rosen Cisco Systems IETF-69,

IT443 – Network Security Administration Instructor: Bo Sheng

Softwire Mesh Solution Framework

Carlos Pignataro Bruno Stevant Jean-Francois Tremblay Bill Storer

Softwires Hub & Spoke using L2TPv3

Softwire Security Update

Chapter 6 IP Security.

Presentation transcript:

Softwire Security Update Shu Yamamoto Carl Williams Florent Parent Hidetoshi Yokota 67 IETF, San Diego

2 Document Status l Published -01 version – Revised “Hubs and Spokes” security Security description in framework document is added. Modification with comments at Interim Meeting. – Security for Mesh solution is added. l Subject to Framework Document – This work will keep track with the framework document. – This document will change over time subject to change of framework document.

3 Hub & Spokes Security Model (Trusted) CPE Softwire HostUser’ Home ISP Network Access Network AF(i) SC SI PPP/L2TP/UDP/IP AAA Authentication can be turned off when already authenticated by other means. PPP Authentication (CHAP) DoS TRUSTED AF(i,j) AF(i) AF(j) Mutual Authentication SHOULD be offered. (optionally one side) PPP Encryption (ECP) Voluntary Tunnel

4 Hub & Spokes Security Model (Non-Trusted) Softwire Host User ISP Network AF(i) SC SI L2TPv2, PPP AAA IPsec authentication MUST be used. Snoop Spoof Replay Modification Deletion DoS SC MITM BLH Rogue SC Public Facilities Service Theft Non-TRUSTED PPP Authentication: no per- packet authentication, integrity nor replay protection PPP Encryption (ECP): No key management RFC3193 Mutual Authentication MUST be used.

5 Softwire Authentication Mechanism l PPP Authentication – Mutual authentication using CHAP – No per-packet authentication, no integrity, no replay protection l L2TPv2 Authentication – Optional CHAP-like authentication – Same security verunerability as PPP l IPsec Authentication – MUST be used in non-trusted, public IP network – IKE must be supported. – Selection of Key management mechanism depends on deployment scenario (shared secret, certificate and EAP exchange identity for IKEv2 ) – NAT-traversal in IKE

6 Control and Data Plane Protection l IPsec can provide the necessary security mechanisms l “Full payload security” on control and data plane when required. – For non-trusted network ControlData IntegrityMust ReplayMust ConfidentialityMustShould RFC3193: for Confidentiality, ‘Should’ for Control and ‘May’ for Data.

7 Applying IPsec in Hub&Spokes Scenario Softwire Host User ISP Network IPv6 SC SI (PPP/L2TPv2/UDP/IPv4) AAA ESP (transport mode) l L2TPv2 and IPsec filter guidelines described in RFC3193 in case where the SC chooses a new IP address/port number: load-balancing l Use RFC3193 IPsec filter details (section 4) l SC and SI must have IPsec security policy filters pre-configured.

8 IPsec Security Policy example Softwire User AF(j) SC SI (PPP/L2TPv2/UDP/AF(i)) ESP (transport mode) src dst Protocol Action SI SC ESP BYPASS SI SC IKE BYPASS SI SC UDP, src 1701, dst 1701 PROTECT(ESP,transport) SC SI UDP, src *, dst 1701 PROTECT(ESP,transport) src dst Protocol Action * SC ESP BYPASS * SC IKE BYPASS * SC UDP, src *, dst 1701 PROTECT(ESP,transport)

9 Hub & Spokes Non-Authenticated Mode Softwire Host User ISP Network (Visited) AF(i) SC SI L2TPv2, PPP Non-Authentication Service Snoop Spoof Replay Modification Deletion SC MITM BLH Rogue SC Public Facilities Service Theft Non-TRUSTED Ingress Filter Anonymous Connection

10 Hub & Spokes Security Model (Visited) Softwire Host User ISP Network (Visited) AF(i) SC SI L2TPv2, PPP AAA Authentication Snoop Spoof Replay Modification Deletion SC MITM BLH Rogue SC Public Facilities Service Theft Non-TRUSTED Host ISP Network (Home) SC AAA Roaming Agreement

11 Mesh Security Model P CE PPP AFBR-1 AFBR-2 AFBR-N AF(j) Backbone AF(i) Route Reflector BGP Update DoS Intrusion Attack on Data Plane Attack on Control Plane PE Static Route or Routing Protocol PE

12 Security Protection P CE PPP AFBR-1 AFBR-2 AFBR-N AF(j) Backbone AF(i) BGP Update PE Static Routing Packet Filtering IPsec TCP MD5 IPsec S-BGP, soBGP, psBGP Static Route or Routing Protocol Route Reflector PE

13 Softwire Mesh Security Protection l Control Plane Protection – TDP MD5 MUST be supported Peer-peer based authentication Replay protection is not enough No protection for confidentiality – IPsec ESP provide confidentiality as well as integrity and authentication. IKE must be supported for replay protection – S-BGP, soBGP, and psBGP (Byzantine attacks) l Data Plane Protection – IPsec Encapsulation To support replay protection, integrity, and confidentiality ESP, IKE – Access Control Techniques

14 TCP MD5 and IPsec for MP-BGP UPDATE l TCP MD5 (RFC2385) – Offering Authentication and integrity on a point-to-point basis – Protection from spoofing attacks and connection hijacking – But not for eavesdropping and weak against replay attacks – Lack of an automated key management l IPsec – ESP protocol offers authentication, data integrity, and anti-replay between BGP speakers (i.e. AFBRs) – IKE protocol supported for automated key management – PKI can be used when available. – draft-bellovin-useipsec-05.txt provides guidelines for mandating the use of IPsec.

15 IPsec Softwire Mesh (Data Plane) l Encapsulation – BGP Tunnel SAFI provides Softwire mesh encapsulation attributes. – IPsec encapsulation is defined in Tunnel SAFI attributes. l IPsec Parameters – ESP (with or without encryption) – Transport/Tunnel Mode – Automated Key Management (IKE phase1 and ID) – Selectors – SPD – Proposed IPsec Tunnel Information TLV is enough? (only IKE identifier)

16 Next Steps To work with security liaison for the review of the document. To continue to track the framework document update.

17 Comments from Tero Kivinen 1. Introduction –Needs more explanation 3.1 H&S deployment Scenario –Something missing in description 3.3 Softwire Security Threat Scenarios –Add more other protocol 3.4 Softwire Security Guidelines –Editorial –Need correction of IKE description 3.5 Guidelines for Usage of Security Protection Mechanism –Need for IKEv2 description

18 Comments from Tero Kivinen (cont.) IPsec Authentication –To address that Group Shared key should not be used IPv6 over IPv4 Softwire with L2TPv2 example –Comments on PDS table. Need more work. 4.1 Deployment Scenarios –Add more words 4.3 Softwire Threat Scenarios –Need some more explanation Security Protection mechanism for Control Plane –TCP MD5 should not be mandated. IPsec Should be.

19 Comments from Tero Kivinen (cont.) TCP MD5 –TCP MD5 does not protect against so security attacks described in the document. Need more proper description for TCP MD IPsec –Use of AH should be dropped. AH does not work for NAT traversal. –Should mention IKEv2 instead of IKEv Secure BGP –Typo