ECRIT WG IETF-75 Trustworthy Location Bernard Aboba


ECRIT WG IETF-75
Trustworthy Location
draft-tschofenig-ecrit-trustworthy-location
Bernard Aboba
Wednesday July 29, 2009
Please join the Jabber room: ecrit@jabber.ietf.org

Some Recent Headlines
- http://www.networkworld.com/community/node/24714
- http://www.usdoj.gov/usao/txn/PressRel09/weigman_swat_ple_pr.html
- http://www.pcworld.com/article/138591/couple_swarmed_by_swat_team_after_911_hack.html
- http://www.wired.com/threatlevel/2008/04/judge-throws-th/#previouspost
- http://www.youtube.com/watch?v=LYAoPyyWYjQ&feature=related
The problem of “prank” emergency calls is substantial and quite serious.

Identity and Location
- Many (most?) “swatting” cases involve both identity spoofing and location spoofing.
- On the wired PSTN, caller-ID spoofing effectively enables location spoofing.
- However, trustworthiness of identity and location are independent issues. Examples:
  - Emergency calls made over a wireless network providing trusted location but unauthenticated access
  - Experience with unloaded and/or inactive SIM cards in Germany: http://www.ietf.org/mail-archive/web/ecrit/current/msg06378.html
  - Situations where location is not available to the PSAP (e.g. Austria)

Additional Issues with VOIP
- Potential for authentication at multiple layers (link layer, voice)
- Popularity of anonymous/unauthenticated access (e.g. hot spots)
- Lack of relationship between link/network layer identity (e.g. IP addr, MAC addr, NAI) and SIP AoR
- Additional attack vectors

Threat Models
- External attacker: The attacker is located between the end host and the location server or between the end host and the PSAP.
- Malicious infrastructure: The attacker gains control of the emergency call routing elements (the LIS, the LoST infrastructure or call routing elements).
- Malicious end host: The end host acts maliciously, whether under the control of the owner or not (e.g. acting as a bot).

Location Spoofing Attacks
- Place shifting: the attacker claims to be at a location (either inside or outside the uncertainty band) that is significantly different from their own.
- Time shifting: the attacker claims to currently be at a previously visited location.
- Location theft: the attacker claims someone else’s location as their own. This can include collusion (e.g. location swapping).

NENA i2 Requirements for “Trustworthy Location”
- Attribution to a Specific Trusted Source
  - Section 3.7: The i2 solution proposes a Location Information Server (LIS) be the source for distributing location information within an access network. Furthermore the validity, integrity and authenticity of this information are directly attributed to the LIS operator.
- Implications
  - Where location depends on information contributed by parties trusted by neither the access, voice or LIS operator, this condition cannot be met.
  - Trustworthiness is a property of a system, not a protocol.

Example
- LLDP-MED endpoint move detection notifications providing data to a LIS implementing HELD.
- Location data based on client LLDP announcements, not source IP or MAC addresses.
- Enables an end-run around return reachability.
- PIDF-LO (even when signed!) cannot provide “trustworthy location” since location is attributable to the client, not the LIS!

Potential Solutions
- Location signing (Section 5.1)
- Location by reference (Section 5.2)
- Proxy adding location (Section 5.3)

Location Signing
From NENA-i2 Section 3.7:
- The location object should be digitally signed.
- The certificate for the signer (LIS operator) should be rooted in VESA. For this purpose, VPC and ERDB operators should issue certs to LIS operators.
- The signature should include a timestamp.
- Where possible, the Location Object should be refreshed periodically, with the signature (and thus the timestamp) being refreshed as a consequence.
- Antispoofing mechanisms should be applied to the Location Reporting method.

LbyR Dereference Models
- Authorization by possession
  - Anyone in possession of the LbyR can obtain location
  - Incompatible with location hiding
- Authorization via Access Control Lists (ACLs)
  - Only those enabled for access can obtain location

Operational Concerns
- Credential & ACL management
  - Are VPC and ERDB operators prepared to operate as Certificate Authorities?
  - What are the pre-requisites for certificate issuance?
  - How do PSAPs manage ACLs and LbyR credentials?
- Digital timestamping
  - Are LIS operators required to support time synchronization?
  - Is it possible for personnel to reset the clock?
- Anti-spoofing
  - What mechanisms need to be put in place to enable “attribution to the LIS”?
  - What prevents “cutting and pasting” of signed PIDF-LOs or LbyRs?
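
Added example (not part of the original slides): a recipient-side check for the signed, timestamped location object described under Location Signing, showing why a valid signature alone does not stop time shifting or "cutting and pasting". HMAC-SHA256 stands in for the LIS operator's certificate-based signature, and the field names, the 300-second freshness window and the binding of the object to a target identity are assumptions, not taken from NENA i2.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 is a stand-in for the LIS operator's
# certificate-based signature so the example runs on the standard library.
LIS_KEY = b"constructed-demo-key"
MAX_AGE_SECONDS = 300  # assumed freshness window; the slides give no value


def _canonical(fields):
    # Deterministic byte encoding of the signed fields.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_location(location, target, issued_at, key=LIS_KEY):
    """LIS side: sign the location, the target it was issued for, and a timestamp."""
    fields = {"location": location, "target": target, "issued_at": issued_at}
    sig = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "sig": sig}


def verify_location(obj, caller, now, key=LIS_KEY):
    """Recipient side: return (accepted, reason)."""
    fields = {k: obj.get(k) for k in ("location", "target", "issued_at")}
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(obj.get("sig", ""))):
        return False, "bad signature"
    issued = fields["issued_at"]
    if not isinstance(issued, int) or issued > now or now - issued > MAX_AGE_SECONDS:
        return False, "stale or future timestamp"  # time shifting
    if fields["target"] != caller:
        return False, "issued to a different target"  # location theft
    return True, "ok"


def demo():
    t0 = 1_248_825_600  # constructed Unix time
    alice = "sip:alice@example.com"  # constructed identities
    obj = sign_location("Wall St", alice, t0)
    tampered = {**obj, "location": "Main St"}
    return {
        "fresh": verify_location(obj, alice, t0 + 60),
        "replayed_later": verify_location(obj, alice, t0 + 3600),
        "pasted_by_other": verify_location(obj, "sip:mallory@example.com", t0 + 60),
        "tampered": verify_location(tampered, alice, t0 + 60),
    }
```

The freshness check depends on the LIS and the recipient having synchronized clocks, which is the time synchronization concern raised above.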

Some Closing Questions
- Is the NENA i2 notion of “attribution to the LIS” achievable in practice?
- If not, what is an alternative definition of “trustworthy location”?
  - “Auditability after the fact”?
  - Determination of “Prank call” probability with an acceptable rate of false positives?

Feedback?