Ken Grewal Gabriel Montenegro Manav Bhatia

Presentation transcript:

IPsec Wrapped ESP (WESP) for Traffic Visibility
75 IETF IPSECME WG, 27-Jul-09
Ken Grewal, Gabriel Montenegro, Manav Bhatia

Current Status
- All tickets closed
- WG Last Call issued on rev 5 from 4-18 July: http://tools.ietf.org/html/draft-ietf-ipsecme-traffic-visibility-05
- Tickets closed before May interim (and reviewed during the interim):
  - #85 Clarify the units for WESP header
    - Added length of fields in bits & units
  - #88 UDP Encapsulation diagram is wrong
  - #89 Version field in the flags
    - Set version to 0, added text to enforce checking
  - #91 Next Header should not be optional in ESP-NULL

Closed after May interim (1/2)
- #84 Scope of WESP
  - Leverage WESP ‘Next Header’ value to differentiate between ESP-NULL and encryption
  - If zero, then encrypted data, else ESP-NULL
  - Note: Alternative was to add a bit in the flags (more on this later)
- #90 Shorter WESP negotiation along the lines of the USE_TRANSPORT_MODE (tunnel mode) of RFC 4306
  - Added text for WESP notification

Closed after May interim (2/2)
- #92 Specify clearly how to treat bits in flags
  - Added text including integrity protection of WESP header
- #93 Next header field to specify value of tunneled payload
  - Dan McDonald (during the interim) et al: just say “IP” as ESP does… No change to existing usage.
- #104 Handling malformed fields in WESP header
  - Added integrity check over WESP header, which enforces recipient validation of fields
- (no number) Revert WESP fields to original order:
  - Flags as the last field
  - Next Header as the first field

WG LC issues (1)
- HdrLen is an offset to the payload, but we don’t say where from
  - Submitted by Yaron (thanks!), solution below ok by him
- OLD: HdrLen, 8 bits: Offset to the beginning of the Payload Data in octets.
- NEW: HdrLen, 8 bits: Offset from the beginning of the WESP header to the beginning of the Rest of Payload Data (i.e., past the IV, if present) within the encapsulated ESP header, in octets.

WG LC issues (2)
- Conflict between Next Header values due to overloading of this field (submitted by Qiu Ying, thanks!)
  - 0 can mean both “encryption being used” as well as “IPv6 Hop-by-Hop option”
- Alternatives:
  1. Assign a protocol value to use as “encryption being used” in Next Header
     - Pros: simple change to the draft
     - Cons: field overloading, consumes another protocol number
  2. Use existing value for ESP when using encryption
     - Cons: field overloading, more overloading, can we guarantee this is not a valid usage?
  3. Use 0xFF instead
     - Cons: field overloading, this field is reserved by IANA
  4. Bring back the “Encryption bit” in the flags
     - Pros: no overloading, clean
     - Cons: more delta in the draft (but we had this text before anyways), potential mismatch with usage of encryption vs ESP NULL
     - What to set the Next Header field to? 0? 0xFF? If 0xFF, then why not alternative #3?
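The Next Header collision from WG LC issue (2) and the HdrLen offset from issue (1), worked through as an added Python example that is not taken from the slides or the draft. The 4-octet header layout and the position of the encryption flag bit are assumptions borrowed from the published RFC 5840, and all packet bytes are constructed samples.

```python
import struct

# Assumptions, not from the slides: 4-octet fixed header laid out as in the
# published RFC 5840 (Next Header, HdrLen, TrailerLen, Flags); the flag bit
# position below is likewise RFC 5840's "E" bit.
WESP_FIXED_LEN = 4
ESP_FIXED_LEN = 8          # SPI + sequence number
VERSION_MASK = 0xC0        # slides: version is 0 and must be checked
ENCRYPTED_BIT = 0x20

def parse_wesp(packet: bytes) -> dict:
    """Split the fixed WESP header into fields, rejecting malformed input."""
    if len(packet) < WESP_FIXED_LEN:
        raise ValueError("truncated WESP header")
    next_header, hdr_len, trailer_len, flags = struct.unpack_from("!BBBB", packet)
    if flags & VERSION_MASK:
        raise ValueError("unsupported WESP version")
    return {"next_header": next_header, "hdr_len": hdr_len,
            "trailer_len": trailer_len, "flags": flags}

def classify_rev05(packet: bytes) -> str:
    """Ticket #84 rule: Next Header of zero means encrypted, else ESP-NULL."""
    return "encrypted" if parse_wesp(packet)["next_header"] == 0 else "esp-null"

def classify_with_flag(packet: bytes) -> str:
    """Alternative 4: a dedicated flag bit says whether the payload is encrypted."""
    return "encrypted" if parse_wesp(packet)["flags"] & ENCRYPTED_BIT else "esp-null"

def rest_of_payload(packet: bytes) -> bytes:
    """Follow HdrLen, counted from the start of the WESP header, for ESP-NULL."""
    hdr = parse_wesp(packet)
    if not WESP_FIXED_LEN + ESP_FIXED_LEN <= hdr["hdr_len"] <= len(packet):
        raise ValueError("HdrLen points outside the ESP payload")
    return packet[hdr["hdr_len"]:]

# Constructed sample packets (SPI 0x1000, sequence 1, no IV, dummy payload bytes).
ESP = struct.pack("!II", 0x1000, 1)
ESP_NULL_TCP = bytes([6, 12, 12, 0x00]) + ESP + b"tcp-bytes"
ESP_NULL_HOPOPT = bytes([0, 12, 12, 0x00]) + ESP + b"hbh-bytes"   # Next Header 0
ENCRYPTED = bytes([0, 0, 12, ENCRYPTED_BIT]) + ESP + b"ciphertext"

if __name__ == "__main__":
    for name, pkt in [("tcp", ESP_NULL_TCP), ("hop-by-hop", ESP_NULL_HOPOPT),
                      ("encrypted", ENCRYPTED)]:
        print(name, classify_rev05(pkt), classify_with_flag(pkt))
```

Under the rev-05 rule the ESP-NULL packet carrying an IPv6 Hop-by-Hop header is reported as encrypted, so a middlebox would skip inspecting cleartext traffic; the flag-based rule classifies all three samples correctly.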

Next Steps
- Issue revision per WG LC comments
- Advance to the IESG