NFD Tunnel Authentication

Slides:



Advertisements
Similar presentations
Client Server. Server Client Model Servers- Wait for requests from clients - Sends requested data to client - May have to communicate with other servers.
Advertisements

CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
Wireless Security In wireless networks. Security and Assurance - Goals Integrity Modified only in acceptable ways Modified only by authorized people Modified.
Chapter 13 Mobile IP. Outline  ADDRESSING  AGENTS  THREE PHASES  AGENT DISCOVERY  REGISTRATION  DATA TRANSFER  INEFFICIENCY IN MOBILE IP.
Routing Security in Ad Hoc Networks
Forwarding Hint in NFD Junxiao Shi,
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
NFD Permanent Face Junxiao Shi, Outline what is a permanent face necessity and benefit of having permanent faces guarantees provided by.
NFD Tunnel Authentication Junxiao Shi,
Virtual Private Network(VPN) Presented By Aparna Chilukuri.
SEMINAR ON IP SPOOFING. IP spoofing is the creation of IP packets using forged (spoofed) source IP address. In the April 1989, AT & T Bell a lab was among.
CCNA 2 Router and Routing Basics Module 8 TCP/IP Suite Error and Control Messages.
Reliable multicast Tolerates process crashes. The additional requirements are: Only correct processes will receive multicasts from all correct processes.
Security Handshake Pitfalls. Client Server Hello (K)

SIP connection tracking
1 CMPT 471 Networking II OSPF © Janice Regan,
Network security Presentation AFZAAL AHMAD ABDUL RAZAQ AHMAD SHAKIR MUHAMMD ADNAN WEB SECURITY, THREADS & SSL.
Mobile IP Lecture 5.
KAMAN Kerberos Assisted Authentication in Mobile Ad-hoc Networks
IPSecurity.
RFC 3775 IPv6 Mobility Support
Mobile Networking (I) CS 395T - Mobile Computing and Wireless Networks
Mobile IP.
“Request /Reply Communication”
Chapter 18 IP Security  IP Security (IPSec)
Secure Sockets Layer (SSL)
Chapter 9 ICMP.
Outline Basics of network security Definitions Sample attacks
CS480 Cryptography and Information Security
ICMP ICMP – Internet Control Message Protocol
Module 8: Securing Network Traffic by Using IPSec and Certificates
Chapter 6: Transport Layer (Part I)
IPSec VPN Chapter 13 of Malik.
Introduction to Networking
Mobility And IP Addressing
Byungchul Park ICMP & ICMPv DPNM Lab. Byungchul Park
SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities Yuchen Zhou, and David Evans 23rd USENIX Security Symposium, August,
Originally by Yu Yang and Lilly Wang Modified by T. A. Yang
NET323 D: Network Protocols
The New Virtual Organization Membership Service (VOMS)
Providing Secure Storage on the Internet
NET323 D: Network Protocols
Unit 3 Mobile IP Network Layer
Assignment #4 – Solutions
Chapter 5 TCP Control Flow
SSL (Secure Socket Layer)
– Chapter 3 – Device Security (B)
IP-Spoofing and Source Routing Connections
CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9
Outline Using cryptography in networks IPSec SSL and TLS.
Allocating IP Addressing by Using Dynamic Host Configuration Protocol
Module 8: Securing Network Traffic by Using IPSec and Certificates
Internet Control Message Protocol
Link Setup Flow July 2011 Date: Authors: Name Company
Introduction to Network Security
CDK: Chapter 7 TvS: Chapter 9
Public-Key, Digital Signatures, Management, Security
Chapter 5 TCP Control Flow
Mobile IP Outline Homework #4 Solutions Intro to mobile IP Operation
Mobile IP Outline Intro to mobile IP Operation Problems with mobility.
Virtual Private Network zswu
Lecture 4a Mobile IP 1.
Link Setup Flow July 2011 Date: Authors: Name Company
Outline Basics of network security Definitions Sample attacks
Digital Signatures Network Security.
NFD Tunnel Authentication
Mobile IP Outline Intro to mobile IP Operation Problems with mobility.
Presentation transcript:

NFD Tunnel Authentication Junxiao Shi, 2016-06-30

Outline Why is tunnel authentication necessary? Which faces need tunnel authentication? At high level, how does tunnel authentication work? What packets are used by tunnel authentication? How does client and server operate? Are there any deployment issues? How does NFD tunnel authentication compare to IP-based VPN solutions?

Necessity

Overlay Tunnel needs Authentication You don't want to allow anyone in the world to gain connectivity through your router. Analogy in IP world: You don't want to open up your VPN server to everyone.

Authentication is for Tunnels Only Multicast faces do not need authentication: local area network is trusted. Backbone overlay links (eg. between testbed routers) SHOULD have mutual tunnel authentication.

High-level Design

Feature Overview Tunnel opening is explicit: tunnel authentication request and reply. Other packet exchanges are rejected before this sequence is done. Authentication is mutual. Keep-alive is done by repeating the tunnel opening sequence, shortly before previous one expires. Tunnel closing can be explicit: tunnel closure request and reply. Tunnel closing can also be implicit: failure to keep- alive closes the tunnel.

Tunnel Opening (successful) C-S: tunnel authentication request Interest signed by client's key contains a TunnelLifetime chosen by client S-C: tunnel authentication reply Data signed by server's key contains a TunnelLifetime chosen by server Tunnel is open.

Tunnel Opening (server rejects) C-S: tunnel authentication request Interest signed by client's key contains a TunnelLifetime chosen by client Server does not trust the signature in the request, or does not want to establish the tunnel. S-C: tunnel authentication reply Producer-generated NACK signed by server's key contains an error code; no error message to avoid leaking sensitive information

Tunnel Opening (client rejects) C-S: tunnel authentication request Interest signed by client's key contains a TunnelLifetime chosen by client S-C: tunnel authentication reply Data signed by server's key contains a TunnelLifetime chosen by server C-S: tunnel closure request

Tunnel Lifetime Tunnel lifetime is requested by client and granted by server. Tunnel lifetime MUST NOT be less than 2000ms, to ensure correct protocol operations. Server MAY grant a TunnelLifetime that is less than client's request. Client perceives the tunnel to be open for negotiated lifetime since the moment it sends tunnel authentication request. Server perceives the tunnel to be open for negotiated lifetime since the moment it sends tunnel authentication reply.

Keep-Alive and Implicit Closing At some random point between 50% and 75% of tunnel lifetime, client repeats tunnel opening sequence. If a valid tunnel authentication request does not arrive at the end of tunnel lifetime as perceived by the server, the tunnel is implicitly closed. If a valid tunnel authentication reply does not arrive at the end of tunnel lifetime as perceived by the client, the tunnel is implicitly closed.

Explicit Closing C-S: tunnel closure request S-C: tunnel closure reply Interest signed by client's key seize to send other packets; accept incoming packets S-C: tunnel closure reply Data signed by server's key Tunnel is closed. This sequence works on the other direction as well. Each party SHOULD first send other pending packets, wait for a short duration for them to be delivered, then send the tunnel closure request/reply.

Packet Injection Mitigation Tunnel authentication protocol does not mitigate packet injection and MITM attacks. NDNLP may provide mitigation through "packet injection prevention" feature, although this requires a careful security protocol design. Existing TLS/DTLS can be used to provide mitigation.

TLS/DTLS + Tunnel Authentication Client connects to server using TLS/DTLS. Client authenticates server's X509 certificate (one-way authentication), and establishes a secure tunnel. Server disallows all NDN communication from the client except NDN tunnel authentication commands. Client and server authenticate each other through NDN tunnel authentication. Server allows full NDN communication from the client.

Protocol Details

Deployment Issues

Comparison to VPN

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.