In-Band Authentication Extension for Protocol Independent Multicast (PIM) draft-bhatia-zhang-pim-auth-extension-00 Manav Bhatia manav.bhatia@alcatel-lucent.com
Presentation transcript:

In-Band Authentication Extension for Protocol Independent Multicast (PIM)
draft-bhatia-zhang-pim-auth-extension-00
Manav Bhatia manav.bhatia@alcatel-lucent.com
Dacheng Zhang zhangdacheng@huawei.com

Speaker notes: Hello everybody. I am Dacheng, from Huawei Technologies. Today I would like to introduce to you the work that we have done on an in-band authentication extension for PIM.

Problem Statement
- Existing PIM security mechanisms mandate the use of IPsec to provide message authenticity and integrity.
- No suitable key management mechanism is provided to support multicast.
- Extremely difficult to use and configure; as a result, nobody uses it today.
- When manual keying is used, the replay protection of IPsec does not work.
- Replay attacks can seriously disturb the normal operation of PIM. For instance, when a PIM router receives a Hello message with a changed GenID and a re-initialized sequence number, it is difficult for the receiver to distinguish this message from a replay attack.

Speaker notes: Before introducing our solution, I intend to clarify the problem that we intend to address. PIM requires the use of IPsec to provide message origin authentication and message integrity protection for PIM packets. However, this solution may cause several security issues with replay attacks. PIM may send signaling packets using multicast. However, currently there is no suitable key management mechanism provided for supporting multicast. For instance, IKEv2 only supports unicast, and GDOI is overly complex. According to RFC 4601, when using manually keyed SAs, IPsec must switch off its anti-replay detection mechanism. Therefore, there is no solution that actually helps PIM resist replay attacks, and it is possible for an attacker to impact the state of a PIM router by resending a carefully selected old message and achieve a successful DoS attack.

Related Work
- The issues raised by using IPsec to protect OSPFv3 have been discussed in both the KARP and OSPF WGs.
  - The analysis is proposed in draft-ietf-karp-ospf-analysis.
  - An in-band security approach is proposed in draft-ietf-ospf-auth-trailer-ospfv3.
- Applying similar principles in PIM:
  - The analysis is done in draft-bhatia-karp-pim-gap-analysis.

Speaker notes: Like PIM, OSPFv3 uses IPsec to protect its signaling packets and also sends packets by multicast. The related issues caused by using IPsec have been discussed and the associated solution has been proposed. We try to take advantage of that experience in OSPF to improve the security of PIM.

Solution
- Define an in-band security solution that replaces IPsec to provide message authenticity, integrity, and freshness.
- A new type of PIM message is defined that encapsulates and secures other types of PIM messages.
- Manual keying is assumed. The solution does not preclude the possibility of supporting automated keying in future.

Speaker notes: Our solution is to define an in-band security solution that replaces IPsec. This solution should provide checking of the authenticity, integrity and freshness of PIM packets even when no automatic key management mechanism is provided. We propose a new type of PIM message. This type of message is able to encapsulate and secure another type of PIM packet which we expect to protect.

Packet Format

Speaker notes: So, this is our solution. This part is the PIM packet that we expect to protect. The Type and Reserved fields in the original packet header are kept, but the PIM version and checksum are removed since they are redundant. The packet header of the new type of packet includes a Key ID to support key update. A sequence number is provided to offer anti-replay services. You may have noted that the length of the sequence number is 64 bits; I will explain why we designed it this way in the next slides. The method of generating the authentication data has been defined in the document, but we won't go into the detail in this presentation.

Resistance to Replay Attacks
- Protection against intra-connection replay attacks:
  - A monotonically increasing sequence number is provided.
  - The space of the sequence number should be big enough.
- Protection against inter-connection replay attacks:
  - The base solution is subject to inter-connection replay attacks.
  - By using the approach proposed in draft-ietf-ospf-security-extension-manual-keying, this problem can be addressed.
  - The first 32 bits of the sequence number are used to count the reboots; this count is maintained in non-volatile memory.

Speaker notes: In an intra-connection replay attack, attackers replay old messages within the same connection. In an inter-connection replay attack, an attacker tries to replay messages from different connections. The count is stored in non-volatile memory and will be increased by one on every cold reboot. Actually, we copied the idea from the analogous solution in OSPF. If you have any comments, you are more than welcome to let us know.
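The encapsulation from the Packet Format slide and the two-part sequence number from the replay slide, as an added example that is not part of the draft or this presentation. The header layout (Type, Reserved, Key ID, 64-bit sequence number) and the use of HMAC-SHA256 as the authentication data are assumptions standing in for the draft's own wire format and authentication method, which the talk does not detail.

```python
import hashlib
import hmac
import struct

# Constructed layout (assumption, not the draft's exact format):
# Type(1) Reserved(1) KeyID(2) Seq(8) | inner PIM message | auth data.
HDR = "!BBHQ"
HDR_LEN = struct.calcsize(HDR)   # 12 bytes
MAC_LEN = 32                     # HMAC-SHA256, assumed auth data method


def make_seq(boot_count: int, counter: int) -> int:
    """64-bit sequence number: high 32 bits = cold-reboot count kept in
    non-volatile memory, low 32 bits = per-boot monotonic counter."""
    return ((boot_count & 0xFFFFFFFF) << 32) | (counter & 0xFFFFFFFF)


class Sender:
    def __init__(self, key_id: int, key: bytes, boot_count: int):
        self.key_id, self.key = key_id, key
        self.boot_count, self.counter = boot_count, 0

    def send(self, pim_type: int, inner: bytes) -> bytes:
        self.counter += 1            # never reused within one boot
        seq = make_seq(self.boot_count, self.counter)
        body = struct.pack(HDR, pim_type, 0, self.key_id, seq) + inner
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

    def cold_reboot(self) -> None:
        self.boot_count += 1         # persisted; makes every new seq larger
        self.counter = 0             # volatile; starts over


class Receiver:
    def __init__(self, keys: dict):
        self.keys = keys             # key_id -> key, allows key rollover
        self.last_seq = {}           # neighbor -> highest verified seq

    def accept(self, neighbor: str, msg: bytes) -> str:
        if len(msg) < HDR_LEN + MAC_LEN:
            return "too short"
        _, _, key_id, seq = struct.unpack(HDR, msg[:HDR_LEN])
        key = self.keys.get(key_id)
        if key is None:
            return "unknown key id"
        body, mac = msg[:-MAC_LEN], msg[-MAC_LEN:]
        # Verify before touching state so forged packets cannot move the window.
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return "bad auth data"
        if seq <= self.last_seq.get(neighbor, -1):
            return "replay"
        self.last_seq[neighbor] = seq
        return "ok"
```

Because the reboot count occupies the high bits, a message sent after a cold reboot with the counter back at 1 still compares greater than anything sent before the reboot, so pre-reboot captures are rejected as replays without any per-neighbor reset.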

Questions?

Speaker notes: At this stage, it is more important to clarify whether replay attacks should be considered in PIM. So, I want to know whether you think the problems I introduced here are important and worthwhile for us to spend more time on.