Maureen Stillman March 17, 2003

Slides:

Advertisements

Similar presentations

SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.

Advertisements

1 SASP v1 (Server/Application State Protocol) draft-bivens-sasp-00.txt Alan Bivens IBM Research New York, USA IETF 60.

Fundamentals of Computer Security Geetika Sharma Fall 2008.

Intro to SSL/TLS Network Security Gene Itkis. 6/14/2015 Gene Itkis: CS558 Network Security 2 Origins Internet Engineering Task Force (IETF) –

Intro to SSL/TLS Network Security Gene Itkis. 6/23/2015 cs Network Security (Gene Itkis) 2 Origins Internet Engineering Task Force (IETF) –

0-1 Team ?? Status Report (1 of 3) Client Contact –Point 1 –Point 2 Team Meetings –Point 1 –Point 2 Team Organization –Point 1 –Point 2 Team 1: Auraria.

1 Secure DNS Solutions Rooster. 2 Introduction What does security mean for DNS? What security problems exist for DNS, what is being done about them, and.

Technology Integration: RSerPool & Server Load-balancing Curt Kersey, Cisco Systems Aron Silverton, Motorola Labs.

Windows 2003 and 802.1x Secure Wireless Deployments.

Protocol Basics. IPSec Provides two modes of protection –Tunnel Mode –Transport Mode Authentication and Integrity Confidentiality Replay Protection.

Draft-campbell-dime-load- considerations-01 IETF 92 DIME Working Group Meeting Dallas, Texas.

1 IPFIX Protocol Specifications IPFIX IETF-59 March 3, 2004 Benoit Claise Mark Fullmer Reinaldo Penno Paul Calato Stewart Bryant Ganesh Sadasivan.

IAM REFERENCE ARCHITECTURE BRICKS EMBEDED ARCHITECTS COMMUNITY OF PRACTICE MARCH 5, 2015.

Using DHCPv6 for DNS Configuration in Hosts draft-ietf-droms-dnsconfig-dhcpv6-00.txt Ralph Droms.

3Com Confidential Proprietary 3G CDMA AAA Function Yingchun Xu 3COM.

© 1998 R. Gemmell IETF WG Presentation1 Robert Gemmell ROAMOPS Working Group.

Example of OOR Architecture Open Ontology Repository Architecture – Some Considerations March, 2008 Dr. Ravi Sharma Senior Enterprise Architect Technology.

Project Moonshot update ABFAB, IETF 80. About Moonshot Moonshot is implementing ABFAB Developer meeting, 24 March 2011 Testing event, 25 March 2011 A.

11 SECURING NETWORK COMMUNICATION Chapter 9. Chapter 9: SECURING NETWORK COMMUNICATION2 OVERVIEW  List the major threats to network communications. 

Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.

Reliable Server Pooling Implementations Presenter: Aron Silverton IETF 60 San Diego, California

Reliable Server Pooling Implementations Aron Silverton & Michael Tuexen

Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.

SIP working group IETF#70 Essential corrections Keith Drage.

S imple O bject A ccess P rotocol Karthikeyan Chandrasekaran & Nandakumar Padmanabhan.

Protocols COM211 Communications and Networks CDA College Olga Pelekanou

SIP-H.323 Interworking Group RRR-1 IETF-48 SIP-H.323 Interworking Requirements draft-agrawal-sip-h323-interworking-reqs-00.txt Hemant.

Mobile IPv6 with IKEv2 and revised IPsec architecture IETF 61

Cryptography and Network Security Chapter 16 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.

Authentication and Authorisation in eduroam Klaas Wierenga, AA Workshop TNC Lyngby, 20th May 2007.

Session Traversal Utilities for NAT (STUN) IETF-92 Dallas, March 26, 2015 draft-ietf-tram-stunbis Marc Petit-Huguenin, Gonzalo Salgueiro.

Softwire Security Requirement Update draft-ietf-softwire-security-requirements-02.txt IETF Meeting, Prague March 19, 2007 Shu Yamamoto Carl Williams Florent.

IETF #65 Network Discovery and Selection Problem draft-ietf-eap-netsel-problem-04 Farooq Bari Jouni Korhonen.

Signaling Transport WG (sigtran) Wednesday, March 29, :30 AM =================================== CHAIR: Lyndon Ong -- Intro and agenda bashing.

IETF sec - 1 Security Work in the IETF Scott Bradner Harvard University

Netprog: Chat1 Chat Issues and Ideas for Service Design Refs: RFC 1459 (IRC)

December 5, 2007IETF 70 L3VPN WG1 MVPN Profiles Why do we need “profiles”? –By design, architecture provides many choices: PE-PE C-multicast routing info.

7/11/2005ECRIT Security Considerations1 ECRIT Security Considerations draft-taylor-ecrit-security-threats-00.txt Henning Schulzrinne, Raj Shanmugam, Hannes.

TEE: TLS Authentication Using EAP draft-nir-tls-eap-02.txt Yoav Nir Yaron Sheffer (presenter) Hannes Tschofenig Peter Gutmann IETF-70, Vancouver, Dec.

Services Provided by RSerPool Authors: Peter Lei Phillip Conrad Presenter: Michael Tüxen.

IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.

Lecture 10 Page 1 CS 236 Online Encryption and Network Security Cryptography is widely used to protect networks Relies on encryption algorithms and protocols.

Copyright © 2009 Trusted Computing Group An Introduction to Federated TNC Josh Howlett, JANET(UK) 11 June, 2009.

Rserpool Security Trust Argument draft-ietf-rserpool-asap-13.txt Maureen Stillman November 6, 2006

Who am I? ● Michael Richardson ● ● ● Director, Consumer Desktop Desktop Development – working on an ubuntu-based* virtual.

Emerging Solutions in Network Time Synchronization Security

IP Flow Information eXport (IPFIX)

Convergence of Network Management Protocols

Network Security Gene Itkis

Open issues with PANA Protocol

RADEXT WG RADIUS Attributes for WLAN Draft-aboba-radext-wlan-00.txt

Encryption and Network Security

Katrin Hoeper Channel Bindings Katrin Hoeper

AAA and AAAS URI Miguel A. Garcia draft-garcia-dime-aaa-uri-00.txt

draft-ietf-netconf-reverse-ssh

Module 8: Securing Network Traffic by Using IPSec and Certificates

Cryptography and Network Security Chapter 16

The Reliable Server Pooling Framework

Igor Bryskin - Adrian Farrel -

Softwire Security Update

Glen Zorn Cisco Systems

Chat Refs: RFC 1459 (IRC).

Maryna Komarova (ENST)

draft-ipdvb-sec-01.txt ULE Security Requirements

Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls

Module 8: Securing Network Traffic by Using IPSec and Certificates

Transport Layer Security (TLS)

WLAN Architectural Considerations for IETF CAPWAP

DNS SD Privacy Christian Huitema, Daniel Kaiser

Integrated Security System

Presentation transcript:

Maureen Stillman March 17, 2003 maureen.stillman@nokia.com Rserpool Security Maureen Stillman March 17, 2003 maureen.stillman@nokia.com

Design Team objectives Revisit i-d draft-ietf-rserpool-threats-00.txt Add directives from Transport Area Directors Secure Rserpool infrastructure does not include application (PU-PE data) Support client (PU) to ENRP server authentication PU authenticates ENRP server to prevent rogue ENRP servers

PE and ENRP security Mandatory to implement TLS OR IPsec security Choice is design decision left to the designers and network architects Using IPsec Must implement draft-ietf-ipsec-sctp-04 Using TLS MUST support TLS with SCTP as described in RFC 3436 or TLS over TCP as described in RFC 2246

PU Authenticates ENRP server Consensus reached by the security design team TLS would be used by the PU to authenticate the ENRP server (mandatory to implement) Other methods of authentication are optional TLS was deemed mandatory to implement for reasons of interoperability

Open Issue Even if the PU “trusts” the ENRP server, ENRP might have gotten registrations from rougue PEs Do we need to require that the PEs be authenticated to the ENRP server as well?

Threats to consider What are the threats? Rouge ENRP servers Rouge registrations from PEs or unauthorized PEs PE thinks it has registered with a “good” ENRP server, but it is really a rouge Corrupted data Sent from the ENRP server to the PU Sent from the PE to the ENRP server PU-PE authentication addresses only #1

Issues What I really want to know is that the addresses served up to the PU are “trusted” Want to know that all the PEs have registered with a “trusted” ENRP server Therefore, the real threat is the one of bogus addresses for PEs or no addresses for the PEs Do we need data integrity as well? (yes)

Security Architecture PU PU authentication, integrity authentication, integrity Mutual authentication, integrity ENRP Server PE PE Mutual authentication, integrity

The big question Do we need to make mandatory implementation of the previous architecture? If we don’t when PU queries the ENRP server and authenticates, it doesn’t necessarily mean anything about the data it gets

Still not done – control channel Need to define the control channel Need to secure the control channel as it is part of the Rserpool infrastructure

Next steps Design team should keep meeting When the control channel definition is complete, we will need to define the security for it Are we there yet? Are there other open issues? Join the security design team to help E-mail maureen.stillman@nokia.com