Controlling Service Function Access to NSH

Presentation transcript:

Controlling Service Function Access to NSH
IETF 97 – Seoul, SFC WG
Vu Anh Vu – vuva@dcn.ssu.ac.kr
Younghan Kim – younghak@ssu.ac.kr

Problem Statement
Should SFs be trusted?
Operators deploy and operate SFs => OK, let's trust them, but ... how much?
- SFs can be manipulated by malware
- SFs can malfunction
- Third-party SFs: service providers outsource their services; enterprises rent external SFs from SPs
- Transport network security threats (man-in-the-middle, SF spoofing, etc.)

Problem Statement
What if an SF can manipulate:
- SPI: wrong service path, redirection
- SI: forwarding loop, or skipping SFs
- Metadata: information leaking
(Sub)NSH information must be protected.
Header encryption: costly.
The document proposes an inexpensive mechanism to protect the sensitive information in the NSH.

Terminology
- Access-Controlled Segment (ACS): an area/field within the NSH that carries a piece of sensitive SFC information that needs to be protected
- SF Access Control List (SF ACL): a list describing the access permission of an SF to each ACS in the packet
- NSH-state: the set of values/information stored in the NSH of a packet at a particular moment

Access Control Policies
An Access Control List of an SF contains the access permissions of the SF to each ACS.
Three levels of permission to access an ACS:
- Hidden: the SF cannot view the information in this ACS
- Read-only: the SF can view, but cannot modify, the information in this ACS
- Write: the SF can view and modify the information in this ACS

Mechanism
- Only give SFs the information they need to access
- SFFs cannot prevent SFs from modifying SFC information, but they can choose to discard the modification
Advantages:
- Obscures sensitive information
- Detects abnormal SF behavior
- SFs are unaware of being controlled

Flow tracking
Track the packet between the ingress and egress Sub-CFs in order to recover the appropriate NSH-state:
- Reclassification, e.g. using the 5-tuple
- Using Metadata
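As an added example (not part of the slides and not the authors' OpenDaylight/OVS demo code), the following Python models the Access Control Policies, Mechanism and Flow tracking slides together: an SFF saves the real NSH-state keyed by the packet's 5-tuple at ingress, hands the SF a copy with Hidden ACS zeroed, and at egress recovers the state by 5-tuple, accepts only changes to ACS with Write permission, and reports every other change as abnormal SF behavior. The ACS names, the Perm enum, the SF ACL, the flow key and the sample header values are all constructed for the example; the 4-byte base header is carried through opaquely, and the ACS are the SPI/SI fields and the four MD type 1 context headers.

```python
"""SFF-side enforcement of a per-SF ACL over an MD type 1 NSH (added example)."""
import struct
from enum import Enum


class Perm(Enum):
    HIDDEN = 0     # SF must not see the field: SFF zeroes it before delivery
    READ_ONLY = 1  # SF may read the field: SFF reverts any change on return
    WRITE = 2      # SF may modify the field: SFF accepts the returned value


# Access-Controlled Segments (ACS): the Service Path Header fields (SPI, SI)
# and the four fixed 32-bit context headers (MCH) of an MD type 1 NSH.
ACS_NAMES = ("spi", "si", "mch1", "mch2", "mch3", "mch4")
NSH_MD1_LEN = 24  # 4-byte base header + 4-byte service path header + 16 bytes MD


def nsh_to_acs(nsh: bytes):
    """Split a 24-byte MD type 1 NSH into (opaque base header, ACS dict)."""
    if len(nsh) != NSH_MD1_LEN:
        raise ValueError("expected a 24-byte MD type 1 NSH")
    (sph,) = struct.unpack("!I", nsh[4:8])  # SPI (24 bits) | SI (8 bits)
    mch = struct.unpack("!4I", nsh[8:24])
    acs = {"spi": sph >> 8, "si": sph & 0xFF}
    acs.update(zip(("mch1", "mch2", "mch3", "mch4"), mch))
    return nsh[:4], acs


def acs_to_nsh(base: bytes, acs: dict) -> bytes:
    """Rebuild the 24-byte NSH from the base header and an ACS dict."""
    sph = ((acs["spi"] & 0xFFFFFF) << 8) | (acs["si"] & 0xFF)
    return base + struct.pack("!I", sph) + struct.pack(
        "!4I", acs["mch1"], acs["mch2"], acs["mch3"], acs["mch4"])


class SFF:
    """Forwarder that keeps the real NSH-state while a packet visits an SF."""

    def __init__(self, sf_acls):
        # sf_acls: {sf_id: {acs_name: Perm}}; unlisted ACS default to HIDDEN
        self.sf_acls = sf_acls
        self.nsh_state = {}  # flow key (5-tuple) -> (base header, real ACS values)

    def to_sf(self, sf_id, flow_key, nsh: bytes) -> bytes:
        """Ingress: save the real NSH-state, hand the SF a masked copy."""
        base, acs = nsh_to_acs(nsh)
        self.nsh_state[flow_key] = (base, dict(acs))
        acl = self.sf_acls[sf_id]
        shown = {n: (0 if acl.get(n, Perm.HIDDEN) is Perm.HIDDEN else v)
                 for n, v in acs.items()}
        return acs_to_nsh(base, shown)

    def from_sf(self, sf_id, flow_key, nsh: bytes):
        """Egress: recover the state by flow key and keep only permitted changes.

        Returns (restored NSH bytes, names of ACS the SF changed without Write
        permission). Those changes are discarded rather than forwarded.
        """
        _, returned = nsh_to_acs(nsh)
        base, saved = self.nsh_state.pop(flow_key)
        acl = self.sf_acls[sf_id]
        restored, violations = {}, []
        for name in ACS_NAMES:
            perm = acl.get(name, Perm.HIDDEN)
            if perm is Perm.WRITE:
                restored[name] = returned[name]
                continue
            # Compare with what the SF was shown (0 for hidden fields), then
            # put the real value back regardless of what came back.
            shown = 0 if perm is Perm.HIDDEN else saved[name]
            if returned[name] != shown:
                violations.append(name)
            restored[name] = saved[name]
        return acs_to_nsh(base, restored), violations


# Constructed sample: base header bytes (treated as opaque here), SPI 10,
# SI 255, four context headers, and a constructed 5-tuple as the flow key.
SAMPLE_BASE = bytes.fromhex("0fc60103")
SAMPLE_NSH = acs_to_nsh(SAMPLE_BASE, {"spi": 10, "si": 255, "mch1": 0x11111111,
                                      "mch2": 0x22222222, "mch3": 0x33333333,
                                      "mch4": 0x44444444})
SAMPLE_FLOW = ("10.0.0.1", "10.0.0.2", 6, 40000, 443)

# Constructed SF ACL: SPI read-only, SI writable (the SF decrements it),
# mch1 read-only, mch4 writable; mch2 and mch3 unlisted, so hidden.
FW_ACL = {"spi": Perm.READ_ONLY, "si": Perm.WRITE,
          "mch1": Perm.READ_ONLY, "mch4": Perm.WRITE}


def run_demo(sf_behaviour):
    """Pass SAMPLE_NSH through SFF -> SF -> SFF; sf_behaviour edits the ACS dict."""
    sff = SFF({"fw1": FW_ACL})
    base, acs = nsh_to_acs(sff.to_sf("fw1", SAMPLE_FLOW, SAMPLE_NSH))
    sf_behaviour(acs)
    out, violations = sff.from_sf("fw1", SAMPLE_FLOW, acs_to_nsh(base, acs))
    return nsh_to_acs(out)[1], violations


def honest_sf(acs):
    acs["si"] -= 1              # normal SF behaviour: decrement the Service Index
    acs["mch4"] = 0xAAAAAAAA    # writes only the context header it is allowed to


def misbehaving_sf(acs):
    acs["si"] -= 1
    acs["spi"] = 99             # attempts a path redirect via a read-only ACS
    acs["mch2"] = 0x5EC         # attempts to write a hidden ACS
```

`run_demo(honest_sf)` returns the full NSH-state with SI decremented and mch4 updated and no violations; `run_demo(misbehaving_sf)` returns the original SPI and mch2 with `["spi", "mch2"]` flagged, which is the "detect abnormal SF behavior" advantage from the Mechanism slide. The SF itself only ever sees zeros in mch2 and mch3, so it has no indication that it is being controlled.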

Implementation
Demo in the IETF 97 Hackathon:
- Using OpenDaylight as the control plane and OVS as the data plane
- SFF and CF are combined into one OVS
- Using flow rules to save the NSH-state

Considerations
- Define an MD mask for each SF: only give SFs the information they need to access
- Dynamic MD for concealing information: the MCH value changes constantly between SFs to conceal the real value; the subsequent CF handles the value mapping
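As an added example of the "Dynamic MD" consideration (not part of the slides or the authors' implementation), the Python below lets the CF in front of an SF replace the real context header value with a fresh random 32-bit nonce, and the CF behind it map the nonce back; a value that was never issued maps to nothing, which tells the egress CF the SF overwrote the concealed field. The class and function names are constructed, and the mapping table is kept in memory for the lifetime of one classifier pair.

```python
"""Dynamic MD concealment between two classifiers (added example)."""
import secrets


class ConcealingCF:
    """Classifier pair that shows an SF a per-hop nonce instead of the real MCH.

    The CF before the SF swaps the real 32-bit context header value for a
    fresh random nonce and remembers the mapping; the CF after the SF maps
    the nonce back. The SF never sees the real value, and because a new
    nonce is issued on every hop, two SFs cannot correlate what they saw.
    """

    def __init__(self):
        self.mapping = {}   # nonce -> real MCH value, live only while at the SF
        self.issued = set()  # every nonce ever handed out, so none is reused

    def conceal(self, real_value: int) -> int:
        """CF before the SF: return a unique, non-zero nonce standing in for real_value."""
        nonce = secrets.randbits(32)
        while nonce == 0 or nonce in self.issued:
            nonce = secrets.randbits(32)
        self.issued.add(nonce)
        self.mapping[nonce] = real_value
        return nonce

    def reveal(self, returned_value: int):
        """CF after the SF: map the returned nonce back to the real value.

        Returns None when the value was never issued or was already consumed,
        i.e. the SF changed the concealed MCH instead of passing it through.
        """
        return self.mapping.pop(returned_value, None)


def traverse_chain(real_value: int, hops: int):
    """Carry real_value through `hops` well-behaved SFs, re-concealing before each.

    Returns (the values the SFs saw, the value recovered after the last hop).
    """
    cf = ConcealingCF()
    seen = []
    current = real_value
    for _ in range(hops):
        nonce = cf.conceal(current)
        seen.append(nonce)          # this nonce is all the SF ever sees
        current = cf.reveal(nonce)  # a well-behaved SF hands it back unchanged
    return seen, current
```

Because each nonce is single-use, the same ConcealingCF can also serve as a tamper check: a returned value that does not map is either a rewrite by the SF or a replay of an earlier hop's value.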

Discussion
- Should the Service Path Header be access controlled, or only the MD?
- Additional requirements for access control for MD type 2
- NSH-state sync between ingress and egress Sub-CFs

Thank you!!!