NORM PI Update draft-ietf-rmt-pi-norm-revised-04 68th IETF - Prague Brian Adamson NRL.

Slides:

Advertisements

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

Advertisements

Internet Protocol Security (IP Sec)

1 IPv6. 2 Problem: 32-bit address space will be completely allocated by Solution: Design a new IP with a larger address space, called the IP version.

Internet Security CSCE 813 IPsec

INRIA Rhône-Alpes - Planète research group 1 Security and RMT Protocols: TESLA I-D simple-auth I-D rmt-sec I-D IETF 69 th – Chicago meeting, July 2007.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

IPSec Access control Connectionless integrity

1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

K. Salah1 Security Protocols in the Internet IPSec.

CMSC 414 Computer (and Network) Security Lecture 25 Jonathan Katz.

8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.

32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

IP Security Lawrence Taub IPSEC IP security — security built into the IP layer Provides host-to-host (or router-to-router) encryption and.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.

IETF 60 – San Diegodraft-ietf-mmusic-rfc2326bis-07 Magnus Westerlund Real-Time Streaming Protocol draft-ietf-mmusic-rfc2326bis-07 Magnus Westerlund Aravind.

1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.

Karlstad University IP security Ge Zhang

IPsec IPsec (IP security) Security for transmission over IP networks –The Internet –Internal corporate IP networks –IP packets sent over public switched.

IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.

IP Security.  In CERTs 2001 annual report it listed 52,000 security incidents  the most serious involving:  IP spoofing intruders creating packets.

SHIM6 Protocol Drafts Overview Geoff Huston, Marcelo Bagnulo, Erik Nordmark.

IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.

Chapter 32 Internet Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Chapter 8 IP Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.

IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.

IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.

Encapsulated Security Payload Header ● RFC 2406 ● Services – Confidentiality ● Plus – Connectionless integrity – Data origin authentication – Replay protection.

By Mau, Morgan Arora, Pankaj Desai, Kiran.  Large address space  Briefing on IPsec  IPsec implementation  IPsec operational modes  Authentication.

Internet Security CSCE 813 IPsec. CSCE813 - Farkas2 TCP/IP Protocol Stack Application Layer Transport Layer Network Layer Data Link Layer.

Authentication Header ● RFC 2402 ● Services – Connectionless integrity – Data origin authentication – Replay protection – As much header authentication.

Currently Open Issues in the MIPv6 Base RFC MIPv6 security design team.

Softwire Security Requirement Update draft-ietf-softwire-security-requirements-02.txt IETF Meeting, Prague March 19, 2007 Shu Yamamoto Carl Williams Florent.

Requirements and Selection Process for RADIUS Crypto-Agility December 5, 2007 David B. Nelson IETF 70 Vancouver, BC.

1 IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.

IPSec – IP Security Protocol By Archis Raje. What is IPSec IP Security – set of extensions developed by IETF to provide privacy and authentication to.

IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.

OSPF WG Security Extensions for OSPFv2 when using Manual Keying Manav Bhatia, Alcatel-Lucent Sam Hartman, Huawei Dacheng Zhang, Huawei IETF 80, Prague.

1 IPSec: An Overview Dr. Rocky K. C. Chang 4 February, 2002.

Network Layer Security Network Systems Security Mort Anvari.

K. Salah1 Security Protocols in the Internet IPSec.

Network Transport Circuit Breakers draft-ietf-tsvwg-circuit-breaker Most recent version -08 (uploaded for this meeting). Editor: Gorry Fairhurst.

8-1Network Security Virtual Private Networks (VPNs) motivation:  institutions often want private networks for security.  costly: separate routers, links,

@Yuan Xue CS 285 Network Security IP Security Yuan Xue Fall 2013.

NACK-Oriented Reliable Multicast (NORM) Update

Network Coding Architecture Framework

Chapter 18 IP Security  IP Security (IPSec)

Internet and Intranet Fundamentals

In-Band Authentication Extension for Protocol Independent Multicast (PIM) draft-bhatia-zhang-pim-auth-extension-00 Manav Bhatia

IPSec IPSec is communication security provided at the network layer.

draft-ipdvb-sec-01.txt ULE Security Requirements

Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls

Presentation transcript:

NORM PI Update draft-ietf-rmt-pi-norm-revised-04 68th IETF - Prague Brian Adamson NRL

Overview Added details for application of IPSec security to NORM –Baseline security mode for SSM operation –Also applicable to ALC Some editorial cleanup and clarifications. –E.g., how to NACK when sender shortens FEC code blocks on the fly

Baseline Secure NORM Operation Goal: Establish a baseline “secure mode” of operation for NORM that is realizable with existing security mechanisms. NORM SSM operation identified as likely most pragmatic paradigm to secure.

NORM SSM Paradigm

Some Current IP Security Protocols IPSec –Tunnel and Transport modes Unicast and Multicast supported DTLS –TLS (aka SSL) for datagrams –Unicast only SRTP –Security extension to RTP (something similar could be done using NORM/ALC “EXT_AUTH” header extension?) –Unicast and Multicast supported

Options Investigated Hybrid IPSec/ DTLS –IPSec for sender->receiver(s) multicast –DTLS for receiver(s)->sender unicast IPSec Transport Mode –Readily available in hosts –Multicast support wr2 replay attack protection required experimentation SRTP-like adaptation –Development required.

IPSec Approach Developed and Tested Used transport mode IPSec –AH, ESP, and ESP+AH were tested. Two security associations (SA) per host –Sender->receiver(s) multicast –Receiver(s)->sender unicast Used IPSec replay attack protection for sender->receiver(s) flow. Receivers->sender flows replay attack protection strategy identified using NORM header fields and sender repair window state.

Sender Protection from Receiver NACK/ACK replay Make use of sequence number in NORM message header –16 bits, but receiver feedback is sparse Need to maintain state only for receivers that have NACKed within current sender repair window Replay of NACKs from outside of repair window inflict little harm –Sender may transmit limited NORM_CMD(SQUELCH) or ignore. Similar for congestion control feedback and other receiver ACK messages. RECOMMEND use of encryption to minimize chance of complex attacks on long-lived NORM sessions. –But would likely rekey before repair window space (objectId::fecBlockId::symbolId) wraps anyway

Key Management NORM IPSec use compatible with out-of-band key management including: –GDOI –GSAKMP –MIKEY Possible that a key update message like GDOI “GROUPKEY-PUSH” could be transmitted from the sender to the group as an in-band message using NORM (or ALC) reliable transport Reliability mechanism helps mitigate any packets that might be dropped during a key update, but graceful rollover might be accomplished as well. The two SAs could use a common key?

NORM PI Revision Included detailed description of IPSec usage in “Security Considerations” section. Followed guidelines on IPSec usage specification per Steve Bellovin’s draft. Examined other similar approaches such as RFC4552 (OSPF WG has also recently created a group security requirements draft)

Potential Future Specification EXT_AUTH extension allows for similar approach to be taken above IPSec layer –Similar to SRTP, NORM/ALC header fields could be compressed (e.g. ala RoHC) –A different approach to replay protection could be pursued if necessary –Implementation-unique or standardized as needed. TESLA details are being worked out.

Summary A sufficient baseline secure mode of operation has been identified and described that should allow NORM (and ALC, if it follows) to proceed forward.