Draft-kk-mpvd-ndp-support-01 MIF WG – IETF88 Jouni Korhonen Suresh Krishnan Sri Gundavelli.

Slides:



Advertisements
Similar presentations
SeND Hash Threat Analysis CSI WG Ana Kukec, Suresh Krishnan, Sheng Jiang.
Advertisements

Multicast Reconfiguration Protocol for Stateless DHCPv6 DHC 61 st IETF S. Daniel Park
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Access control for IP multicast T Petri Jokela
K. Salah1 Security Protocols in the Internet IPSec.
Draft-ietf-v6ops-ra-guard-00.txt1 IPv6 RA-Guard draft-ietf-v6ops-ra-guard-00.txt G. Van de Velde, E. Levy- Abegnoli, C. Popoviciu, J. Mohácsi 72nd IETF.
Draft-vandevelde-v6ops-ra-guard-01.txt1 IPv6 RA-Guard G. Van de Velde, E. Levy- Abegnoli, C. Popoviciu, J. Mohacsi IETF 71, March 11/14th 2008 Philadelphia.
Controlling Traffic Offloading Using Neighbor Discovery Protocol IETF#80 Mif WG, 28-March-2011 draft-korhonen-mif-ra-offload-01 Jouni Korhonen Teemu Savolainen.
Diameter End-to-End Security: Keyed Message Digests, Digital Signatures, and Encryption draft-korhonen-dime-e2e-security-00 Jouni Korhonen, Hannes Tschofenig.
CSIS 4823 Data Communications Networking – IPv6
1 Chapter06 Mobile IP. 2 Outline What is the problem at the routing layer when Internet hosts move?! Can the problem be solved? What is the standard solution?
Trust Anchor Management Problem Statement 69 th IETF Trust Anchor Management BOF Carl Wallace.
IP Security: Security Across the Protocol Stack
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
Multiple Provisioning Domain (MPVD) Architecture status & next steps Dmitry Anipko (architecture document editor) IETF 89 MIF WG London, March 6 th 2014.
1 /10 Pascal URIEN, IETF 66 h, Wednesday July 12 th,Montreal, Canada draft-urien-badra-eap-tls-identity-protection-00.txt
DHCPv6 Redundancy Considerations Redundancy Proposals in RFC 6853.
1 Julien Laganier MEXT WG, IETF-79, Nov Authorizing MIPv6 Binding Update with Cryptographically Generated Addresses
IETF 51, IPv6 WG1 Multilink Subnets draft-thaler-ipngwg-multilink-subnets-01.txt Dave Thaler
Michael Myers VeriSign, Inc.
Cullen Jennings Certificate Directory for SIP.
Karlstad University IP security Ge Zhang
ARMD – Next Steps Next Steps. Why a WG There is a problem People want to work to solve the problem Scope of problem is defined Work items are defined.
1 IETF 78: NETEXT Working Group IPSec/IKEv2 Access Link Support in Proxy Mobile IPv6 IPSec/IKEv2-based Access Link Support in Proxy Mobile IPv6 Sri Gundavelli.
SHIM6 Protocol Drafts Overview Geoff Huston, Marcelo Bagnulo, Erik Nordmark.
OSPF WG Stronger, Automatic Integrity Checks for OSPF Packets Paul Jakma, University of Glasgow Manav Bhatia, Alcatel-Lucent IETF 79, Beijing.
Session Recording (SIPREC) Protocol (draft-ietf-siprec-protocol-09) Leon Portman Henry Lum
Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.
1 Arkko, 57th IETF: SEND base protocol issue list Issues in the SEND base document draft-ietf-send-ipsec-01.txt
Secure Neighbor Discovery in IPv6 Jari Arkko Ericsson Research James Kempf DoCoMo US Labs.
6lowpan ND Optimization draft Update Samita Chakrabarti Erik Nordmark IETF 69, 2007 draft-chakrabarti-6lowpan-ipv6-nd-03.txt.
IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.
V6OPS WG – IETF #85 IPv6 for 3GPP Cellular Hosts draft-korhonen-v6ops-rfc3316bis-00 Jouni Korhonen, Jari Arkko, Teemu Savolainen, Suresh Krishnan.
1 Pascal URIEN, IETF 63th Paris, France, 2nd August 2005 “draft-urien-eap-smartcard-type-02.txt” EAP Smart Card Protocol (EAP-SC)
Slide title In CAPITALS 50 pt Slide subtitle 32 pt SEND Certificate Profile draft-krishnan-cgaext-send-cert-eku-01 Suresh Krishnan Ana Kukec Khaja Ahmed.
Nov. 8, 2006IDR WG Meeting1 IPv6 Next Hop for IPv4 Prefix In BGP Updates, NH not necessarily of same address family as NLRI Currently deployed examples:
RTP Splicing Status Update draft-ietf-avtext-splicing-for-rtp-11 Jinwei Xia.
1 draft-sidr-bgpsec-protocol-05 Open Issues. 2 Overview I received many helpful reviews: Thanks Rob, Sandy, Sean, Randy, and Wes Most issues are minor.
Transport Layer Security- based Mobile IPv6 Security Framework for MN Node to HA Communication IETF#80 MEXT WG, 1-April-2011 draft-ietf-mext-mip6-tls-00.
PAGE 1 A Firewall Control Protocol (FCON) draft-soliman-firewall-control-00 Hesham Soliman Greg Daley Suresh Krishnan
Requirements and Selection Process for RADIUS Crypto-Agility December 5, 2007 David B. Nelson IETF 70 Vancouver, BC.
2/25/2016CSI WG/IETF761 Open Source Project SEND & Extensions Beijing University of Posts & Telecommunications HUAWEI Yuhong LI (Speaker) Wendong WANG.
Design Considerations for the Common MIH Protocol Functions draft-hepworth-mipshop-mih-design-considerations-01 Ele Hepworth (*), Robert Hancock, Srinivas.
RFC 4068bis draft-ietf-mipshop-fmipv6-rfc4068bis-01.txt Rajeev Koodli.
OSPF WG Security Extensions for OSPFv2 when using Manual Keying Manav Bhatia, Alcatel-Lucent Sam Hartman, Huawei Dacheng Zhang, Huawei IETF 80, Prague.
1 End-to-middle Security in SIP Kumiko Ono NTT Corporation March 1, 2004 draft-ietf-sipping-e2m-sec-reqs-01.txt draft-ono-sipping-end2middle-security-01.txt.
CSI WG / IETF741/12 Implementation of SeND/CGA and Extensions Beijing University of Posts and Telecommunications HUAWEI.
K. Salah1 Security Protocols in the Internet IPSec.
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
Lecture 10 Page 1 CS 236 Online Encryption and Network Security Cryptography is widely used to protect networks Relies on encryption algorithms and protocols.
Sheng Jiang (Speaker) Xu Chen Xuan Song Huawei Neighbor Cache Protection in Neighbor Discover Protocol draft-jiang-v6ops-nc-prtection-01 IETF 77 V6OPS.
Mobile IP Lecture 5.
Suresh Krishnan Secure Proxy ND Suresh Krishnan
End-to-middle Security in SIP
Secure Proxy ND Support for SEND draft-krishnan-csi-proxy-send-00
Encryption and Network Security
Access Network Information Option for Proxy Mobile IPv6
NAT State Synchronization using SCSP draft-xu-behave-nat-state-sync-01
In-Band Authentication Extension for Protocol Independent Multicast (PIM) draft-bhatia-zhang-pim-auth-extension-00 Manav Bhatia
IETF67 B. Patil, Gopal D., S. Gundavelli, K. Chowdhury
draft-ietf-detnet-dp-sol-00 Issues
Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-19 NETCONF WG IETF 100 (Singapore)
Problem solving.
DetNet Data Plane design team IETF 98, Chicago, 2017
draft-ietf-bier-ipv6-requirements-01
Access Network Information Option for Proxy Mobile IPv6
BGP VPN service for SRv6 Plus IETF 105, Montreal
Internet Protocol version 6 (IPv6)
TRILL Header Extension Improvements
draft-ietf-ospf-te-link-attr-reuse-04
Presentation transcript:

draft-kk-mpvd-ndp-support-01 MIF WG – IETF88 Jouni Korhonen Suresh Krishnan Sri Gundavelli

Background A protocol solution proposal for draft-ietf-mif- mpvd-arch using IPv6 NDP. Complimentary work to draft-kkb-mpvd-dhcp- support-01 We assume you read the drafts..

Design choices in -01 A generic “PVD container/range” NDP option: – PVD_CO marks the start of a PVD – PVD_ID marks the end of a PVD. – Can carry existing NDP options. – Carries the PVD Identity, optional security information etc.. An RA/RS may contain zero or more PVD containers: – Multiple PVDs may be in one RA/RS.. – An RS may contain zero or more PVD containers to solicit information from a specific PVD:

Design choices in -01 cont’d Reuse selected parts of existing security mechanisms: SEND RFC6494/6495/3971 – Does not mandate implementation of SEND, though! – Mostly reuse the SEND Subject Key Identifier way of finding public keys. Defines the security principles: – PVD container content may be signed to prove the authenticity of the advertised information and to provide integrity protection. – Replay protection left for the “carrier protocol” to solve.

Changes from -00 Change of PVD_CO option not to contain sub- options but mark the start of options belonging to the PVD. Replacing the PVD Identity encodings defined in -00 to a common PVD-ID “blob” defined in draft-kkbg-mpvd-id-00. Minor tweaks..

PVD Container Option Marks the starts of ND options belonging to a specific PVD; options follow as-is. PVD unaware clients just skip the option and process the subsequent NDP options as any NDP options.. Option follows the normal ND option padding requirements.

PVD Identifier Option Marks the end of NDP options belonging to a PVD identified by the “Identity”. PVD unaware clients just skip the option.. “Identity” is a binary blob, whose encoding is defined in draft-kkbg-mpvd-id.

Issues to think more.. PVD_CO handling in case of PVD unaware host implementations: – Just skip the option and handle “PVD encapsulated” NDP options as any NDP options or.. (now in -01) – Craft PVD_CO in a way that an unaware host implementation would skip all “PVD encapsulated” NDP options (doable with PVD_CO Length tweaking).. (was in -00) Replay protection as part of the PVD container or left for the “carrier protocol” to deal with? Clarifying the case where a router advertises multiple PVDs – how to do signing of options. Trust anchors, certificate chains or something else..

Questions ?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.