Security Threats and Security Requirements for the Access Node Control Protocol (ANCP) IETF 67 - ANCP WG November 5-10, 2006 draft-moustafa-ancp-security-threats-00.txt.

Objective
Investigating security threats that all ANCP nodes could encounter and developing a threat model at the ANCP level. Accordingly, security requirements for the ANCP are defined.
Out of scope:
–Security policy negotiation, including authentication and authorization to define per-subscriber policy at the AAA/policy server

System Overview and Threat Model
Reference topology (the slide's ASCII diagram, reconstructed as text): CPE --- HGW --- Access Node (AN) --- NAS --- Internet, with the AAA server attached to the NAS and several CPE/HGW pairs terminating on the same AN.
Attackers can be either on-path or off-path, and in each case active or passive.
Threat Model:
–Off-path adversary at the CPE or HGW
–Off-path adversary on the Internet or a Regional Network
–On-path adversary at the network elements between the AN and the NAS
–Adversary taking control over the NAS
–Adversary taking control over the AN

Attackers' Objectives and Potential Attacks
Attackers' Objectives:
–Attacking an individual entity
  Disrupt the customer's communication
  Gain profit for the attacker
–Attacking a portion of the access network
  Disrupt the network services
  Damage the functioning of the network
  Intercept subscriber-related data
Potential Attacks:
–Message Modification
–Signaling Replay
–Denial of Service
–Traffic Analysis
–Downgrading Attack
–Man-in-the-Middle Attack
–Network Snooping

Attacks Against Use Case 1: Dynamic Access Loop Attributes
On-path attacks between the AN and the NAS during the Access Loop attributes transfer
–Passive, learning the attributes
  Capturing information on clients' connection state
  Traffic analysis
–Active, acting on the transferred attributes
  Man-in-the-middle attack injecting faked attributes
  Message modification
  DoS through signaling replay
Off-path attacks on the Internet affecting the Access Loop attributes sharing between the NAS and the policy server
–Passive, gaining information on the Access Loop attributes shared with the policy server
  Eavesdropping
  Traffic analysis
–Active
  DoS on the communication links to the policy server
  Man-in-the-middle allowing an illegitimate NAS to retrieve Access Loop configuration data from the policy server

Attacks Against Use Case 2: Access Loop Configuration
On-path Active Attacks
–Downgrading attack during Access Loop configuration updates
–DoS attack through replaying of the Configure Request message
–Damaging clients' profiles at ANs
–Replaying old packets related to a privileged client's profile
Off-path Attacks
–Passive adversary on the Internet eavesdropping during the Access Loop configuration retrieval by the NAS from the policy server
–Active adversary on the Internet threatening subscriber-related service data in the policy server

Attacks Against Use Case 3: Remote Connectivity Test
On-path Active Attacks
–Man-in-the-middle attack on
  the NAS triggering the AN to carry out the test
  the Subscriber Response Message transfer from the AN to the NAS
Off-path Active Attacks
–DoS attack, in the case of an ATM-based Access Loop, through replaying the loopback cells generated by the AN
–Message truncation, leading the NAS to assume that the test failed

Attacks Against Use Case 4: Multicast
On-path Active Attacks
–Signal truncation, damaging the proxy functionality in the AN, the aggregation node(s) or the NAS
–DoS attack during the information exchange between the NAS and the AN on the subscriber's policy and the multicast traffic configuration
–Man-in-the-middle attack during the multicast replication process

Security Requirements
The protocol solution MUST offer authentication of the AN to the NAS
The protocol solution MUST offer authentication of the NAS to the AN
The protocol solution MUST allow authorization to take place at the NAS and at the AN
The protocol solution MUST offer replay protection
The protocol solution MUST provide data origin authentication
The protocol solution SHOULD offer confidentiality protection
The protocol solution MUST be robust against DoS attacks
The protocol solution SHOULD provide mutual authentication between different communicating entities
The protocol solution SHOULD distinguish the control messages from the data
The protocol solution SHOULD provide privacy protection
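The following is an added illustration, not part of the draft or the slides, of how the data origin authentication and replay protection requirements above defeat the message modification and Configure Request replay attacks listed for use cases 1 and 2. It assumes a constructed pre-shared key per AN/NAS association, a hypothetical fixed message header, and an ordered transport (no sliding window); ANCP's actual framing and key management are not shown.

```python
import hmac
import hashlib
import struct

# Constructed pre-shared key for one AN<->NAS association (assumption: a real
# deployment derives keys from its own key management, never a hardcoded value)
AN_NAS_KEY = b"constructed-demo-key-do-not-reuse"

# Hypothetical control message type codes, named after the page's use cases
CONFIGURE_REQUEST = 1
REMOTE_CONNECTIVITY_TEST = 2

HEADER = struct.Struct(">16sIH")   # sender id (16 bytes), sequence number, type
TAG_LEN = hashlib.sha256().digest_size

def build_message(key, sender, seq, msg_type, payload):
    """Frame a control message and bind it to its origin with an HMAC tag."""
    body = HEADER.pack(sender.encode(), seq, msg_type) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class ControlReceiver:
    """Receiving side (e.g. the AN) enforcing origin authentication and replay protection."""
    def __init__(self, key, expected_peer):
        self.key = key
        self.expected_peer = expected_peer.encode().ljust(16, b"\0")
        self.last_seq = 0          # highest sequence number accepted so far

    def accept(self, wire):
        if len(wire) < HEADER.size + TAG_LEN:
            return "reject: truncated"        # cannot even verify, so drop it
        body, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "reject: bad MAC"          # modified in transit or forged
        sender, seq, msg_type = HEADER.unpack(body[:HEADER.size])
        if sender != self.expected_peer:
            return "reject: unexpected sender"
        if seq <= self.last_seq:
            return "reject: replay"           # an old Configure Request played back
        self.last_seq = seq
        return f"accept: type={msg_type} seq={seq}"

def demo():
    """Walk one Configure Request through delivery, replay and tampering."""
    rx = ControlReceiver(AN_NAS_KEY, "NAS")
    m1 = build_message(AN_NAS_KEY, "NAS", 1, CONFIGURE_REQUEST, b"loop=dsl-1 rate=2048")
    m2 = build_message(AN_NAS_KEY, "NAS", 2, CONFIGURE_REQUEST, b"loop=dsl-1 rate=512")
    tampered = m2[:-TAG_LEN - 3] + b"999" + m2[-TAG_LEN:]   # payload edited, tag kept
    return [rx.accept(m1), rx.accept(m1), rx.accept(tampered), rx.accept(m2)]
```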

Next Steps
Soliciting comments
Progress the draft as a separate draft complementing the framework draft