IPsec Remote Access BOF, Washington D.C., November 9 1999

Presentation transcript:


IPsec Remote Access BOF
Co-chairs: Roy Pereira, Sara Bitan
Mailing list:
Subscribe:
Archive:

Agenda
5 mins  Agenda bashing
5 mins  High level goals and requirements
10 mins Reading of the Charter
35 mins Discussion of Charter & requirements
5 mins  Finalize Charter

High Level Goals
1) Provide support for non-PKI, scalable, legacy end-user authentication technologies.
2) Support dynamic resource assignment.
3) Enhance IKE to support mobile remote users.

IPSRA requirements: Generic
- Maintain or exceed security strength
- Complement current and future IKE specifications
  – Maintain compatibility with current and future IKE specifications
- Seamless migration from direct-dial remote access
  – From the user's perspective

IPSRA requirements: Authentication
- Support existing legacy user authentication systems (e.g. SecurID, RADIUS, CHAP)
  – Seamless integration into an organization's existing infrastructure
- Seamless migration to a PKI

IPSRA requirements: Configuration
- Resource allocation (specifically a private IP address)
  – Should be referenceable to IKE IDs
- VPN configuration (e.g. allowed subnets, IPsec policy) ???
- Distribution of VPN configuration ???

Charter
The rapid growth of remote access and the subsequent transition from older direct-dial remote access to Internet-based remote access carries with it a requirement for secure communications. While IPsec is an obvious solution in this space, it has several easy-to-fix shortcomings:

1) IPsec, and in particular IKE, assumes the widespread deployment of public-key technology to achieve mutual authentication between parties. There is a large demand in the IPsec remote-access space for support of scalable end-user authentication technologies that do not rely on public-key certificates.

2) IPsec makes it difficult to support dynamic resource assignment, particularly of addresses from within a private address space behind an IPsec security gateway, based on the authenticated user identity. This is an operational property of the current IKE specification and of its implementations.

3) The current IKE protocol does not properly answer the requirements of remote access users when non-certificate based authentication is used. Main mode with shared-secret authentication cannot be used with dynamic IP addresses. Aggressive mode is exposed to a wide range of denial of service attacks (unlike main mode). In addition, using any of the existing modes together with the authentication mechanisms listed in (2a) below creates a list of new problems, among them man-in-the-middle attacks and the binding of IKE authentication to the user authentication. If the working group reaches the conclusion that new IKE modes are required to securely support legacy user authentication, then we will move forward to defining such new modes.
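The first two problems in point 3 both come down to what a gateway knows about a peer at the moment it must do expensive or key-dependent work. The toy model below is an added illustration, not code from the slides or from any IKE implementation: it follows the RFC 2409 message ordering (main mode sends the identity encrypted in message 5, after SKEYID has already been derived from the pre-shared key; aggressive mode sends identity and key-exchange payload in the clear in message 1) and shows why a main-mode responder can only select a PSK by source address, while an aggressive-mode responder must perform its Diffie-Hellman exponentiation for any single unverified packet. The `Responder`, `Message` and `run_phase1` names, the addresses and the keys are constructed for the example.

```python
"""
Toy model of IKEv1 phase-1 processing on a security gateway (responder).
Added illustration only: not code from the BOF slides or from any IKE
implementation.  Message layouts follow RFC 2409; all names, addresses and
keys are constructed sample data.  HASH_I verification is elided: the model
only tracks whether the responder could obtain the PSK needed to build
SKEYID, and when it had to do the DH exponentiation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Message:
    src_ip: str
    has_ke: bool = False                    # carries a Diffie-Hellman public value
    echoed_cookie: Optional[bytes] = None   # responder cookie returned by the initiator
    id_payload: Optional[str] = None        # IKE identity (clear-text only in aggressive mode)


@dataclass
class Responder:
    cookie: bytes
    psk_by_ip: Dict[str, bytes] = field(default_factory=dict)  # selector usable in main mode
    psk_by_id: Dict[str, bytes] = field(default_factory=dict)  # selector usable in aggressive mode
    events: List[str] = field(default_factory=list)


def initiator_messages(mode: str, src_ip: str, identity: str, cookie: bytes) -> List[Message]:
    """The initiator-sent messages the responder sees in each mode (RFC 2409 ordering)."""
    if mode == "main":
        return [
            Message(src_ip),                                      # msg 1: SA proposal
            Message(src_ip, has_ke=True, echoed_cookie=cookie),   # msg 3: KE, Ni, cookies
            Message(src_ip, id_payload=identity),                 # msg 5: IDii, encrypted
        ]
    if mode == "aggressive":
        return [Message(src_ip, has_ke=True, id_payload=identity)]  # msg 1: SA, KE, Ni, IDii
    raise ValueError(f"unknown mode {mode!r}")


def run_phase1(r: Responder, mode: str, src_ip: str, identity: str) -> Dict[str, bool]:
    """Process one initiator's messages and report what the responder could do."""
    psk: Optional[bytes] = None
    dh_before_routability = False
    identity_authenticated = False

    for msg in initiator_messages(mode, src_ip, identity, r.cookie):
        if msg.has_ke:
            # The DH exponentiation is the expensive step.  Main mode reaches it
            # only after the initiator echoed the responder cookie (message 3);
            # aggressive mode reaches it on the very first, unverified packet.
            if msg.echoed_cookie != r.cookie:
                dh_before_routability = True
            r.events.append(f"{mode}: DH computed for {src_ip}")
            # SKEYID = prf(PSK, Ni | Nr) is needed immediately after KE, so the
            # PSK must be selected now, from whatever the peer has revealed so far.
            if mode == "main":
                psk = r.psk_by_ip.get(msg.src_ip)          # only the source address is known
                r.events.append(f"main: PSK by IP {src_ip}: {'found' if psk else 'none'}")
            else:
                psk = r.psk_by_id.get(msg.id_payload)      # identity was sent in the clear
                r.events.append(f"aggressive: PSK by ID {msg.id_payload}: {'found' if psk else 'none'}")
                identity_authenticated = psk is not None
        elif msg.id_payload is not None:
            # Main mode message 5 is encrypted under SKEYID; without a PSK it is opaque.
            if psk is None:
                r.events.append("main: cannot decrypt ID payload, no SKEYID")
                break
            identity_authenticated = True

    return {
        "psk_found": psk is not None,
        "dh_before_routability": dh_before_routability,
        "identity_authenticated": identity_authenticated,
    }


def gateway() -> Responder:
    """A gateway that knows Alice's PSK both by her office address and by her IKE ID."""
    return Responder(
        cookie=b"\x01" * 8,
        psk_by_ip={"192.0.2.10": b"alice-secret"},
        psk_by_id={"alice@example.net": b"alice-secret"},
    )


def roaming_user_scenarios() -> Dict[str, Dict[str, bool]]:
    """Alice connects from an address the gateway has never configured (a dial-up client)."""
    return {mode: run_phase1(gateway(), mode, "198.51.100.7", "alice@example.net")
            for mode in ("main", "aggressive")}


if __name__ == "__main__":
    for mode, outcome in roaming_user_scenarios().items():
        print(mode, outcome)
    print("main mode from the fixed office address:",
          run_phase1(gateway(), "main", "192.0.2.10", "alice@example.net"))
```

Running it shows the trade-off the charter describes: from a roaming address, main mode never finds a PSK and the user cannot be authenticated at all, while aggressive mode authenticates the user by identity but has already spent a DH exponentiation before learning anything verifiable about the sender. From the fixed office address main mode works, which is why it was adequate for gateway-to-gateway use but not for remote users.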

The outputs of this working group will include:
1) A framework document that specifies the requirements for secure IPsec remote access. This document will identify all the entities participating in the secure remote access, and define the secure remote access architecture.

2) Standards-track documents that fulfill the requirements outlined by the goals of this charter. Specifically:
a) A PROPOSED STANDARD (or BCP or Informational) document describing extensions to IPsec and/or IKE to support existing end-user authentication, by itself or in conjunction with another IKE authentication mechanism, including, but not limited to:
   - username/password (e.g. RADIUS PAP)
   - Tokens: both Challenge/Response and SecurID-like
   - OTP
b) A PROPOSED STANDARD (or BCP or Informational) document describing a mechanism for providing secure configuration for remote users needing access to a private network on the other side of an IPsec gateway. At a minimum, this would involve address assignment for the user-side virtual interface.

The proposed work items for this group would yield standards that are compatible with the existing IPsec architecture [RFC 2401] and IKE, complementing the standards work achieved by the IPsec Working Group. Since this working group is focusing on IP Security, its protocol specifications will be designed to have no negative impact on the security of the underlying protocols (ESP, AH, and IKE), or the Internet in general.

There are existing, marketed implementations based on previous work in the user authentication field, and thus a major focus for this working group will be to leverage existing practice and operational experience, and to extract from those implementations a scheme that is flexible and architecturally sound.

Thus, this work will be derived from, but not limited to, all or some of the following documents:
- draft-gupta-ipsec-remote-access
- draft-aboba-ipsra-req
- draft-kelly-ipsra-userauth
- draft-ietf-ipsec-isakmp-hybrid-auth
- draft-harkins-ipsec-ike-crack
- draft-ietf-ipsec-isakmp-xauth
- draft-ietf-ipsec-ike-base-mode
- draft-ietf-ipsec-isakmp-mode-cfg
- draft-ietf-ipsec-dhcp
- draft-ietf-pppext-l2tp-security
- draft-ietf-pppext-secure-ra

Milestones:
November 1999: Second BOF meeting
November 1999: New drafts of addressing mechanisms
November 1999: New drafts of authentication mechanisms
January 2000: First draft of framework document
February 2000: Framework document submitted for standards track
March 2000: First WG meeting
May 2000: Addressing mechanism document submitted for standards track
May 2000: Authentication mechanism document submitted for standards track
May 2000: Enhanced IKE document submitted for standards track