LinkSec Architecture Attempt 3

LinkSec Architecture Attempt 3
Robert Moskowitz, ICSAlabs

LinkSec Network Model
- Hop-by-hop model for Link Confidentiality
  - Except where provider bridges facilitate virtual links between subscriber bridges
- Terminology
  - Provider ‘owns’ the network. A Provider may be the corporate IT department.
  - Subscribers ‘use’ the network, e.g. a corporate employee or a paying customer.
  - Transparency in security refers to 2 or more links appearing as a single link to the end devices, with the intermediate bridges being transparent to the security services.

LinkSec Network Model
- LinkSec delineates link ownership:
  - Provider link
  - Joint link (Provider/Subscriber)
  - Virtual link (Subscriber over Provider)
- The Network is the collection of Links, Provider link interfaces, and Provider Authentication Servers (and related services)

LinkSec Network Model
- Primarily to protect the Provider network from attack and misuse
- A Provider IEEE 802 Infrastructure
  - Provider Links
  - Cross-Provider Links
- Network attachment points
  - Jointly controlled by Provider and Subscriber
  - Network Authentication
  - Link Authorization
  - Link confidentiality (privacy and integrity)

Network Definition
- For purposes here, a Network refers to Layer 2 infrastructure and Layer 3 provisioning services
- The network is an entity in its own right that needs to be secure
- The components of a network need various levels of security
[Diagram: the network topology, with Networked Devices connected through Network Attachment Points to the rest of the network]

Security Services Components
- Pre-existing trust between Authentication Server and:
  - Provider components
  - Subscriber components
- Targeted Trust is:
  - Between attached devices and Network
  - Between 2 attached devices in specific situations
[Diagram: Authentication Server, Network Attachment Points, Networked Devices and the rest of the network, with Established Trust and Target Trust relationships marked]

Provider View Of LinkSec
- Support billing
  - No money, no network
  - Binary, no provisioning implied
  - Subscriber and cross-provider
- Legal obligations
  - Subscriber expectations
  - Legal intercept: function of deployment, not protocols
- Control access to Network Attachment Points
  - Know your Subscriber (i.e. link termination)

Subscriber View of LinkSec
- Network exists to service Subscribers
  - LinkSec exists to protect subscribers from other subscribers
- Trust in Network
  - Authenticate the Provider
  - Restriction of exposure
  - Asymmetric: Subscriber assumes no attack from Provider, but Provider assumes attack from Subscriber
- Trust in billing
  - Only charged for real usage

Peer View of LinkSec
- 2 Peer systems control the link
  - Bi-directional control
  - Either can initiate authentication
  - Both play an equal role in controlling the authentication process
- One system may take control of the link
  - Typically based on link ownership
  - e.g. an 802.1ad Provider Bridge might always be the Responder, even if it initiated the authentication

Business-Driven Requirements
- Provider Network centric
  - IEEE 802 networks only
- Provider link protection
  - Intra-Provider, Inter-Provider, Subscriber to NAPs
- Authentication always needed
  - Helps limit misuse of the network
  - Detects mis-wiring
- Privacy and Integrity protection
  - Data confidentiality

More Business-Driven Requirements
- Provider Bridge (802.1ad) transparency
  - Customer data private from provider
  - Including bridge management traffic
- Multiple subscribers to one physical port
  - e.g. 802.3ah and 802.11

Business-Driven Requirements Not Included
- Link Transparency
  - Virtual, trusted links across hostile bridges
  - Exception is 802.1ad Provider bridges
- Impact on multi-party Adhoc networks
- Multiparty links
  - e.g. 2 bridges on 802.3 with the device ignorant of which is active
- Legal Intercept
  - Solved by deployment methodology, not provisions in LinkSec

Requirements Details
- Multi-link model per network component
  - Each network component (or node) has N points of connection to the network
  - N = 1 is the degenerate case
- Consider all links as ephemeral
  - “permanent links” are just long-lived ephemeral links
  - Links change state as soon as the link is lost

More Requirements Details
- Peer nature of Authentication
  - Both ends of the link control the authentication process, even though one side starts the authentication
  - The peers SHOULD be mutually authenticated (this is a function of a higher level service)
  - One end may force a role of Initiator or Responder
  - There should never be a race condition
    - If both peers start authentication at the same time, one is gracefully terminated
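The peer-role rules above, together with the 802.1ad example from the Peer View slide (a Provider Bridge that is always the Responder even when it started the exchange), modelled as a small role-resolution function. This is an added example, not code from the presentation; the MAC-address tie-break used to break a simultaneous start is an assumption of this model, not something the slides specify.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple


class Role(Enum):
    INITIATOR = "initiator"
    RESPONDER = "responder"
    EITHER = "either"      # no forced role: accepts whichever it is assigned


@dataclass(frozen=True)
class Peer:
    mac: str       # link identity; also the tie-break key (assumption of this model)
    forced: Role   # role the peer insists on, e.g. RESPONDER for a provider bridge
    started: bool  # True if this peer sent the first authentication message


@dataclass
class Outcome:
    roles: Dict[str, Role]        # mac -> role: exactly one Initiator, one Responder
    terminated: Tuple[str, ...]   # peers whose own in-flight attempt is gracefully dropped


def resolve_roles(a: Peer, b: Peer) -> Outcome:
    """Both ends compute the same answer from the same inputs, so no race is possible."""
    if a.forced != Role.EITHER and a.forced == b.forced:
        raise ValueError("both peers insist on the same role; link cannot authenticate")
    if a.forced != Role.EITHER:
        a_role = a.forced                      # link ownership wins over who started
    elif b.forced != Role.EITHER:
        a_role = Role.RESPONDER if b.forced is Role.INITIATOR else Role.INITIATOR
    elif a.started != b.started:
        a_role = Role.INITIATOR if a.started else Role.RESPONDER   # the starter leads
    else:
        # simultaneous start (or no start yet): deterministic tie-break on the
        # link identity, so both sides agree without any further round trip
        a_role = Role.INITIATOR if a.mac < b.mac else Role.RESPONDER
    b_role = Role.RESPONDER if a_role is Role.INITIATOR else Role.INITIATOR
    roles = {a.mac: a_role, b.mac: b_role}
    # a peer that started but ends up Responder abandons its own attempt
    terminated = tuple(p.mac for p in (a, b)
                       if p.started and roles[p.mac] is Role.RESPONDER)
    return Outcome(roles, terminated)
```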

More Requirements Details
- Layer Signalling of LinkSec
- Support for Handoff between NAPs
  - No direct support of Handoff mechanisms in LinkSec, i.e. transparency to handoff at layer 3
- Confidentiality of Data frames
- Integrity of Management frames
  - These are specific media management frames not carried in data frames (e.g. 802.11 DISASSOCIATE)
  - Minimally, only accept control packets from authenticated links