802.1 AE/AF Platform considerations

Presentation transcript:

802.1 AE/AF Platform considerations
Ken Grewal, ken.grewal@intel.com
IEEE 802.1 Plenary, November 2004

Agenda
- Purpose
- Current Status
- Platform considerations
  - Authentication Protocol
  - Authorization (Posture, Policy)
  - Frame Format
- Other Considerations
- Conclusion

Purpose
- Clarify existing architecture, use cases, motives
- Introduce platform considerations
- Next steps…

Current Status
- 802.1AE: stable, but frozen until AF maturity
- 802.1AF: concept stage
- Device Identity definition
  - Not needed to complete this project
  - If MK provisioned manually, no need for device identity at all

Group based security
- Rationale
  - Key explosion / deployment considerations
  - Multicast / broadcast considerations
  - Others?
- Built on initial (undefined?) authentication
  - Likely P2P – 802.1X based / other
- AE
  - Shared symmetric key within group
  - Prone to spoofing – no data origin authenticity
    - Contrary to project PAR!
  - Compromising a single node can cause havoc in the CA
  - Node leaving the CA will force fresh master keys: refresh everyone!
  - Acceptable if every node implements TPM (TCG/TNC) like security – unlikely!
- AF
  - Applicability to leaf nodes (platform / host)
  - Group membership = 2
    - Redundancy in KSP negotiation fields for groups (Live List, potential list, …)
  - Group membership > 2
    - KC is not authentic and may be spoofed – does it matter?
  - Alternative AF protocol (manual / P2P)
- Group sharing attractive administratively, but does not offer all security services in claim => likely to be deployed with misconceptions about security offerings

AE / AF Interdependencies
- No need for tight coupling
  - AE usable without AF definition – OOB keys
  - Different AF (like) protocols may be mapped to AE
- Leaf nodes vs. core network / provider use cases
  - Leaf nodes leverage P2P key derivation protocol
  - Core leverages group based – if shared key acceptable
- Abstract group based architecture from AE
  - Pure L2 encapsulation description
  - Separate ‘context’ for environment

Platform Authentication Protocol
- Host has 1:1 (client-server) relationship with infrastructure device (e.g. switch)
- Mobility considerations
  - Single (mobile) host will support wired and wireless media
  - Consolidation of protocols / algorithms for ease of use / deployment
    - Single HW to service wired / wireless crypto requirements
- Requires a P2P authentication protocol
  - E.g. 802.11i (like) or PSK with n=2
  - Simple 4-way handshake based on PMK to derive PTK

Platform Authentication Posture
- Authentication alone insufficient for applying policy
- Need platform configuration / state to ensure platform conformance to IT policy: ‘posture’
- Using authentication / posture, PDP can make better informed policy decision
- Posture carrier protocol – which layer?
  - Post authentication mechanism (over controlled port)
    - 802.1X extension EAPOL-Posture?
    - 802.1AB TLV extensions?
    - Other?
  - E.g. EAP extension
    - If posture is part of overall authentication / key derivation, then SAK can be used as a demux for policy!

Platform Authentication Policy
- Result of authentication / posture evaluation
- PDP conveys policy to PEP
- Format?
  - Single status
  - Expanded status (specific filter rules)
  - Granular policy
- Protocol
  - Extension of 802.1X (EAPOL-Success)?
  - Other (OOB / EAP extension)?

Data path considerations
- Frame format consolidation (wired / wireless): 802.1AE vs. 802.11i
  - Separation of media specific params from encapsulation
  - After all, frame encapsulation is frame encapsulation is frame encapsulation!
  - All require Key-ID, enc, auth, PN (IV), [media specific stuff]
- Algorithms
  - GCM vs. CCM (assuming CCMP)
  - Shared HW

AE Frame Format

802.11i Frame Format
- MIC is weak, hence encrypted
- CCMP is similar
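Added here as an illustration, not code from the slides or from the 802.1AE / 802.11i specifications: a minimal Go encapsulation built only from the fields the data path slide says every format needs (a key identifier, a PN used as the IV, and encryption plus authentication, here AES-GCM), with the receiver rejecting replayed PNs and any change to the clear header. The 5-byte tag layout, the nonce construction and the function names are assumptions for the example, not the real SecTAG or CCMP header.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Hypothetical clear tag: key-id (1 byte) + PN (4 bytes); not the real SecTAG or CCMP layout.
const tagLen = 5

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a bad key length is a caller bug, not a frame error
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// Encapsulate returns tag || ciphertext || ICV. The tag travels in clear but is
// covered by the ICV as associated data, so key-id and PN cannot be altered.
func Encapsulate(key []byte, keyID uint8, pn uint32, payload []byte) []byte {
	tag := make([]byte, tagLen)
	tag[0] = keyID
	binary.BigEndian.PutUint32(tag[1:], pn)
	nonce := make([]byte, 12) // PN in the low 4 bytes: unique per key while PN never repeats
	binary.BigEndian.PutUint32(nonce[8:], pn)
	return newGCM(key).Seal(tag, nonce, payload, tag)
}

// Decapsulate rejects a replayed PN before the ICV check and advances lastPN only for a verified frame.
func Decapsulate(key []byte, lastPN *uint32, frame []byte) ([]byte, error) {
	if len(frame) < tagLen {
		return nil, errors.New("frame too short")
	}
	tag := frame[:tagLen]
	pn := binary.BigEndian.Uint32(tag[1:])
	if pn <= *lastPN {
		return nil, errors.New("replay: PN not above last accepted PN")
	}
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint32(nonce[8:], pn)
	pt, err := newGCM(key).Open(nil, nonce, frame[tagLen:], tag) // err: ICV mismatch
	if err == nil {
		*lastPN = pn
	}
	return pt, err
}
```

The strict "PN must increase" rule is the simplest form of the replay protection the PN gives; 802.1AE implementations allow a configurable replay window for reordered frames, which this example omits.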

Other Observations
- Aggregation Hub considerations in 802.1X
  - Seen as multiple logical ports within 802.1X?
  - Analogous to wireless VMs (next page)

More Observations
- VMs => Multi-core / multi-OS (Vanderpool)
  - Multiple identities for 802.1X to decipher, possibly over same Port / MAC!
  - Multiple network stacks
  - Single / multiple NICs
    - One physical port per VM – OK
    - One physical port per multiple VMs
      - Proxy model at L2
      - Single LinkSec entity representing all VMs
      - Local PEP – for VMs
- What is ‘device identity / posture’ in this context?

Conclusion
- De-couple AE / AF
  - Authentication protocol
  - Remove group based constraints from AE – this is really pertinent to usage model and could be an opaque context
  - Multiple AFs map to a single AE based on usage
- Authentication protocol
  - Can leverage existing work: 802.1X / EAP
  - Session key may be associated with posture / privilege and transparently used for policy
- Create synergies between wired & wireless
  - Assists in implementation: common algorithms / protocols for wired / wireless
  - Inherent value in adoption
  - Convergence of algorithms (GCM / CCM) over AES?
- Considerations of VMs for identity / authentication / authorization

Feedback?