An IPSec-based Host Architecture for Secure Internet Multicast R. Canetti, P-C. Cheng, F.Giraud, D. Pendarakis, J.R. Rao, P. Rohatgi, IBM Research D. Saha.

Slides:

Advertisements

Similar presentations

Advertisements

 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.

1/32 Internet Architecture Lukas Banach Tutors: Holger Karl Christian Dannewitz Monday C. Today I³SI³HIPHI³.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

October 22, 2002Serguei A. Mokhov, 1 Intro to Internet-services from Security Standpoint, Part II SOEN321-Information-Systems Security.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Implementing a Distributed Firewall

1 IP Multicasting. 2 IP Multicasting: Motivation Problem: Want to deliver a packet from a source to multiple receivers Applications: –Streaming of Continuous.

1 Pertemuan 11 IPSec dan SSL Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 25 Jonathan Katz.

Multicast Security CS239 Advanced Network Security April 16 th, 2003 Yuken Goto.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.

Host Identity Protocol

Advanced Computer Networks - IAIK 1 Gsenger, Nindl, Pointner Graz, Secure Anycast Tunneling Protocol.

PSeries Technical Conference L19 Brian Dolan-Goecke Atlanta, GeorgiaOctober 8-12, 2001 Linux VPN.

Chapter 17 Networking Dave Bremer Otago Polytechnic, N.Z. ©2008, Prentice Hall Operating Systems: Internals and Design Principles, 6/E William Stallings.

IP Ports and Protocols used by H.323 Devices Liane Tarouco.

Virtual Private Networking with OpenVPN Wim Kerkhoff Fraser Valley Linux Users Group April 15, 2004.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 3: TCP/IP Architecture.

What is a Protocol A set of definitions and rules defining the method by which data is transferred between two or more entities or systems. The key elements.

An Introduction to Encrypting Messages on the Internet Mike Kaderly INFS 750 Summer 2010.

1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

Overlay Network Physical LayerR : router Overlay Layer N R R R R R N.

CSC 600 Internetworking with TCP/IP Unit 8: IP Multicasting (Ch. 17) Dr. Cheer-Sun Yang Spring 2001.

CSCE 715: Network Systems Security

Design and Implementation of a Multi-Channel Multi-Interface Network Chandrakanth Chereddi Pradeep Kyasanur Nitin H. Vaidya University of Illinois at Urbana-Champaign.

PRESENTED BY P. PRAVEEN Roll No: 1009 – 11 – NETWORK SECURITY M.C.A III Year II Sem.

IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.

Lecture 11 Page 1 Advanced Network Security Cryptography and Networks: IPSec and SSL/TLS Advanced Network Security Peter Reiher August, 2014.

Karlstad University IP security Ge Zhang

IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.

CSC 600 Internetworking with TCP/IP Unit 7: IPv6 (ch. 33) Dr. Cheer-Sun Yang Spring 2001.

IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.

Chapter 32 Internet Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

Chapter 3 - VLANs. VLANs Logical grouping of devices or users Configuration done at switch via software Not standardized – proprietary software from vendor.

Anonymity - Background R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide.

IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.

Review of key networking techniques: –Reliable communication over unreliable channels –Error detection and correction –Medium access control –routing –Congestion.

1 Lecture 13 IPsec Internet Protocol Security CIS CIS 5357 Network Security.

Efficient Group Key Management in Wireless LANs Celia Li and Uyen Trang Nguyen Computer Science and Engineering York University.

Security Kim Soo Jin. 2 Contents Background Introduction Secure multicast using clustering Spatial Clustering Simulation Experiment Conclusions.

PAGE 1 A Firewall Control Protocol (FCON) draft-soliman-firewall-control-00 Hesham Soliman Greg Daley Suresh Krishnan

Chapter 25 Internet Routing. Static Routing manually configured routes that do not change Used by hosts whose routing table contains one static route.

IPSec – IP Security Protocol By Archis Raje. What is IPSec IP Security – set of extensions developed by IETF to provide privacy and authentication to.

IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.

Network Layer Security Network Systems Security Mort Anvari.

K. Salah1 Security Protocols in the Internet IPSec.

IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.

Lecture 10 Page 1 CS 236 Online Encryption and Network Security Cryptography is widely used to protect networks Relies on encryption algorithms and protocols.

VPNs & IPsec Dr. X Slides adopted by Prof. William Enck, NCSU.

Virtual Private Networking with OpenVPN

Encryption and Network Security

Zueyong Zhu† and J. William Atwood‡

Chapter 18 IP Security  IP Security (IPSec)

IT443 – Network Security Administration Instructor: Bo Sheng

IPSec IPSec is communication security provided at the network layer.

Goals Introduce the Windows Server 2003 family of operating systems

Presentation transcript:

An IPSec-based Host Architecture for Secure Internet Multicast R. Canetti, P-C. Cheng, F.Giraud, D. Pendarakis, J.R. Rao, P. Rohatgi, IBM Research D. Saha Lucent Technologies

Motivation In today’s Internet the need for efficient and secure multicast communication is growing. Most works on designing secure multicast mechanisms concentrate on the global architecture and design of group control entities. We present a host architecture for a member in a secure multicast group.

In this talk: Background on secure IP multicast: –Some applications –Security requirements –Overall design of secure IP multicast groups (as developed in the IRTF) Basic design tenets of host architecture Overview of the design Outstanding issues

Multicast communication: Whenever there are multiple recipients Typical applications: –File and software updates –News-feeds –Video/audio broadcasts –Virtual conferences, town-hall meetings –Multiparty video games

Security requirements Limiting access to group communication: –Long-term secrecy –Ephemeral access restriction Authentication: –Group –Source Anonymity Availability ( against denial of service attacks)

Work done at the Secure Multicast Group (SMuG) of the IRTF: Set focus on prominent scenarios and issues Develop overall architecture for secure IP multicast and research for appropriate protocols that can be standardized

A prominent scenario: One-to-many communication Medium to large groups (10-100K) Centralized group management No trust in group members Need source authentication, ephemeral encryption Dynamic membership

Global architecture for secure multicast (I): Control communication Data communication Group center Group member (sender/receiver)

Global architecture for secure multicast (II): Control communication Data communication Group controllers Group member (sender/receiver)

Host architecture: Design tenets The security mechanism should be independent of the routing method. Separate key management from data handling Use existing components when possible (In particular, IPSec) Minimize changes to OS kernel Maintain ability to plug-in different crypto algorithms

An IPSec-based design Motivation: –Build on solid and (soon to be) ubiquitous protocol. –Provides security in kernel, minimal load on applications. Drawbacks: –Tie the design to existing protocols –Have to deal with compatibility

The architecture at a glance Control API Data API Multicast Internet Key Exchange Source Authentication Module AH/ESP (IPSEC) Multicast Secu- rity Association Line (group controller) Line (group members) OS kernel App. space

IPSEC transforms (AH/ESP): -Data encryption with group key -Group authentication with group key -Operates on individual packets (No state across packets)

SAM Signing data efficiently requires: -Signing data in large chunks -Keeping state across packets Therefore, SAM is in transport layer (UDP), operates on UDP frames. Possible realizations: [Wong-Lam 98], [Rohatgi 99], [C+ 99], [Perrig et.al. 00],...

MSA is a database that holds: - IPSec SA for AH/ESP (group key, algorithms, group address, etc.) - Information for SAM (Signing/verification keys, algorithms, etc.) - Re-keying information for MIKE (e.g. path in “LKH tree”) - Point-to-point SA with the center Note: MSA is periodically updated by MIKE.

MIKE: - Invoked by API to join/leave multicast group. Join/leave interaction done via standard point-to-point secure connection (such as IPSec, SSL) with the center. - Receives key updates from controller and updates MSA -Key updates assume a “reliable multicast shim”. (Can be implemented by any general RM protocol or by a special purpose protocol.)

Design of MIKE Secure 1-1 connection With center Registration and de-registration Use any secure channel prot. (IPSec/TLS/…) Reliable mcast From center Periodic key updates Create MSA Update MSA Intra-host Network

Outstanding issues Handling multi-user hosts: Need to provide intra-host access control. –MSA must list member applications/users –Allow only members to listen to group traffic. Can do either: In kernel. (More efficient, needs kernel modification) Using daemon process (Less efficient, no kernel modification).

Outstanding issues MSA identification and choice of SPI: –An IPSec SA is identified by receiver address, SPI, protocol. SPI is chosen by the receiver. –Here SPI cannot be chosen by receiver. –Instead it is chosen by the group center. Replay protection field: –In IPSec, increasing counter set by sender, receiver free to ignore. –Unchanged for single sender multicast. With multiple senders receiver must ignore.

Validation of architecture Implemented the architecture on Red Hat Linux 5.1, using Freeswan version 0.91 implementation of IPSec. Needed a “patch” to make Fswan work with IP-multicast (class D) packets. (Seems to be a pecularity of Fswan implementation.) Architecture works smoothly, with good performance.

Conclusion Described an IPSec-based host architecture for secure multicast. Architecture is compliant with global architecture as developed in the IRTF. Can be installed with little or no modification to OS k ernel, with good performance.