WESP Extensions. IETF 76, IPsecme WG Meeting, 12-Nov-2009. Gabriel Montenegro, Ken Grewal.

Slide 2: Motivation

- WESP enables extra capabilities for traffic visibility to IPsec.
- At the same time, versioning and extensibility are now possible.
- Some mailing list discussions have pointed out that this is almost as useful as the base capabilities.
- Proposal: define the extensibility via options, along the lines of IPv6 options.

Slide 3: Some potential applications

Caveat: just for illustration; the main point is to request the WG to work on the extensibility capability for WESP.

- Padding option (the "hello world" of extensibility)
- Operations and management
  - connectivity verification (in-band)
  - error notification
  - SA monitoring option
- Encryption offset
- To carry security labels in labeled IPsec?

Main point: define the extensibility for any of the above and others.

Slide 4: WESP Extension (1)

    +---------------------------+
    |        WESP Header        |
    +---------------------------+
    |  WESP Extension Payload   |
    +---------------------------+
    |     ESP Encapsulation     |
    ~                           ~
    |                           |
    +---------------------------+

Slide 5: WESP Extension (2)

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Next Header  |    HdrLen     |  TrailerLen   |V|V|E|P|X|Flags|
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     Type      |    Length     |        Data (variable)        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                        Data (variable)                        |
    ~                                                               ~
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       ESP Encapsulation                       |
    ~                                                               ~
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Type: per IPv6 (RFC 2460)
- The high-order 2 bits specify the behavior when the option is not recognized:
  - 00: silently skip the option
  - 01: silently discard the packet
  - 10: discard and send an ICMP parameter error
  - 11: discard and send an ICMP parameter error if not multicast
- The next bit specifies the mutability of the option:
  - 0: immutable option (included in WESP's ICV)
  - 1: mutable option (NOT included in WESP's ICV)

Length: in octets, excluding the Type and Length fields
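A receiver-side walk through the option format on this slide, written as an added example (not code from the slides or from any WESP implementation): it parses the fixed WESP header and the Type/Length/Data options bounded by HdrLen, applies the high-order-bit rule for unrecognised options, and separates immutable options (covered by the ICV) from mutable ones. The X flag bit position, a Pad option being the only recognised type, and dropping mutable TLVs from the ICV input are assumptions of this example.

```python
# Top two bits of Type (as for IPv6 options, RFC 2460): receiver behaviour if unrecognised.
UNRECOGNIZED = {0b00: "skip", 0b01: "discard",
                0b10: "discard+icmp", 0b11: "discard+icmp-unless-multicast"}
MUTABLE_BIT = 0x20        # next bit: 1 = mutable, NOT covered by the WESP ICV
FIXED_LEN = 4             # Next Header, HdrLen, TrailerLen, Flags (one octet each)
KNOWN_TYPES = {0x00}      # assumption: only a Pad option is recognised here

# Constructed sample: HdrLen=12 covers the fixed header plus a Pad option (0x00, len 2)
# and a mutable skip-if-unknown option (0x20, len 2); Flags=0x08 sets the assumed X bit;
# the last four bytes stand in for the ESP encapsulation.
SAMPLE = bytes([50, 12, 0, 0x08, 0x00, 2, 0, 0, 0x20, 2, 0xAA, 0xBB, 0xDE, 0xAD, 0xBE, 0xEF])

def parse_wesp(pkt):
    """Return (flags, [(type, data), ...]). Options occupy offsets 4..HdrLen-1;
    the ESP encapsulation starts at HdrLen. Length excludes Type and Length."""
    if len(pkt) < FIXED_LEN or not FIXED_LEN <= pkt[1] <= len(pkt):
        raise ValueError("HdrLen outside packet")
    hdr_len, flags = pkt[1], pkt[3]     # Next Header [0] and TrailerLen [2] unused here
    opts, off = [], FIXED_LEN
    while off < hdr_len:
        if off + 2 > hdr_len:
            raise ValueError("truncated option header")
        typ, length = pkt[off], pkt[off + 1]
        if off + 2 + length > hdr_len:
            raise ValueError("option runs past HdrLen")
        opts.append((typ, pkt[off + 2:off + 2 + length]))
        off += 2 + length
    return flags, opts

def receiver_action(pkt, multicast=False):
    """'accept', 'discard' or 'discard+icmp'; the first discarding option decides."""
    for typ, _ in parse_wesp(pkt)[1]:
        if typ in KNOWN_TYPES:
            continue
        act = UNRECOGNIZED[typ >> 6]
        if act == "skip":
            continue
        if act == "discard+icmp-unless-multicast":
            return "discard" if multicast else "discard+icmp"
        return act
    return "accept"

def icv_covered(pkt):
    """ICV input from the header: fixed part plus immutable TLVs; mutable TLVs are
    omitted entirely (an assumed exclusion method, not specified on the slides)."""
    out = bytearray(pkt[:FIXED_LEN])
    for typ, data in parse_wesp(pkt)[1]:
        if not typ & MUTABLE_BIT:
            out += bytes([typ, len(data)]) + data
    return bytes(out)
```

Malformed HdrLen or an option that runs past HdrLen raises rather than reading into the ESP encapsulation, which is the check a real receiver needs before the ICV is even computed.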

Slide 6: Other considerations

- IKE negotiation similar to WESP:
  - notification USE_WESP_EXTENSIONS
- Flag versus new version number?
  - If a new version number is used, we don't need another flag.