Transport Layer Security (TLS) in TWAMP: New Mode for Control Protocol. Al Morton, November 9, 2008.


Background
- Security measures were controversial for OWAMP and (quickly revisited for) TWAMP
- A compromise was reached (AES in CBC and ECB modes with HMAC for integrity protection)
- Key aspect of the “*WAMPs”: packet loss possible in Test protocol, no retransmit
- OWAMP Security Considerations discuss why TLS is unsuitable in TEST protocol
- RFC 4656 OWAMP requires TEST protocol mode to inherit the CONTROL protocol mode

Enter TWAMP
- Desire to add Mixed-Security Mode: Encrypted Control, Unauthenticated Test
- Uses current methods AES-CBC & HMAC
- draft-ietf-ippm-more-twamp-00 @ WGLC?
- Running TWAMP Test in clear frees resources, Encrypted Control still valuable
- Question: Do implementers see value in adopting TLS for the TWAMP-Control protocol? (With TWAMP-Test in the clear)

TLS Mode Investigation
- The NETCONF wg has reached consensus on a similar effort: NETCONF over TLS, draft-ietf-netconf-tls
- Requests a new TCP well-known port
- NETCONF Manager acts as TLS client
- NETCONF Agent listens as TLS server
- TLS Handshake (HS) begins with Manager/client sending TLS ClientHello
- After TLS HS, exchange NETCONF data

Modes Allowed with TLS

----------------------------------------------------
Protocol | Permissible Mode Combinations
----------------------------------------------------
Control  | Unauth.  | Encrypted | TLS
----------------------------------------------------
         | Unauth.  | Unauth.   | Unauth.
Test     |          | Auth.     |
         |          | Encrypted |
----------------------------------------------------

TLS Mode Feature (w-k port)

C-C                    Server
 |---------->|   TCP SYN (862)
 |<----------|   SYN-ACK
 |---------->|   ACK
 |<----------|   Server Greeting, TLS-Mode Feature, bit ? set
 |---------->|   Set-Up-Response (mod)
 |<--------->|   TLS Handshake
 |<----------|   Server Start (mod)

Modes Field Assignment for TLS

Value  Description                        Reference/Explanation
0      Reserved
1      Unauthenticated                    RFC4656, Section 3.1
2      Authenticated                      RFC4656, Section 3.1
4      Encrypted                          RFC4656, Section 3.1
8      Unauth. TEST protocol,             more-twamp memo (3)
       Encrypted CONTROL
-------------------------------------------------------
?      TLS CONTROL protocol,              new bit position (?)
       Unauth. TEST protocol
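An added example, not from the slides or from any TWAMP implementation, showing how a Control-Client would decode the Modes field of the Server Greeting and work out which protection the Control and Test protocols end up with under each selectable value, including the split modes where Test does not inherit the Control mode. Bit values 1, 2, 4 are RFC 4656 Section 3.1 and 8 is the mixed-security mode of the more-twamp memo; the TLS bit position is left open on the slides, so the value 16 used here is an assumed placeholder only.

```python
# Added example (not from the slides): decode the Modes field of a TWAMP
# Server Greeting and derive the protection each selectable mode gives the
# Control and Test protocols. Bits 1/2/4: RFC 4656 Section 3.1; 8: the
# mixed-security mode of the more-twamp memo. The TLS bit is unassigned on
# the slides, so 16 is an ASSUMED placeholder for illustration only.
import struct

UNAUTHENTICATED, AUTHENTICATED, ENCRYPTED = 1, 2, 4
MIXED_SECURITY = 8   # encrypted Control, unauthenticated Test
TLS_CONTROL = 16     # assumed placeholder, no RFC assigns this value

# bit -> (name, Control protection, Test protection). Under RFC 4656 Test
# inherits the Control mode; the two split modes are the exceptions.
MODES = {
    UNAUTHENTICATED: ("unauthenticated", "unauthenticated", "unauthenticated"),
    AUTHENTICATED: ("authenticated", "authenticated", "authenticated"),
    ENCRYPTED: ("encrypted", "encrypted", "encrypted"),
    MIXED_SECURITY: ("mixed-security", "encrypted", "unauthenticated"),
    TLS_CONTROL: ("tls-control", "TLS", "unauthenticated"),
}

def parse_modes(greeting: bytes) -> int:
    """Modes is the 4-octet big-endian field after the 12 unused octets
    that open the Server Greeting (RFC 4656 Section 3.1)."""
    if len(greeting) < 16:
        raise ValueError("Server Greeting too short")
    return struct.unpack("!I", greeting[12:16])[0]

def advertised_modes(modes: int) -> list:
    """Names of the modes whose bits the server set."""
    return [MODES[bit][0] for bit in MODES if modes & bit]

def select_mode(modes: int, preference: list) -> tuple:
    """First client-preferred mode the server offers, as
    (bit, Control protection, Test protection). No overlap means the client
    answers Modes=0 in its Set-Up-Response and closes the connection."""
    for bit in preference:
        if modes & bit:
            return (bit,) + MODES[bit][1:]
    raise ValueError("no common mode: send Modes=0 and close")

# Constructed sample: server offers Unauthenticated, Encrypted,
# Mixed-Security and the assumed TLS bit; other greeting fields zeroed.
SAMPLE_GREETING = (b"\x00" * 12
                   + struct.pack("!I", UNAUTHENTICATED | ENCRYPTED
                                 | MIXED_SECURITY | TLS_CONTROL)
                   + b"\x00" * 48)
```

With the constructed greeting, `select_mode(parse_modes(SAMPLE_GREETING), [AUTHENTICATED, MIXED_SECURITY])` returns `(8, 'encrypted', 'unauthenticated')`: Authenticated was not offered, so the client falls back to the mixed-security mode and its Test sessions run in the clear.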

TLS Mode Feature (new port)

C-C                    Server
 |---------->|   TCP SYN (86x)
 |<----------|   SYN-ACK (TLS Mode)
 |---------->|   ACK
 |---------->|   TLS ClientHello
 |<--------->|   TLS Handshake
 |<----------|   Server Greeting, Only New Features, bits Y,Z set
 |---------->|   Set-Up-Response (mod)
 |<----------|   Server Start (mod)

Summary
- A way to use TLS on TWAMP-Control protocol is “out there”; can probably count on SEC community to help
- But do we start on this n-year mission? Many issues raised in section 6.6 of OWAMP
- Will implementers/users see this as a valuable alternative to what we have now?
- Is this anybody’s “Ideal TWAMP”?
- Are there other questions we should ask?
- Let’s talk about it, now and on the list…

Backup

Security Modes MUST Match
- RFC4656 OWAMP requires TEST to match the CONTROL protocol: “All OWAMP-Test sessions that are spawned by an OWAMP-Control session inherit its mode.”
- Maybe clarify with a MUST in Errata…