Security Issues in PIM-SM Link-local Messages <draft-atwood-pim-sm-linklocal-00.txt>
J.W. Atwood, Salekul Islam, Department of Computer Science and Software Engineering, Concordia University

1. PIM Link-local Messages

- Protocol Independent Multicast - Sparse Mode (PIM-SM) is very widely used, due to its scalability and flexibility.
- Most of the PIM-SM control messages (Hello, Join/Prune and Assert) fall into the link-local category.
- PIM link-local messages are sent to adjacent routers with
  - TTL = 1,
  - source address = a link-local address of the interface on which the message is being sent, and
  - destination address = ALL_PIM_ROUTERS (a multicast address).
- If a forged link-local message is sent by an attacker, it may affect the construction of the distribution tree. The effects vary from very severe to minor for different types of forged messages.
- Our goal is to protect the PIM link-local messages from all sorts of attacks.

2. Security Issues in Present I-D

- To authenticate PIM link-local messages, the PIM-SM I-D recommends IP security (IPsec) in transport mode with the Authentication Header (AH) protocol.
- The key features of this proposal are:
  1. The IPsec and AH specifications do not permit the anti-replay option when a Security Association (SA) is identified by a multicast destination address (i.e., ALL_PIM_ROUTERS). Therefore, the PIM-SM I-D recommends that the anti-replay option be disabled for these SAs.
  2. SAs will be configured manually, although the I-D does not preclude the use of a negotiation protocol such as the Internet Key Exchange.
  3. A router is permitted to activate an SA per interface to use a different authentication method for each link. Although the destination address is the same for all link-local PIM packets, the selected SA for an inbound PIM packet can vary depending on the inbound interface.
  4. The SPI will be assigned zero in all cases.

3. Limitations of Present I-D

Anti-replay is disabled:
  1. Unable to differentiate an already received packet from a fresh one.
  2. Wastage of receiver's resources.
  3. Vulnerable to DoS attack.
  4. An attacker may change any Join, Prune, Assert or Hello state within a router.

SA lookup process for inbound packets:
  1. Three parameters (Destination Address = ALL_PIM_ROUTERS, SPI = 0, Protocol used = AH) are used, and these are always fixed.
  2. It is not possible to distinguish an SA using the Security Association Database entries.
  3. It is not possible to use a different authentication method for each router interface (assuming the rules of RFC 2402).

4. Our Proposal - Activating Anti-replay

- Activate the anti-replay mechanism and maintain a different sliding window for each peer.
- Note: we must establish one SA per peer sender in the case where more than one sender is connected through the same interface (rather than one SA per interface). This is possible because the new AH Internet-Draft permits using the sender address in the SA lookup.
- [Figure: example topology with routers R1 to R7.] In this topology, R5 will maintain 3 sliding windows and R7 will maintain 2 sliding windows.

5. Our Proposal – Refine SA Lookup

Use (sender address, SPI) in the SA lookup process instead of (destination address, SPI, protocol).
- This eliminates the errors present in the SA lookup process of the PIM-SM Internet-Draft.
- For an incoming packet, the sender address is unique. In conjunction with the SPI, it becomes possible to determine a specific SA for that sender from the SAD entries.
- Use of the sender address to index the SA lookup has been accepted in a recent version of the AH Internet-Draft.
- Note: SPI = 0 is forbidden by the AH Internet-Draft. A different value must be defined in the PIM-SM I-D.

6. Manual Key Config. & Use of ESN

- Manual key configuration will be more feasible than automatic key configuration.
- The network administrator will configure a router manually during its boot-up process, providing the SA that should be used to send link-local messages by creating the SAD and SPD entries for each sender connected to this router.
- In the AH Internet-Draft there is a provision for a 64-bit Extended Sequence Number (ESN) as the sequence number for the anti-replay mechanism.
- If we use ESN, we can send up to 2^64 packets on one SA. This number is so large that, from a PIM router's point of view, a PIM router can never exceed it in its lifetime.
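The following is an added example, not code from the authors or from either Internet-Draft. It models the receive path described in slides 3 to 6 in a single toy: the current I-D scheme (one SA per interface, SPI 0, anti-replay disabled, SA found by destination address, SPI and protocol) next to the proposed scheme (one SA per peer sender, non-zero SPI, SA found by sender address and SPI, a per-peer sliding window driven by a 64-bit ESN). It assumes HMAC-SHA256 as a stand-in for the AH integrity algorithm, a 64-packet window, and the addresses, key and PIM message bodies are constructed placeholders.

```python
# Added example; the key, peer addresses, window size and message bodies are assumptions.
import hashlib
import hmac
from dataclasses import dataclass

ALL_PIM_ROUTERS = "ff02::d"   # IPv6 ALL_PIM_ROUTERS group
PROTO_AH = 51
WINDOW_SIZE = 64              # assumption; RFC 4302 requires a window of at least 32
ESN_MAX = (1 << 64) - 1       # 64-bit Extended Sequence Number space


@dataclass
class Packet:
    src: str       # link-local address of the sending router
    spi: int
    seq: int       # ESN value (real AH carries only the low 32 bits on the wire)
    payload: bytes
    icv: bytes


@dataclass
class SA:
    key: bytes
    anti_replay: bool
    highest: int = 0   # highest ESN accepted on this SA
    window: int = 0    # bitmap: bit k set <=> ESN (highest - k) already received


def compute_icv(key, src, spi, seq, payload):
    """Integrity check value over what AH covers: immutable IP fields, AH fields, payload."""
    msg = f"{src}|{ALL_PIM_ROUTERS}|{spi}|{seq}|".encode() + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def send(key, src, spi, seq, payload):
    return Packet(src, spi, seq, payload, compute_icv(key, src, spi, seq, payload))


def replay_check(sa, seq):
    """Sliding-window anti-replay in the style of RFC 4302; slides the window on acceptance."""
    if not sa.anti_replay:
        return True                      # current I-D: any packet with a valid ICV passes
    if seq == 0 or seq > ESN_MAX:        # 0 is never a valid sequence number
        return False
    if seq > sa.highest:                 # new high-water mark: shift the window forward
        shift = seq - sa.highest
        sa.window = (sa.window << shift) & ((1 << WINDOW_SIZE) - 1) if shift < WINDOW_SIZE else 0
        sa.window |= 1
        sa.highest = seq
        return True
    diff = sa.highest - seq
    if diff >= WINDOW_SIZE or sa.window & (1 << diff):
        return False                     # too old, or already seen: a replay
    sa.window |= 1 << diff
    return True


class PimReceiver:
    def __init__(self, per_sender):
        self.per_sender = per_sender   # False: current I-D lookup; True: proposed lookup
        self.sad = {}
        self.neighbor_state = {}       # constructed: sender -> last accepted PIM message

    def _index(self, src, spi):
        return (src, spi) if self.per_sender else (ALL_PIM_ROUTERS, spi, PROTO_AH)

    def add_sa(self, key, src=None, spi=0, anti_replay=False):
        self.sad[self._index(src, spi)] = SA(key, anti_replay)

    def receive(self, pkt):
        sa = self.sad.get(self._index(pkt.src, pkt.spi))
        if sa is None:
            return "no-sa"
        expected = compute_icv(sa.key, pkt.src, pkt.spi, pkt.seq, pkt.payload)
        if not hmac.compare_digest(pkt.icv, expected):
            return "bad-icv"
        if not replay_check(sa, pkt.seq):
            return "replay"
        self.neighbor_state[pkt.src] = pkt.payload
        return "accepted"


def demo():
    key = b"manually-configured-link-key"      # constructed
    r2, r3 = "fe80::2", "fe80::3"              # constructed peers on the same link
    prune, join = b"PRUNE (S,G)", b"JOIN (S,G)"
    out = {}
    # Current I-D: one SA for the interface, SPI 0, anti-replay disabled.
    cur = PimReceiver(per_sender=False)
    cur.add_sa(key)
    captured = send(key, r2, 0, 5, prune)      # an attacker records this Prune
    out["current"] = [cur.receive(captured), cur.receive(send(key, r2, 0, 6, join)),
                      cur.receive(captured)]   # the replayed Prune is accepted again
    out["current_state"] = cur.neighbor_state[r2]
    # Proposed: one SA per peer sender, non-zero SPI, per-peer anti-replay window.
    prop = PimReceiver(per_sender=True)
    prop.add_sa(key, src=r2, spi=0x100, anti_replay=True)
    prop.add_sa(key, src=r3, spi=0x100, anti_replay=True)
    captured = send(key, r2, 0x100, 5, prune)
    out["proposed"] = [prop.receive(captured), prop.receive(send(key, r2, 0x100, 6, join)),
                       prop.receive(captured)]  # the replay is rejected
    out["proposed_state"] = prop.neighbor_state[r2]
    # Why one SA per peer: R2's counter is far ahead of R3's; independent windows accept both,
    # whereas a single window shared by both senders would reject R3's packet as too old.
    out["per_peer"] = [prop.receive(send(key, r2, 0x100, 100, join)),
                       prop.receive(send(key, r3, 0x100, 1, join))]
    shared = SA(key, anti_replay=True)
    out["shared_window"] = [replay_check(shared, 100), replay_check(shared, 1)]
    return out
```

Running `demo()` shows the current scheme accepting the replayed Prune and reverting R2's state to pruned, while the proposed scheme reports "replay" and keeps the Join; the last two entries show why the window must be per peer sender rather than per interface.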

7. Validation & Conclusions

Validation
- We have formally validated the proposal.

Conclusions
- We have proposed a very simple and complete solution to protect the PIM link-local messages.
- It is possible to achieve protection once the new AH Internet-Draft is adopted.
- We have been careful so that our solution does not add much overhead and is compatible with the original specification of PIM-SM.

8. Further Reading

1. Islam, S. "Security Issues in PIM-SM Link-Local Messages". Master's Thesis, Department of Computer Science and Software Engineering, Concordia University, December.
2. Atwood, J.W., Islam, S. "Security Issues in PIM-SM Link-local Messages". Internet Draft, draft-atwood-pim-sm-linklocal-00, Work in Progress, October.
3. Fenner, B., Handley, M., Holbrook, H., Kouvelas, I. "Protocol Independent Multicast - Sparse Mode (PIM-SM): Protocol Specification (Revised)". Internet Draft, Work in Progress, October.
4. Kent, S. "IP Authentication Header". Internet Draft, Work in Progress, October 2004.