Securing PIM-SM Link-Local Messages J.W. Atwood Salekul Islam Concordia University draft-atwood-pim-sm-linklocal-01.

Slides:



Advertisements
Similar presentations
Router Identification Problem Statement J.W. Atwood 2008/03/11
Advertisements

Internet Protocol Security (IP Sec)
IPv6 Keith Wichman. History Based on IPv4 Based on IPv4 Development initiated in 1994 Development initiated in 1994.
Internet Security CSCE 813 IPsec
Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536) Prepared by Dr.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
IP Security. n Have a range of application specific security mechanisms u eg. S/MIME, PGP, Kerberos, SSL/HTTPS n However there are security concerns that.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
IPv6 Mobility David Bush. Correspondent Node Operation DEF: Correspondent node is any node that is trying to communicate with a mobile node. This node.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
1 IPsec Youngjip Kim Objective Providing interoperable, high quality, cryptographically-based security for IPv4 and IPv6 Services  Access.
IP Security. IPSEC Objectives n Band-aid for IPv4 u Spoofing a problem u Not designed with security or authentication in mind n IP layer mechanism for.
VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux.
CCSDS IPsec Compatibility Testing 10/28/2013 OKECHUKWU MEZU CHARLES SHEEHE CCSDS GRC POC.
1 IPsec High Availability Extensions to IKE & IPsec for Support of High Availability and Load Balancing Solutions Yoav Nir November 2009.
7/14/2003IETF57 PANA enabling IPsec based Access control draft-mohanp-pana-ipsec-00.txt Mohan Parthasarathy Tahoe Networks - Presented by Hannes Tschofenig.
Automatic VPN Client Recovery from IPsec Pass-through Failures Dr. José Brustoloni Dept. Computer Science, University of Pittsburgh 210 S. Bouquet St.
CSCE 715: Network Systems Security
Security Issues in PIM-SM Link-local Messages J.W. Atwood, Salekul Islam {bill, Department.
IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.
8-1 Chapter 8 Security Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 part 4: Securing IP.
Multicast Routing Protocols. The Need for Multicast Routing n Routing based on member information –Whenever a multicast router receives a multicast packet.
Karlstad University IP security Ge Zhang
IPsec Introduction 18.2 Security associations 18.3 Internet Security Association and Key Management Protocol (ISAKMP) 18.4 Internet Key Exchange.
IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.
© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 4: Configuring Site to Site VPN with Pre-shared keys.
1 Virtual Private Networks (VPNs) and IP Security (IPSec) G53ACC Chris Greenhalgh.
IP Security: Security Across the Protocol Stack. IP Security There are some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS.
1 CMPT 471 Networking II Authentication and Encryption © Janice Regan,
IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.
Internet Key Exchange IKE ● RFC 2409 ● Services – Constructs shared authenticated keys – Establishes shared security parameters – Common SAs between IPSec.
IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.
Securing Data Transmission and Authentication. Securing Traffic with IPSec IPSec allows us to protect our network from within IPSec secures the IP protocol.
Encapsulated Security Payload Header ● RFC 2406 ● Services – Confidentiality ● Plus – Connectionless integrity – Data origin authentication – Replay protection.
1 Lecture 13 IPsec Internet Protocol Security CIS CIS 5357 Network Security.
Mobile IPv6 with IKEv2 and revised IPsec architecture IETF 61
Virtual Private Network Configuration
Internet Security CSCE 813 IPsec. CSCE813 - Farkas2 TCP/IP Protocol Stack Application Layer Transport Layer Network Layer Data Link Layer.
Authentication Header ● RFC 2402 ● Services – Connectionless integrity – Data origin authentication – Replay protection – As much header authentication.
Link-local security J.W. Atwood, S. Islam PIM Working Group 2007/12/04
1 IPSec: Security at the IP Layer Rocky K. C. Chang 15 March 2007.
Group Key Management for PIM-SM Routers J.W. Atwood, Salekul Islam Concordia University supplement to draft-ietf-pim-sm-linklocal-00.
IPSec – IP Security Protocol By Archis Raje. What is IPSec IP Security – set of extensions developed by IETF to provide privacy and authentication to.
IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.
RPSEC WG Issues with Routing Protocols security mechanisms Vishwas Manral, SiNett Russ White, Cisco Sue Hares, Next Hop IETF 63, Paris, France.
1 IPSec: An Overview Dr. Rocky K. C. Chang 4 February, 2002.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Network Layer Security Network Systems Security Mort Anvari.
Link-local security J.W. Atwood, S. Islam PIM Working Group 2007/07/25
Securing Access to Data Using IPsec Josh Jones Cosc352.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
8-1Network Security Virtual Private Networks (VPNs) motivation:  institutions often want private networks for security.  costly: separate routers, links,
8/02/2005IETF-63 MSEC IPsec extensions page 1 Brian Weis, Cisco Systems George Gross, IdentAware ™ Security Dragan Ignjatic, Polycom IETF-63, Paris, France,
Zueyong Zhu† and J. William Atwood‡
Chapter 18 IP Security  IP Security (IPSec)
Internet and Intranet Fundamentals
IT443 – Network Security Administration Instructor: Bo Sheng
Distributed Keyservers
In-Band Authentication Extension for Protocol Independent Multicast (PIM) draft-bhatia-zhang-pim-auth-extension-00 Manav Bhatia
Group Key Management for PIM-SM Routers
Presentation transcript:

Securing PIM-SM Link-Local Messages J.W. Atwood Salekul Islam Concordia University draft-atwood-pim-sm-linklocal-01

Problem Statement PIM-SM draft says Recommend AH Assume manual keying, but allow automatic If IPsec, MUST authenticate all Anti-replay SHOULD be enabled AH says SHOULD NOT offer anti-replay when manually keyed

cont IPsec says Security Policy Database (SPD) cannot represent a creation policy for a multicast SA Therefore, only manually-configured SAD entries are possible Apparent conclusion We should not activate anti-replay for PIM Link- local messages Actual conclusion We can, it’s just harder…

Per-interface or per-sender? PIM-SM says Per-interface may be useful IPsec says No (longer) need to support per-interface AH says Use SPI + destination + source for SSM Use SPI + destination for ASM

Who talks to whom? Link-local messages go from one router to all its peer routers Since all routers use ALL_PIM_ROUTERS, it looks like an ASM group In fact, this is a collection of SSM groups Therefore All the counsel against anti-replay for multi-sender multicast groups does not apply Link-local SA SHOULD be established as an SSM group

Choices Declare that ALL_PIM_ROUTERS operates as an SSM group when IPsec is enabled This may be hard, because ALL_PIM_ROUTERS is used for BSR communication Define LINK_LOCAL_PIM_ROUTERS or SECURE_PIM_ROUTERS to be in the SSM address range But, we will need to secure BSR communication as well

Manual Key Configuration Number of peers will be small AH says Anti-replay SHOULD NOT be provided if SAs are manually keyed Choices Override AH (RFC 4302) Define a negotiation protocol to ensure key generation and SA refresh on counter overflow

Counter Overflow If Extended Sequence Number is specified, 2 64 control packets can be sent This may justify overriding the AH prohibition. Otherwise, we are prepared to work on defining the necessary negotiation protocol

Validation This proposal was formally validated, as part of the Master’s Thesis of Salekul Islam, using PROMELA and the SPIN tool. Salekul Islam and J. William Atwood, "Security Issues in PIM-SM Link-local Messages", Proceedings of IEEE LCN 2004, Tampa, FL, 2004 November , pp

Contact Information PPT/PDF of these slides are at IETF66-LinkLocal-01.ppt or IETF66-LinkLocal-01.pdf addresses

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.