Dynamic Virtual Networks (DVNE) Margaret Wasserman & Paddy Nallur November 11, 2010 IETF 79 -- Beijing, China.


Two Drafts
– DVNE Framework: explains how Dynamic Virtual Networks are constructed
– DVNE Protocol: describes a provisioning protocol to dynamically provision Dynamic Virtual Networks

Static Virtual Networks
[Diagram: nodes A1-A4 and B1-B4 reached across the Internet through NATs and a CGN]

Issues to Address
Node-to-Node Virtual Networks
– Connectivity can be hard to establish because of NATs, IPv4-to-IPv6 coexistence technologies, firewalls, etc.
– Large virtual networks are unmanageable because virtual network parameters (remote endpoint addresses, credentials, etc.) must be configured on every node.
– Each node maintains state for every other node in the network, even if they never communicate.
Site-to-Site Virtual Networks
– No consistent end-to-end security
– Security depends on physical topology
No support for flexible, centralized administration and provisioning

Functional Elements
[Diagram: DVNE Mediator, VN Node, Edge Network]

Basic Operation of Mediator
– Client desires a DVNE connection to another host in the VN and asks the mediator
– Mediator authenticates the client
– Mediator provisions both ends of the connection
  – Local IP address, address list for the peer, STUN server address, credentials for the secure tunnel, etc.
– VPN connection is established by the endpoints
  – Using an IPsec tunnel or DTLS
  – May use ICE, STUN or other mechanisms as needed to establish connectivity

Dynamic, On-Demand Connection
[Diagram: DVNE Mediator, with Node A and Node B as VN Nodes on Edge Networks]
– Node A requests a connection to Node B
– Mediator provisions Node A and Node B
– Secure connection from Node A to Node B
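The mediator exchange on the two slides above, as an added toy model in Python; it is not part of the presentation and not code from any DVNE implementation or prototype. Assumptions not taken from the slides: the client request is authenticated with a per-node HMAC over a fresh nonce (the slides name TLS for authentication), authorization is a static allow-list of node pairs, the tunnel credential is a fresh random pre-shared key, the tunnel type is fixed to IPsec, and the STUN server, node names, secrets and addresses are constructed sample data. What it shows is the sequence the slides describe: the mediator authenticates the requester, checks that the pair may connect, and pushes the listed parameters (local VN address, peer address list, STUN server, tunnel credential) to both endpoints, so a node holds tunnel state only for peers it has actually asked for rather than for every node in the VN.

```python
"""Toy model of the DVNE mediator provisioning exchange (constructed example, not DVNE code)."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Assumed STUN server handed to both endpoints; not taken from the slides.
STUN_SERVER = "stun.example.net:3478"


@dataclass
class Node:
    """A VN node. It keeps tunnel state only for peers the mediator has provisioned."""
    name: str
    vn_addr: str            # address inside the virtual network
    candidates: list        # addresses at which the node may be reachable (for ICE/STUN)
    secret: bytes           # long-term credential shared with the mediator (assumed: HMAC key)
    peers: dict = field(default_factory=dict)  # per-peer tunnel parameters, created on demand

    def request(self, peer: str) -> dict:
        """'Provision me a connection to <peer>', authenticated with an HMAC over a fresh nonce."""
        nonce = secrets.token_hex(8)
        msg = f"{self.name}|{peer}|{nonce}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        return {"from": self.name, "to": peer, "nonce": nonce, "mac": mac}

    def provision(self, cfg: dict) -> None:
        """Install the tunnel parameters the mediator pushed for one peer."""
        self.peers[cfg["peer"]] = cfg


class Mediator:
    """Authenticates requests, checks policy, and provisions both ends of a connection."""

    def __init__(self, nodes: list, policy: set):
        self.nodes = {n.name: n for n in nodes}
        self.policy = policy          # allowed (requester, peer) pairs
        self.seen_nonces = set()      # replay protection for requests

    def _authenticate(self, req: dict) -> bool:
        node = self.nodes.get(req["from"])
        if node is None or req["nonce"] in self.seen_nonces:
            return False
        msg = f"{req['from']}|{req['to']}|{req['nonce']}".encode()
        expected = hmac.new(node.secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["mac"]):
            return False
        self.seen_nonces.add(req["nonce"])
        return True

    def handle(self, req: dict) -> bool:
        """Returns True and provisions both endpoints, or False if the request is refused."""
        if not self._authenticate(req):
            return False
        requester = self.nodes[req["from"]]
        peer = self.nodes.get(req["to"])
        if peer is None or (requester.name, peer.name) not in self.policy:
            return False
        psk = os.urandom(32)  # fresh per-connection tunnel credential, never reused
        for local, remote in ((requester, peer), (peer, requester)):
            local.provision({
                "peer": remote.name,
                "local_addr": local.vn_addr,
                "peer_candidates": list(remote.candidates),  # fed to ICE/STUN checks
                "stun_server": STUN_SERVER,
                "tunnel": "ipsec",     # assumed fixed here; both sides get the same choice
                "psk": psk,
            })
        return True


def build_network():
    """Constructed sample topology: A and B may connect to each other, C may not."""
    nodes = [
        Node("A", "10.77.0.1", ["192.0.2.10:4500", "203.0.113.5:4500"], b"a-secret"),
        Node("B", "10.77.0.2", ["198.51.100.7:4500"], b"b-secret"),
        Node("C", "10.77.0.3", ["198.51.100.9:4500"], b"c-secret"),
    ]
    policy = {("A", "B"), ("B", "A")}
    return Mediator(nodes, policy), {n.name: n for n in nodes}


if __name__ == "__main__":
    med, nodes = build_network()
    a, b, c = nodes["A"], nodes["B"], nodes["C"]
    print("A->B provisioned:", med.handle(a.request("B")))
    print("A and B share a PSK:", a.peers["B"]["psk"] == b.peers["A"]["psk"])
    print("A->C (policy denies):", med.handle(a.request("C")))
    print("peers known to A:", sorted(a.peers))
```

Two details worth noting: the mediator refuses a replayed request (the nonce is remembered) and a request whose MAC was computed with another node's secret, which is the difference between "the client asks" and "the mediator authenticates the client" on the slide; and provisioning is symmetric, so Node B learns A's candidate list and the shared credential without B ever having been configured with anything about A beforehand.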

Dynamic Virtual Network
[Diagram: the same nodes A1-A4 and B1-B4 behind NATs and a CGN, now connected as a Dynamic Virtual Network]

Current IETF Solutions Used
– Various VPN/secure tunnel solutions, such as IPsec or DTLS
– TLS for authentication
– ICE/STUN for NAT traversal
The DVNE protocol does not replace these technologies; it provisions nodes with the information to use them.

Missing Piece
– The IETF has no generic service provisioning protocol to use for Client-to-Mediator communication
– Existing management protocols have a different model
  – "Configure yourself" rather than "provision me"
  – No ability to trigger provisioning of a service across multiple nodes
– Existing data models (MIBs, YANG modules) could be used to hold the data

Status of DVNE Work
– Current work focuses on a DVNE protocol for network authentication, DVNE service provisioning and virtual network set-up
– Work underway on a national standard in China for the DVNE Framework
  – Combined work of Huawei Symantec, ZTE and China Mobile
– Prototype code up and running

Specific vs. General in the IETF
– Specific need for a Dynamic Virtual Network provisioning protocol
– The IETF may have a more general need for a generic service provisioning protocol that could be applied to this space and others
– Which should we pursue in the IETF?

Questions
– Should we work on this topic in the IETF?
– Should we pursue a specific or general solution?
  – Specific: DVNE protocol to provision VNs
  – Generic: generic service provisioning protocol, plus a data model for provisioning VNs
– Should we do the work here in the Ops Area WG? In a separate Ops/NM WG? Elsewhere?