SHIM6 Protocol Drafts Overview Geoff Huston, Marcelo Bagnulo, Erik Nordmark.

Slides:

Advertisements

Similar presentations

ID / LOC Split - Basic Approach Sender A Receiver B src = ULID(A) dst = ULID(B) src = ULID(A) dst = ULID(B) src = Loc(A) dst = Loc(B) src = Loc(A) dst.

Advertisements

Approaches to Multi-Homing for IPv6 An Architectural View of IPv6 MultiHoming proposals Geoff Huston 2004.

SHIM6 Update Geoff Huston Kurtis Lindqvist SHIM6 co-chairs.

1 An Update on Multihoming in IPv6 Report on IETF Activity IPv6 Technical SIG 1 Sept 2004 APNIC18, Nadi, Fiji Geoff Huston.

Adapted Multimedia Internet KEYing (AMIKEY): An extension of Multimedia Internet KEYing (MIKEY) Methods for Generic LLN Environments draft-alexander-roll-mikey-lln-key-mgmt-01.txt.

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Multihoming in IPV6 Habib Naderi Department of Computer Science University of Auckland.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

1 Address Selection, Failure Detection and Recovery in MULTI6 draft-arkko-multi6dt-failure-detection-00.txt Multi6 Design Team -- Jari Arkko, Marcelo Bagnulo,

Network Localized Mobility Management using DHCP

IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Internet Security CS457 Seminar Zhao Cheng. Security attacks interruption, interception, modification, fabrication passive attack, active attack.

Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

IPv4 and IPv6 Mobility Support Using MPLS and MP-BGP draft-berzin-malis-mpls-mobility-00 Oleg Berzin, Andy Malis {oleg.berzin,

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 © 2005 Nokia mobike-transport.ppt/ MOBIKE Transport mode usage and issues Mohan Parthasarathy.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

Transition Mechanisms for Ipv6 Hosts and Routers RFC2893 By Michael Pfeiffer.

Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

Host Identity Protocol

Made with OpenOffice.org 1 TCP Multi-Home Options Arifumi Matsumoto Graduate School of Informatics, Kyoto University, Japan

Overview of SHIM6 Multihoming Protocol Fuad Bin Naser Std. No A presentation for CSE6806: Wireless & Mobile Communication Networks.

Summary of Certification Process (part 1). IPv6 Client IPv6 packets inside IPv4 packets.

32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

IPv6 Home Networking Architecture - update IETF homenet WG Interim meeting Philadelphia, 6 th Oct 2011 draft-chown-homenet-arch-00.

March 7, 2005MOBIKE WG, IETF 621 Mobility Protocol Options for IKEv2 (MOPO-IKE) Pasi Eronen.

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Module 9: Designing Network Access Protection. Scenarios for Implementing NAP Verifying the health of: Roaming laptops Desktop computers Visiting laptops.

TCP/IP Protocols Contains Five Layers

Karlstad University IP security Ge Zhang

GBUTtem 机密此报告仅供 NGN 实验室内部使用。未经 NGN 实验室的书面许可，其它任何机构不得擅自传阅、引用或复制。 sando 09/10/2005 Site-Multihoming over IPv6.

PAWS: Security Considerations Yizhuang WU, Yang CUI PAWS WG

1 IETF 78: NETEXT Working Group IPSec/IKEv2 Access Link Support in Proxy Mobile IPv6 IPSec/IKEv2-based Access Link Support in Proxy Mobile IPv6 Sri Gundavelli.

IETF 81: V6OPS Working Group – Proxy Mobile IPv6 – Address Reservations 1 Reserved IPv6 Interface Identifier for Proxy Mobile IPv6 Sri Gundavelli (Cisco)

Node Information Queries July 2002 Yokohama IETF Bob Hinden / Nokia.

Guidance for Running Multiple IPv6 Prefixes (draft-liu-v6ops-running-multiple-prefixes-02) Bing Liu, Sheng Jiang (Speaker), Yang Bo IETF91

An Update on Multihoming in IPv6 Report on IETF Activity RIPE IPv6 Working Group 22 Sept 2004 RIPE 49 Geoff Huston, APNIC.

Approaches to Multi6 An Architectural View of Multi6 proposals Geoff Huston March 2004.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 11: Network Address Translation for IPv4 Routing And Switching.

IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.

IETF-90 (Toronto) DHC WG Meeting Wednesday, July 23, GMT IETF-90 DHC WG1 Last Updated: 07/21/ :10 EDT.

Mobile IPv6 with IKEv2 and revised IPsec architecture IETF 61

Real-Time Streaming Protocol draft-ietf-mmusic-rfc2326bis-01.txt Magnus Westerlund.

Shim6 Architecture Geoff Huston IETF-63 August 2005.

Site Multihoming for IPv6 Brian Carpenter IBM TERENA Networking Conference, Poznan, 2005.

NEMO Basic Support update IETF 61. Status IANA assignments done Very close to AUTH48 call Some issues raised recently We need to figure out if we want.

MPTCP Threat analysis draft-bagnulo-mptcp-threat-00 marcelo bagnulo IETF76 – MPTCP WG.

IETF #58 in Minneapolis1 IPv6 Address Assignment and Route Selection for End-to-End Multihoming Kenji Ohira Kyoto University draft-ohira-assign-select-e2e-multihome-02.txt.

Cryptography CSS 329 Lecture 13:SSL.

IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.

Dhc WG 3/2/2004, IETF 59, Seoul. 3/2/2004dhc WG - IETF 59, Seoul2 Agenda Administrivia, Agenda bashing Ralph Droms 05 minutes DHCP Option for Proxy Server.

Lecture 13 IP V4 & IP V6. Figure Protocols at network layer.

TLS/SSL Protocol Presented by: Vivek Nelamangala Includes slides presented by Miao Zhang on April Course: CISC856 - TCP/IP and Upper Layer Protocols.

PANA Issues and Resolutions

Instructor Materials Chapter 9: NAT for IPv4

Routing and Switching Essentials v6.0

Multi-addressed Multipath TCP

* Essential Network Security Book Slides.

Network Virtualization

Instructor Materials Chapter 9: NAT for IPv4

ID / LOC Split - Basic Approach

An Update on Multihoming in IPv6 Report on IETF Activity

Chapter 11: Network Address Translation for IPv4

Review of Internet Protocols Network Layer

Presentation transcript:

SHIM6 Protocol Drafts Overview Geoff Huston, Marcelo Bagnulo, Erik Nordmark

The Multi6 Problem how to support IPv6 end-site configurations that have multiple external connections to support application-level session resiliency across connectivity failure events how to use IPv6 multi-addressing and connection-based address aggregates to avoid overloading the routing system with site-based specific address advertisements

The SHIM6 Approach host-based solution (rather than host / router interaction) network layer approach – per host pair (rather than transport – per session) discoverable negotiated capability (rather than a new protocol service) no new identifier space

Shim6 From

Transport IP LOCATORS IDENTIFIERS SHIM Initial Contact No SHIM state active Locator Selection using RFC3484 Locators and Identifiers are Equivalent

Transport IP LOCATORS IDENTIFIERS SHIM SHIM6 Activation SHIM active Current Locator Sets exchanged Locators and Identifiers are Equivalent [context]

Transport IP LOCATORS IDENTIFIERS SHIM SHIM6 Locator Failure and Recovery Detect locator failure Explore for functioning locator pair Use new locator pair – preserve identifier pair Reachability Exchange [context]

SHIM6 Control Elements initial handshake (4-way) and locator set exchange locator list updates explicit locator switch request keepalive reachability probe exchange No-Context error exchange

SHIM6 Proto Issues Interaction with IPSEC BITW –Case where IPSEC is applied at the interface –Solution: implement part of shim6 proto in the BITW Is this an extension to SHIM6 decoders allowing variable Shim6 / IPsec header processing depending on header ordering? –It is possible to put shim6 on top of IPSec, maybe suboptimal (IKE for each locator pair) IPSec Transport mode vs. IPSec Tunnel mode This is not IPSec security for shim6 signalling

SHIM6 Proto Issues Provide shim6 security based on IPSec SAs –Option 1: use certificates with ULIDs in them How do you issue this certificates –Address autoconf, DHCP, Revocation –Option 2: use pre-existent IPSec trust relationships Still need to change IPSec so that SAs are dynamically created when a locator pair changes This is functionally what mobike does…

SHIM6 Proto Issues Support for multiple ULID security mechanisms –Already have HBA, CGA HBA/CGA hybrids –Is the protocol spec already sufficiently modular wrt ULID security? –Do we need to support other security mechanisms DNS SSL certificates –Do we need to support different security for client and server? –Do we need error messages to express no support for a sec mechanism? See key length section… DoS attacks based on exhausting the 2^47 context tag space –Would the 4-way handshake enough to protect this?

SHIM6 Proto Issues About forking –The whole point of shim6 is to make locator transparent to ULP, then why forking? –Examples of apps using forking –Transport Area AD request for support for different transports Allowing a shim6 host to continue using a renumbered prefix may create confusion and security issues –Proposal: remove recommendation about keeping shim6 context even if the prefix was renumbered Shim6 protocol should define minimum CGA key length? –What would be the minimum length? –Do we need to define an error message for different security mechanisms/key lengths? Currently ICMP parameter problem in the UPDATE case and silent discard in I2/R2 case Define the BROKEN flag

SHIM6 HBA Issues IPR Concerns –IPR statements on CGA with potential HBA relevance have been clarified to the WG Use of protocol structures that are compatible with CGA –Is this acceptable to the WG? IANA Considerations –Is “CGA Extension Type” a new IANA registry? RFC 4581 creates the CGA Extension type registry Security Considerations –Is the “Interaction with ISPEC” section finished? –Is the “SHA-1 Dependency” section finished? –draft-bagnulo-multiple-hash-cga-00 SECDIR review: added motivation, overview and threat model section Other Issues?

SHIM6 Failure Detection Issues Have all the identified issues been addresses in the -06 version of this draft?

Shim6 WG Last Call Is the WG ready to pass these 3 base drafts to the IESG for publication as Proposed Standard?