Secure Neighbor Discovery in IPv6
Jari Arkko, Ericsson Research
James Kempf, DoCoMo US Labs

Neighbor and Router Discovery Security

[Figure: routers and hosts exchanging Router Discovery (RD), Neighbor Unreachability Detection (NUD), Neighbor Discovery (ND) and Duplicate Address Detection (DAD) messages]

Vulnerabilities:
  Routers could be spoofed
  Neighbors could be spoofed
  Blocking address allocation (an attacker answers every DAD probe, so the host never gets an address)
Secure upper layers help, but do not prevent all attacks
Problems with "just use IPsec":
  Number of SAs very high: 2*N+2 per node
  Chicken-and-egg problem: IPsec key management needs an address and a reachable peer, which is exactly what ND is supposed to provide
  Does not help with authorization: IPsec can authenticate a peer, but says nothing about whether that peer may act as a router or may claim a given address

SEND WG Approach

BOF in 2002
Final RFCs out this week (we hope)
Solution consists of:
  Securing router discovery
  Securing operations on hosts' addresses, such as DAD, or responses to solicitations

Solution - Router Discovery

Every router has a certificate from a trust anchor
Clients know what trust anchor they trust
Hosts pick routers that can show a certificate chain to the trust anchor
(During a transition hosts can still allow non-secure routers if no secure routers are present. Note that this fallback is a downgrade path: an attacker who can keep the legitimate router's advertisements from reaching a host becomes the only router it sees.)

Solution - Operations on Addresses

[Figure: Host A, with address A = prefix | hash(public key A)]

Approach based on "zero config" security: Cryptographically Generated Addresses (CGAs)
In verifying a response to neighbor discovery, duplicate address detection, and so on, check that:
  1) The responder's address is a hash of a public key
  2) There is a signature from the associated private key
Attackers can come up with new addresses, but they cannot take over an address of an existing host or router: they do not have the private key!
(CGAs bind an address to a key, not to an identity; deciding who may use a prefix or act as a router is still the job of the router certificates.)
(IPR, but with friendly licenses)
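The address-to-key binding described above, as an added example that is not part of the slides and not SEND implementation code. It follows the CGA construction of RFC 3972 (Hash1 for the interface identifier, Hash2 for the Sec parameter) using only the Python standard library. The "public keys" are constructed byte strings standing in for the DER-encoded SubjectPublicKeyInfo a real CGA hashes, the collision-count handling after a DAD collision is left at zero, and the second check on the slide, the RSA signature of RFC 3971, is not implemented here. The demo shows the slide's claim: the legitimate parameters verify, an attacker substituting their own key for the same address fails, and the attacker can still mint a fresh address of their own.

```python
"""CGA generation and verification (RFC 3972), stdlib only.

Added example. Keys below are constructed stand-ins, not real DER keys, and
the RFC 3971 signature step is out of scope for this block.
"""
import hashlib
import ipaddress
import os
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class CgaParams:
    modifier: bytes          # 16 octets
    subnet_prefix: bytes     # 8 octets, the leftmost 64 bits of the address
    collision_count: int     # 0, 1 or 2
    public_key: bytes        # DER SubjectPublicKeyInfo in real use; stand-in here


def _hash1(p: CgaParams) -> bytes:
    data = p.modifier + p.subnet_prefix + bytes([p.collision_count]) + p.public_key
    return hashlib.sha1(data).digest()[:8]           # leftmost 64 bits


def _hash2(modifier: bytes, public_key: bytes) -> bytes:
    # Hash2 replaces prefix and collision count with nine zero octets.
    return hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]  # leftmost 112 bits


def _hash2_ok(h2: bytes, sec: int) -> bool:
    # The 16*Sec leftmost bits of Hash2 must be zero.
    nbits = 16 * sec
    return nbits == 0 or (int.from_bytes(h2, "big") >> (112 - nbits)) == 0


def generate_cga(subnet_prefix: bytes, public_key: bytes, sec: int,
                 modifier: Optional[bytes] = None) -> Tuple[ipaddress.IPv6Address, CgaParams]:
    """Return (address, params). Sec makes a second-preimage search 2**(16*sec)
    times more expensive; the loop below is the one-time cost the generator pays."""
    if not 0 <= sec <= 7 or len(subnet_prefix) != 8:
        raise ValueError("bad sec or prefix")
    mod = int.from_bytes(os.urandom(16) if modifier is None else modifier, "big")
    while not _hash2_ok(_hash2(mod.to_bytes(16, "big"), public_key), sec):
        mod = (mod + 1) % (1 << 128)
    # Collision count stays 0 here; RFC 3972 increments it (max 2) after a DAD collision.
    params = CgaParams(mod.to_bytes(16, "big"), subnet_prefix, 0, public_key)
    iid = bytearray(_hash1(params))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)    # bits 0-2 carry Sec, bits 6-7 (u/g) cleared
    return ipaddress.IPv6Address(subnet_prefix + bytes(iid)), params


def verify_cga(address: ipaddress.IPv6Address, params: CgaParams) -> bool:
    """Check 1 from the slide: the address really is a hash of the offered key."""
    if params.collision_count not in (0, 1, 2):
        return False
    packed = address.packed
    if packed[:8] != params.subnet_prefix:
        return False
    iid = packed[8:]
    h1 = _hash1(params)
    # Compare Hash1 with the interface identifier, ignoring bits 0-2 and 6-7.
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    sec = iid[0] >> 5
    return _hash2_ok(_hash2(params.modifier, params.public_key), sec)


# Constructed inputs (not real keys); the modifier is fixed so the run is repeatable.
PREFIX = ipaddress.IPv6Network("2001:db8::/64").network_address.packed[:8]
HOST_KEY = b"constructed stand-in for host A SubjectPublicKeyInfo"
ATTACKER_KEY = b"constructed stand-in for attacker SubjectPublicKeyInfo"


def demo(sec: int = 1) -> dict:
    addr, params = generate_cga(PREFIX, HOST_KEY, sec, modifier=bytes(16))
    # Attacker offers their own key with the victim's modifier/prefix for address A.
    forged = CgaParams(params.modifier, params.subnet_prefix, params.collision_count, ATTACKER_KEY)
    own_addr, own_params = generate_cga(PREFIX, ATTACKER_KEY, sec, modifier=bytes(16))
    return {
        "address": str(addr),
        "sec": (int(addr) >> 61) & 0x7,
        "legit_verifies": verify_cga(addr, params),
        "takeover_verifies": verify_cga(addr, forged),
        "attacker_own_address_verifies": verify_cga(own_addr, own_params),
        "attacker_own_address_differs": own_addr != addr,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A verifier that accepts a CGA parameter option must still run the signature check before trusting the message; passing verify_cga only proves that whoever chose this public key also chose this address, and anyone can do that for an unused address.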