SNMP for the PAA-2-EP protocol PANA wg - IETF 59 Seoul -> Yacine El Mghazli (Alcatel) <- Yoshihiro Ohba (Toshiba) Julien Bournelle (GET/INT)

Presentation transcript:


Yacine El Mghazli — 2 All rights reserved © 2004, Alcatel

Presentation Overview
- Introduction
  - PAA-2-EP basic principle
  - PAA-2-EP within the PANA wg
  - Back on the SNMP choice
- SNMPv3 applicability against PAA-2-EP protocol reqs
- SNMP usage for the PAA-2-EP
  - Re-usable existing MIB modules
  - Additional PANA-specific MIB objects
- Next Steps

Introduction: PAA-2-EP functional basic principle
[Diagram: PaC, AR, EP, PAA and AAA backend, with the access side shown as one single IP subnet. Labels: PANA auth, AAA auth, PAA-2-EP "Install filter", PaC traffic.]

Introduction: PAA-2-EP within the PANA wg
- PANA charter:
  - The PANA working group must mandate one protocol
  - The PANA wg will not design a new protocol; it may involve the definition of extensions of an existing one
- History:
  - IETF55: PAA-2-EP topic introduction – draft-ietf-pana-requirements-0x.txt
  - IETF57: PAA-2-EP protocol considerations – draft-yacine-pana-paa-ep-reqs-00.txt
  - IETF58: PAA-2-EP protocols evaluation – draft-yacine-pana-paa2ep-eval-00.txt
- Already a fair amount of discussion on the ML

Introduction: Why SNMP?
- Consensus regarding the PAA-2-EP protocol within PANA wg:
  - An existing protocol (no new protocol design)
  - Basic configuration needs (no 'disqualifying' requirement), but
    - No disruptive choice
    - No immature solutions
    - Follow the IAB recommendations
- SNMPv3 fully satisfies the above conditions
  - v3 satisfies the security conditions
  - widely spread for monitoring ("get" messages)
  - "Set" messages allow simple configuration
  - Lots of MIBs available
- SNMP provides a simple solution with a high level of re-use

PAA-2-EP protocol: SNMPv3 applicability
- One-to-many relation
  - 1 SNMP manager (PAA) can relate simultaneously to several Agents (EPs)
- Secure communication
  - User-based Security Model (USM) provides authentication, confidentiality, integrity, replay attack prevention, and time windows for the validity of messages.
- Notification of PaC presence
  - SNMP can provide this feature using the SMIv2 traps
- Accounting
  - The PAA can poll its EPs, and the counters are considered good enough.

PAA-2-EP protocol: SNMPv3 applicability (cont'd)
- Peer liveness
  - SNMP periodic polling sufficient for inactive EP detection
- Rebooted Peer detection
  - snmpEngineBoots MIB to detect rebooted EP
- Authorization
  - ACLs and keying material
  - Re-use existing objects
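The peer-liveness and rebooted-peer points above, sketched as PAA-side bookkeeping (an added example, not code from the slides or the draft). The poll results are constructed samples; `EpTracker`, `observe`, `replay` and `MAX_MISSED` are hypothetical names, the timeliness test is a simplified form of the USM 150-second window, and the sketch assumes filters pushed with SNMP set are lost when an EP reboots.

```python
from dataclasses import dataclass, field

MAX_MISSED = 3           # assumption: missed polls before an EP counts as inactive
USM_TIME_WINDOW = 150    # seconds; USM timeliness window from RFC 3414
MAX_BOOTS = 2147483647   # snmpEngineBoots latches at this value

@dataclass
class EpState:
    boots: int = 0       # last accepted snmpEngineBoots (0 = not yet learned)
    time: int = 0        # last accepted snmpEngineTime
    missed: int = 0      # consecutive unanswered polls
    pacs: set = field(default_factory=set)   # PaCs whose filters were pushed

class EpTracker:
    def __init__(self):
        self.eps = {}    # hypothetical bookkeeping: EP address -> EpState

    def installed(self, ep, pac):
        self.eps.setdefault(ep, EpState()).pacs.add(pac)

    def observe(self, ep, sample):
        """sample: None for a timed-out poll, else (engineBoots, engineTime).
        Returns (event, pacs_to_reinstall)."""
        st = self.eps.setdefault(ep, EpState())
        if sample is None:
            st.missed += 1
            return ("inactive" if st.missed >= MAX_MISSED else "missed", [])
        boots, time = sample
        # Simplified timeliness check on the non-authoritative side (the PAA):
        # reject an older boot count, or the same boot count too far in the past.
        if (st.boots == MAX_BOOTS or boots < st.boots
                or (boots == st.boots and time < st.time - USM_TIME_WINDOW)):
            return ("stale", [])       # delayed or replayed: do not act on it
        st.missed = 0
        rebooted = st.boots != 0 and boots > st.boots
        if boots > st.boots or time > st.time:
            st.boots, st.time = boots, time
        # Assumption: filters pushed with SNMP set do not survive an EP reboot.
        return ("rebooted", sorted(st.pacs)) if rebooted else ("alive", [])

def replay(samples):
    """Feed constructed poll results for one EP through the tracker."""
    tracker = EpTracker()
    tracker.installed("ep1", "pac-a")
    return [tracker.observe("ep1", s)[0] for s in samples]

# Constructed poll results: normal, two timeouts, reboot, then a stale reply.
SAMPLES = [(4, 1000), (4, 1060), None, None, (5, 20), (4, 1120), (5, 80)]
```

A "rebooted" event carries the list of PaCs whose filters and keying material the PAA would push again; a "stale" reply is dropped without changing state.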

SNMP for PAA-2-EP: Re-use of existing IPSec configuration MIBs
- IPSec configuration MIB recently split into 3 separate modules
- IPSec SPD configuration MIB module (IPSP wg)
  - Rule/Filter/Action Policy structure
  - Various IP filters, including IP header filter
  - Notification Variables re-usable for the PaC presence trap
- IPSec IKE configuration MIB module (IPSP wg)
  - For IP-based access control (draft-ietf-pana-ipsec-02)
  - Pre-shared key configuration (PSK) – Derived at the PAA level
  - ID_KEY_ID configuration (aggressive mode) – PANA session_id

SNMP for PAA-2-EP: Additional PANA-specific MIB objects
- PANA-specific objects extend the SPD-MIB
  - Link-layer Filters
  - PaC presence trap
  - Keying material for L2 protection
- Current version -02:
  - IEEE 802 filters
  - New PaC Notification
- Browse the whole current MIB set at the following URL:

Next Steps
- PANA context usage examples (section 6 TBD)
- More Link-layer filters
  - Might re-use existing e.g. ADSL ports open/close
- Some additional objects design might be needed
  - L2 protection attributes: e.g i keys…
- More ?
- Gauge room consensus to accept this document as a PANA WG item

THANKS

PAA-2-EP protocol: Requirements Summary
- One-to-many PAA-EP relation: required.
  - a given EP relate to multiple PAAs
- Secure Communication: required.
  - authentication, confidentiality, and integrity.
- New PaC Notification: required.
  - EP to notify unauthorized PaC presence to the PAA.
  - optional (PANA can do that).
- Inactive EP detection: not required.
  - satisfied by other means.
  - the architecture can take it into account with e.g. a request-response mechanism.

PAA-2-EP protocol: Requirements Summary (cont'd)
- Stateful approach: not required.
  - the PAA does not maintain any EP state.
  - the whole solution does (at application level).
  - needed some implementation guidance.
- Accounting/Feedback from the EPs: required.
  - polling sufficient for the PANA needs
- EP Configuration information:
  - The PAA-2-EP protocol must push DI-based filters and keying material down to the EP.