Achieving Local Availability of Group SA
Ya Liu, Bill Atwood, Brian Weis

Presentation transcript:

1 Achieving Local Availability of Group SA Ya Liu, Bill Atwood, Brian Weis, IETF 70, Dec 2007, Vancouver

2 Background
Group security model is used in OSPFv3 IPsec and PIM-SM link-local security.
– Please refer to RFC4552 and draft-ietf-pim-sm-linklocal for more details.
Currently, only the manual keying method is proposed.
– Manual method is neither scalable nor secure.
It has been proposed to achieve automated group keying for OSPF and PIM using MSEC GKM protocols.
– Please refer to draft-liu-ospfv3-automated-keying-req and draft-ietf-pim-sm-linklocal for more details.

3 A Chicken & Egg Issue
MSEC GKM protocols fail in the OSPF case because they are based on a client/server model.
This means these protocols rely on reachability between clients and servers for the clients to obtain the group SA from the key server.
In the OSPF case, the GKM is providing protection for OSPF, which is an essential component in providing reachability between the clients and servers.
Hence, the client/server model breaks down in this situation.
PIM has no such issue.
– Thus, the solution for OSPF also applies to PIM.

4 Possible Solutions
Locally deploying GCKS
– No extensions are needed.
Separating GC/KS, and locally deploying KS while centrally deploying GC
– For cost consideration, the KS can be logical. For example, a protocol (e.g., OSPF, PIM) speaking router works as the KS of its listeners.
– An extension to specify the protocol between a centralized GC and the individual KS is needed.
Locally deploying delegates, centrally deploying GCKS
– An extension to relay group keying service between the centralized GCKS and local group members is needed.
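The dependency described on slides 3 and 4 can be checked with a small fixed-point model. This is an added example, not part of the presentation: the three-link topology, the node names and the server placements are constructed. It assumes on-link neighbours are reachable without routing, and that off-link reachability comes only from OSPF adjacencies, which form only between holders of the link's group SA.

```python
from collections import deque

# Constructed three-link chain (not from the slides); "central" sits on link A.
LINKS = {"A": {"central", "r1"}, "B": {"r1", "r2"}, "C": {"r2", "r3"}}

def on_link(links, a, b):
    """True if a and b share a link (directly connected, no routing needed)."""
    return any(a in m and b in m for m in links.values())

def reaches(links, keyed, src, dst):
    """True if src can send to dst using connected or OSPF-learned routes only."""
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst or on_link(links, node, dst):
            return True
        for link, members in links.items():
            if (node, link) not in keyed:
                continue  # no SA on this link, so no protected adjacency
            for peer in members - seen:
                if (peer, link) in keyed:  # both ends hold the SA
                    seen.add(peer)
                    queue.append(peer)
    return False

def unkeyed(links, servers):
    """Iterate to a fixed point; return (router, link) pairs left without the SA."""
    keyed, changed = set(), True
    while changed:
        changed = False
        for link, members in links.items():
            for node in members:
                if (node, link) not in keyed and any(
                        reaches(links, keyed, node, s) for s in servers[link]):
                    keyed.add((node, link))
                    changed = True
    return sorted((n, l) for l, m in links.items() for n in m
                  if (n, l) not in keyed)

# One central GCKS serving every link (the model that breaks down).
CENTRAL = {link: {"central"} for link in LINKS}
# A router on each link acts as the KS for that link (local deployment).
LOCAL = {"A": {"r1"}, "B": {"r1"}, "C": {"r2"}}

if __name__ == "__main__":
    print("central GCKS leaves unkeyed:", unkeyed(LINKS, CENTRAL))
    print("local KS leaves unkeyed:    ", unkeyed(LINKS, LOCAL))
```

With the central placement only the routers that share a link with the key server ever obtain an SA; every router further out waits on an adjacency that itself needs the SA.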

5 Suggestion
Choose one solution and standardize it.
– If extensions to MSEC GKM protocols are necessary, such work SHOULD be done in MSEC.
– Both OSPF WG and PIM WG need to write their own I-Ds to profile use of MSEC GKM protocols.
– Optionally, MSEC WG may produce a guideline doc to introduce the use of MSEC GKM protocols in other control plane protocols, such as OSPF, PIM, RSVP, etc.

6 Comments? Thanks!