Implications of Trust Relationships for NSIS Signaling (draft-tschofenig-nsis-casp-midcom.txt) Authors: Hannes Tschofenig Henning Schulzrinne.

Slides:

Advertisements

Similar presentations

Washinton D.C., November 2004 IETF 61 st – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena.

Advertisements

1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.

Progress Report: Metering NSLP (M-NSLP) 66th IETF meeting, NSIS WG.

SIP and IMS Enabled Residential Gateway Sergio Romero Telefónica I+D Jan Önnegren Ericsson AB Alex De Smedt Thomson Telecom.

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

World Class Standards ANFOV - Milano, 14 November 2007 – Paolo DE LUTIIS ANFOV - Milano, 14 November 2007 Autore:Paolo DE LUTIIS Telecom Italia Security.

Security Threats and Security Requirements for the Access Node Control Protocol (ANCP) IETF 67 - ANCP WG November 5-10, 2006 draft-moustafa-ancp-security-threats-00.txt.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Mobile IPv6 - NSIS Interaction for Firewall traversal draft-thiruvengadam-nsis-mip6-fw-04 S. Thiruvengadam Hannes Tschofenig Franck Le Niklas Steinleitner.

1 © NOKIA NSIS MIPv6 FW/ November 8 th 2004 Mobile IPv6 - NSIS Interaction for Firewall traversal draft-thiruvengadam-nsis-mip6-fw-01 S. Thiruvengadam.

Telematics group University of Göttingen, Germany Overhead and Performance Study of the General Internet Signaling Transport (GIST) Protocol Xiaoming.

Bootstrapping MIP6 Using DNS and IKEv2 (BMIP) James Kempf Samita Chakrarabarti Erik Nordmark draft-chakrabarti-mip6-bmip-01.txt Monday March 7, 2005.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

Next Step In Signaling (NSIS) and Internet Routing Dynamics Charles Shen and Henning Columbia University in the City of New York Internet.

NSIS Transport Layer draft-ietf-nsis-ntlp-00.txt Slides:

CASP – Future Work Plans and Ideas Henning Schulzrinne & LQS team August 27, 2002.

SIP, NAT, Firewall SIP NAT Firewall How to Traversal NAT/Firewall for SIP.

Trade-offs and open issues with path discovery and transport or not all requirements are orthogonal… Henning Schulzrinne Columbia University

Internet Protocol Security (IPSec)

E J B J A V A X M L C O R B A M P L S D i f f S e r v I P V P N Q o S I P v 6 G P R S U M T S An Analysis.

Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.

Can SIP benefit from HIP (or vice versa)? Exchanging Host Identities in SIP Hannes Tschofenig, Vesa Torvinen, Joerg Ott, Henning Schulzrinne, Tom Henderson,

BY- NIKHIL TRIPATHI 12MCMB10.  What is a FIREWALL?  Can & Can’t in Firewall perspective  Development of Firewalls  Firewall Architectures  Some Generalization.

SIP? NAT? NOT! Traversing the Firewall for SIP Call Completion Steven Johnson President, Ingate Systems Inc.

NSIS Authentication, Authorization and Accounting Issues (draft-tschofenig-nsis-aaa-issues-00.txt) Authors: Hannes Tschofenig Henning Schulzrinne Maarten.

NSIS NATFW NSLP: A Network Firewall Control Protocol draft-ietf-nsis-nslp-natfw-08.txt IETF NSIS Working Group January 2006 M. Stiemerling, H. Tschofenig,

Chapter 13 – Network Security

Common Devices Used In Computer Networks

Windows 7 Firewall.

7/14/2003IETF57 PANA enabling IPsec based Access control draft-mohanp-pana-ipsec-00.txt Mohan Parthasarathy Tahoe Networks - Presented by Hannes Tschofenig.

1 EAP Usage Issues Feb 05 Jari Arkko. 2 Typical EAP Usage PPP authentication Wireless LAN authentication –802.1x and i IKEv2 EAP authentication.

NSIS Path-coupled Signaling for NAT/Firewall Traversal Martin Stiemerling, Miquel Martin (NEC) Hannes Tschofenig (Siemens AG) Cedric Aoun (Nortel)

IETF54 Charter Issues Dealt with since IETF53 PANA WG Meeting Basavaraj Patil.

0 NAT/Firewall NSLP IETF 62th – March 2005 draft-ietf-nsis-nslp-natfw-05.txt Martin Stiemerling, Hannes Tschofenig, Cedric Aoun.

IT:Network:Apps.  RRAS does nice job of routing ◦ NAT is nice ◦ BASIC firewall ok but somewhat weak  Communication on network (WS to SRV) is in clear.

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

GEOPRIV Layer 7 Location Configuration Protocol; Problem Statement and Requirements draft-tschofenig-geopriv-l7-lcp-ps-00.txt Hannes Tschofenig, Henning.

Dynamic Virtual Networks (DVNE) Margaret Wasserman & Paddy Nallur November 11, 2010 IETF Beijing, China.

1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.

0 NAT/Firewall NSLP Activities IETF 60th - August 2nd 2004 Cedric Aoun, Martin Stiemerling, Hannes Tschofenig.

Carrying Location Objects in RADIUS Hannes Tschofenig, Farid Adrangi, Avi Lior, Mark Jones.

Module 5: Designing Security for Internal Networks.

Company Confidential 1 ICMPv6 Echo Replies for Teredo Clients draft-denis-icmpv6-generation-for-teredo-00 behave, IETF#75 Stockholm Teemu Savolainen.

InterDomain-QOSM: The NSIS QoS Model for Inter-domain Signaling J. Zhang, E. Monteiro, P. Mendes, G. Karagiannis, J. Andres-Colas 66 th IETF – Montreal,

NSIS NAT/Firewall NSLP Martin Stiemerling, Hannes Tschofenig, Miquel Martin, Cedric Aoun NSIS WG, 59th IETF.

Controlled Load Service QoS Model draft-kappler-nsis-controlledload-qosm-03.txt Cornelia Kappler, Xiaoming Fu (Robert Hancock presenting) IETF#65 – Dallas.

Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.

PAGE 1 A Firewall Control Protocol (FCON) draft-soliman-firewall-control-00 Hesham Soliman Greg Daley Suresh Krishnan

17 February 2016 SIPPING - IEPREP Joint Meeting Fred Baker - IEPREP co-chair Rohan Mahy - SIPPING co-chair.

1 3gpp_trans/ / IPv6 Transition Solutions for 3GPP Networks draft-wiljakka-3gpp-ipv6-transition-00.txt Juha Wiljakka,

0 NAT/Firewall NSLP IETF 63th – August 2005 draft-ietf-nsis-nslp-natfw-07.txt Martin Stiemerling, Hannes Tschofenig, Cedric Aoun.

Minneapolis, March 2005 IETF 62 nd – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena Demaria.

Extended QoS Authorization for the QoS NSLP Hannes Tschofenig, Joachim Kross.

NSIS QoS NSLP Authorzation Issues Hannes Tschofenig.

IETF 62 NSIS WG1 Porgress Report: Metering NSLP (M-NSLP) Georg Carle, Falko Dressler, Changpeng Fan, Ali Fessi, Cornelia Kappler, Andreas Klenk, Juergen.

59th IETF Seoul, Korea Quarantine Model Overview “Quarantine model overview for ipv6 network security” draft-kondo-quarantine-overview-00.txt Satoshi kondo.

NSIS NAT/Firewall Signaling NSIS Interim Meeting Romsey/UK, June 2004 Martin Stiemerling, Hannes Tschofenig, Cedric Aoun.

IETF 58 PANA WG PANA Implementation Report Hannes Tschofenig Marcus Tegnander Srinath Thiruvengadam.

PANA in DSL networks draft-morand-pana-panaoverdsl-00.txt Lionel Morand Roberta Maglione John Kaippallimalil Alper Yegin IETF-67, San Diego.

Securing Access to Data Using IPsec Josh Jones Cosc352.

I2RS Overlay usecase 1 Fangwei hu Bhumip Khasnabish.

Peer-to-Peer Solutions Between Service Providers David A. Bryan CTO, Jasomi Networks October 10, 2002 – Fall VON, Atlanta, GA.

Thoughts on Bootstrapping Mobility Securely Chairs, with help from James Kempf, Jari Arkko MIP6 WG/BOF 57 th IETF Vienna Wed. July 16, 2003.

1 NSIS: A New Extensible IP Signaling Protocol Suite Myungchul Kim Tel:

V4 traversal for IPv6 mobility protocols - Scenarios Mip6trans Design Team MIP6 and NEMO WGs, IETF 63.

Carrying Location Objects in RADIUS

Server-to-Client Remote Access and DirectAccess

Securing the CASP Protocol

Authors: Hannes Tschofenig Henning Schulzrinne Maarten Buechli

Presentation transcript:

Implications of Trust Relationships for NSIS Signaling (draft-tschofenig-nsis-casp-midcom.txt) Authors: Hannes Tschofenig Henning Schulzrinne

Scope NSIS also aims to signaling non-QoS information Signaling NAT and firewall information is a possible NSIS application. Draft focus: Security issues for signaling in-path NAT/firewall information. Builds on previous TIST activities

Peer-to-Peer Security only Administrative Domain A Administrative Domain B Node ANode B Core Network Security protection between end hosts and networks depends on scenario (=> Secure Network Access)

Administrative Domain A Intra-domain Trust Relationship PDP Edge routers must receive particular attention Intra-domain signaling message protection is still required to “separated” NSIS nodes from non-NSIS nodes (by signaling message protection) Edge Router A Edge Router B Router

Administrative Domain B End-to-Middle Authentication Administrative Domain A Node ANode B Core Network In a firewall traversal environment user authentication might also be required to intermediate networks. Firewalls are distributed sparsely. User Credentials

Missing Trust Node ANode B Core Network Without protection of signaling messages between the two networks a signaling message exchange might not be possible. Alternatives: Authorization Tokens Signaling only at the local access network Receiver-initiated signaling No Trust / No Security Protection Administrative Domain B Administrative Domain A

Differences Difference QoS and Firewall signaling? Trust relationships and authorization are different For QoS signaling accounting and charging is a very important issue (for firewall signaling probably not) Firewall signaling is seen as more security sensitive Lower number of devices need to store state / are affected by a firewall signaling protocol (discovery)

Network Address Translation NAT handling Does not need to be combined within firewall signaling as an application. Must be addressed by NSIS to let the protocol operate correctly. Double-NAT handling makes a solution quite complex

Some IETF working groups also create protocols which allow firewall traversal or policy rule establishment: MIDCOM WG — Establishment of policy rules at middleboxes in an off-path nature IPSec WG — IPSec protocols would allow only authenticated data traffic to pass security gateways IPSRA WG — IPSec + legacy authentication + provisioning of configuration parameters. PANA — Secure network access based on EAP Additionally of interest: Authorization tokens exchanged with other protocols (e.g. HTTP or SIP) to restrict end host to create firewall rules Relationship to other protocols and working groups