Link-local security J.W. Atwood, S. Islam PIM Working Group 2007/12/04

draft-ietf-pim-sm-linklocal-02
- Minor changes: title is now “Authentication and Confidentiality …”; some housekeeping
- New stuff: enlarged section on “Communications Patterns”

Recent activity (not yet reflected in the draft)
- Discussion with Brian Weis and Ya Liu about common features among OSPF, PIM-SM and RSVP -> an idea for extending GDOI for our use
- Development of ideas on controlling adjacency

An Example Network
- Useful to explore the management of keys and SAs

Basic Network (diagram: routers R1 to R14)

R1 as Sender (diagram)

R9 as Sender (diagram)

R1 as Receiver (diagram)

Communications among peers
- The previous slides illustrate that the communication is, effectively, N little groups, each of which has a single sender and a receiver set consisting of all of its immediate neighbors.
- Even though all these groups share one (multicast) address, the Source Address can be used to distinguish them.

..2
- To manage this, we can mandate one of the following: a single key for the entire administrative region, or a key per “speaking router”
- This will be an element of “policy” for the routers

Key management architecture
- For the first case, the GC/KS needs to distribute the (shared) key to all routers
- For the second case, each speaking router needs to distribute its key to all adjacent routers
- Overall control of the adjacencies should be centralized, for network operator convenience
- We can model this as a central Group Controller (GC) and N distributed Key Servers (KS), one per router

..2
- Each KS is initialized with its adjacencies at installation time, along with the address of the group controller for the PIM-SM “control plane key management group”
- On startup, the last known configuration of adjacencies is used, and then refreshed from the GC after an appropriate interval

..3
- Only the GC needs to be replicated for reliability (if an individual router is down, it is not needed as a key server)

Management of the “key management” group
- The GDOI GC/KS is formulated as a centralized entity; an extension needs to be specified
- To specify the protocol between a centralized GC and the (thousands of) individual KSs -> ask MSEC to host this work

Similarities to OSPF work
- OSPF has the same (link-local) problem, except that they cannot assume unicast connectivity to the central KS when they boot up, so they “really need” the local key server to retain its last configuration across restarts

Similarities to other work that could be done
- RSVP does next-hop (almost link-local) communication; at least some of the ideas here will map to their requirements
- Other protocols surely exist that could use this kind of “near-neighbor” communication

Suggestion
- Extract this common problem
- Generate a separate Internet Draft to describe and solve it
- For now, we will use “key management for control planes” as a label for this sub-problem

Adjacency Lists in GCKS
- Question of deciding which router(s) are entitled to receive keys from a “speaking router”
- To ensure that rogue routers do not “appear” as neighbors of a particular router, the GC can maintain an “adjacency matrix” or adjacency lists, and only authorize true neighbors to receive the key for a particular “speaker” router

Alternate Views of “Validity of the Adjacency”
- For IPv6: may be able to use the “Neighbor Discovery” functionality in IPv6 to certify the validity of a particular neighbor
- Alternatively, a local KS may refer to the central GC to approve the distribution of a key

..2
- For IPv4: need to use the central GC to approve the distribution of a key
- Alternatively, need to create an IPv4 equivalent for neighbor discovery and certification
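The per-speaker groups distinguished by Source Address (“Communications among peers”), the central GC with one KS per router, and GC-approved key distribution to true neighbors only (“Adjacency Lists in GCKS”, “Alternate Views”) as one added Python model. This is example code written for this page, not the authors' draft or any GDOI implementation; the four-router topology, the HMAC-SHA256 tag and all class and function names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed example topology (an assumption for this example; the deck's own
# R1..R14 diagram is not reproduced here): router -> set of true neighbours.
ADJACENCY = {
    "R1": {"R2", "R3"},
    "R2": {"R1", "R4"},
    "R3": {"R1", "R4"},
    "R4": {"R2", "R3"},
}


def tag_for(key, payload):
    """HMAC-SHA256 tag over a link-local message (assumed algorithm)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


class GroupController:
    """Central GC: the one place that knows the real adjacencies."""
    def __init__(self, adjacency):
        self.adjacency = adjacency

    def approve(self, speaker, requester):
        """Approve distribution only to a true neighbour of the speaker;
        a rogue router that merely "appears" on the link is refused."""
        return requester in self.adjacency.get(speaker, set())


class KeyServer:
    """Local KS on one router, holding that router's own "speaking" key."""
    def __init__(self, router, gc):
        self.router = router
        self.gc = gc
        self.key = os.urandom(32)  # key per speaking router (policy 2)

    def distribute(self, requester):
        """Hand the speaker key to an adjacent router after GC approval."""
        if not self.gc.approve(self.router, requester):
            raise PermissionError(f"{requester} is not adjacent to {self.router}")
        return self.key


def verify(neighbour_keys, source, payload, tag):
    """Receiver: all speakers share one multicast destination, so the SA
    (key) is selected by the Source Address, then the tag is checked."""
    key = neighbour_keys.get(source)
    return key is not None and hmac.compare_digest(tag_for(key, payload), tag)
```

A receiver's `neighbour_keys` map is filled by calling `distribute` on each adjacent router's KS; a message whose Source Address has no entry, or whose tag does not match, is rejected.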

Plans
- Complete the exploration of the adjacency control issues
- Define the extensions to GDOI (in MSEC wg) and create an Internet Draft
- Create an Internet Draft on the (sub-)problem of “key management for control planes” (with others)
- Rewrite the link-local Internet Draft to use the GDOI extensions (in PIM wg)

Questions?