1 OSPFv3 Automated Group Keying Requirements draft-liu-ospfv3-automated-keying-req-01.txt Ya Liu, Russ White,
1 OSPFv3 Automated Group Keying Requirements draft-liu-ospfv3-automated-keying-req-01.txt Ya Liu, Russ White, Brian Weis, Michael Barnes, IETF 69, 22nd Jul 2007, Chicago

2 Problem Statement A group SA (GSA) is used to protect OSPFv3 on multicast-capable interfaces, e.g., Ethernet, because one SA shared by all routers on the link scales best. However, only manual keying is specified for this GSA, and manual keying is neither scalable nor secure: every router on the link must be configured with the same key, and every rekey is a manual change on all of them. –Please refer to RFC 4552 for more details. On the other hand, it is feasible to implement automated group keying for OSPFv3 IPsec using the standard MSEC GKM (group key management) protocols. –Please refer to the IETF MSEC WG for more details.

3 Aspects to Think About … Common requirements include authorization and authentication of routers, secure distribution of the GSA, the ability to store GSA context, etc. The most important issue is how to set up the GC/KS (group controller / key server). –MSEC GKM protocols such as GSAKMP and GDOI are based on a client/server model: a client can obtain the group SA only if it can reach the key server. Here the GKM protocol is protecting OSPF, which is itself an essential component in providing that reachability between clients and servers. Hence the client/server model breaks down in this situation. –To overcome this problem, the group SA must be locally available to each group member (each OSPFv3 router). –Possible deployment scenarios and their specific requirements are presented in the following slides.

4 Scenario 1: Decentralized Physical GCKSs A physical GCKS is deployed on every multicast network and provides group keying service only to its local neighbors. Issues: –It is expensive. –Each GCKS is a single point of failure for its network. –It is hard to manage. –It suffers from the new joiner issue (a router that joins the network later must still be able to obtain the current GSA). (Figure: one GCKS on each multicast network.)

5 Scenario 2: Decentralized Logical GCKSs The GCKS is hosted on a router and provides group keying service only to its local neighbors. Issues: –It is hard to manage. –A GCKS selection mechanism is necessary. –The GCKS itself must be authenticated and authorized. –It suffers from the new joiner issue. (Figure: a router on each multicast network hosting the GCKS.)

6 Scenario 3: Decentralized KSs, Centralized GC A logical KS is hosted on a router and provides group keying service only to its local neighbors. A single GC (Group Controller) pushes policy and authorization to each KS. Issues: –It suffers from the bootstrapping issue (a KS must reach the central GC before it can serve its neighbors, and that reachability depends on OSPF). –A KS selection mechanism is necessary. –The KS itself must be authenticated and authorized. –It suffers from the new joiner issue. (Figure: a central GC with a KS on each multicast network.)

7 Scenario 4: Decentralized Delegates, Centralized GCKS The delegate is a logical role deployed on every multicast network; it relays GSA messages between the central GCKS and the local group members. Issues: –It suffers from the bootstrapping issue. –A delegate selection mechanism is necessary. –The delegate itself must be authenticated and authorized. –It suffers from the new joiner issue. (Figure: a central GCKS with a delegate on each multicast network.)

8 Next Step Need more comments and feedback from the OSPF, RPSEC, and MSEC WGs. Accept this draft as a WG I-D?

9 Comments? Thanks!