11 Softwire Security Analysis and Guidance for Mesh Shu Yamamoto Carl Williams Florent Parent Hidetoshi Yokota draft-ietf-softwire-security-requirements-XX.txt.

2 Outline
Mesh Network Model
Security Reference Model
Defensive Techniques
Security Threats
Security Requirement
Defensive Techniques on Control Plane
Next Steps

3 Network Model of Softwire Mesh
Peer Model
–The softwire mesh network is a peer model (PE based), as defined by the Softwire Problem Statement document.
–A dual stack AFBR is provided by a service provider.
–The mesh softwire is established by extended MP-BGP with tunnel SAFI.
Overlay Model
–The overlay model (CE based) is not applied to softwire mesh, to avoid requiring a special dual stack device in access networks.
[Figure: Peer Model vs. Overlay Model, with PE, CE and AFBR labelled]

4 Security Reference Model
[Figure: CE – PE/AFBR-1 … AFBR-N – AF(j) Backbone – AF(i), with a Route Reflector; annotated with BGP Update, DoS, Intrusion, Attack on Data Plane, Attack on Control Plane, and Static Route or Routing Protocol on the PE-CE link]
Vulnerability to security threats on the control and data plane depends on whether the AF(j) backbone is a secure network or not.
The probability of a threat depends on whether the transit network consists of a single service provider network or of multiple network domains.

5 Use of Defensive Techniques
"Softwire Mesh MUST be able to prevent threat X" means that the softwire protocol for the control and data plane should be capable of preventing threat X. The features or defensive techniques that prevent threat X may or may not be used, depending on the deployment and on operational issues.
Reference: RFC4016

6 Counter Measures against Security Threats
[Figure: the reference topology of slide 4 (CE – PE/AFBR-1 … AFBR-N – AF(j) Backbone – AF(i), Route Reflector), annotated with the countermeasure at each point: Static Routing and Packet Filtering on the PE-CE link, TCP MD5 or IPsec for BGP Update, and an IPsec tunnel supported by extended MP-BGP with Tunnel SAFI across the AF(j) backbone]

7 Security Threats
Unauthorized observation of data traffic
Modification of data traffic
Insertion of non-authentic data traffic for spoofing and replay
Unauthorized deletion of data traffic
Unauthorized traffic pattern analysis
Resource exhaustion
[Figure: threat level of DoS, Sniffing, Spoofing, Replay, Modification and Snooping, mapped to Degradation of service quality, Service Theft, Service Disruption, and "First Step in other Attacks"]
Reference: RFC4111

8 Defensive Techniques
Cryptographic Techniques and IPsec
–Encryption protects privacy, at the cost of additional computation.
–IPsec needs to specify an encryption algorithm, key length, etc.
–Applicability of encryption depends on the trust model among transit and access networks:
  PE(AFBR) – CE
  PE(AFBR) – PE(AFBR)
  End-to-end or CE-CE [the user provisioned model is outside the scope of softwire mesh]
–At least PE-PE IPsec is provisioned by a service provider.
Authentication
–CE-PE authentication
–PE-to-PE authentication
Access control techniques
–CE packet access list and filtering in the PE
–Firewalls

9 Security Requirement
Protection within the transit network
–Control plane protection: MP-BGP UPDATE may be authenticated by using TCP MD5 or IPsec.
–Data plane protection: IPsec provides encryption of user data. IPsec, L2TPv3 in IPsec, and mGRE in IPsec softwire mesh encapsulations are defined (draft-nalawade-kapoor-tunnel-safi-05.txt).
Protection on the user access link
–BGP MD5 authentication on PE-CE links using eBGP
–Authentication/encryption mechanisms (i.e. IPsec) between ASes for inter-provider connection
–Protection against spoofing
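The data plane protection above relies on IPsec ESP, and one of the properties ESP brings against the replay threat listed on slide 7 is its anti-replay window. The following is an added example, not part of the presentation or of any softwire implementation, showing how an ESP receiver tracks sequence numbers with the sliding-window algorithm described in RFC 4303 Appendix A (window size, bitmap and "highest sequence number seen"). The `process` helper, its check-then-update split and the sample sequence numbers are this example's own construction; a real receiver only updates the window after the packet's integrity check has passed, which the `icv_ok` flag stands in for.

```python
"""ESP anti-replay sliding window (RFC 4303 Appendix A style), added example."""


class AntiReplayWindow:
    """Receiver-side replay protection for one IPsec SA.

    bit i of `bitmap` is set when sequence number (last_seq - i) has already
    been accepted; bit 0 therefore always corresponds to last_seq itself.
    """

    def __init__(self, size: int = 64):
        if size < 32 or size % 32:
            # RFC 4303 requires a minimum window of 32; multiples of 32 keep
            # the bitmap aligned to machine words in a real implementation.
            raise ValueError("window size must be a multiple of 32, at least 32")
        self.size = size
        self.last_seq = 0      # highest sequence number accepted so far
        self.bitmap = 0        # one bit per sequence number inside the window

    def check(self, seq: int) -> bool:
        """Pre-authentication check: may this sequence number still be accepted?"""
        if seq == 0:
            return False       # ESP sequence numbers start at 1 (RFC 4303 2.2)
        if seq > self.last_seq:
            return True        # to the right of the window: new packet
        diff = self.last_seq - seq
        if diff >= self.size:
            return False       # to the left of the window: too old
        return not (self.bitmap >> diff) & 1   # inside window: reject duplicates

    def update(self, seq: int) -> None:
        """Post-authentication update: record seq as received."""
        mask = (1 << self.size) - 1
        if seq > self.last_seq:
            shift = seq - self.last_seq
            # Slide the window right; a jump of a full window size empties it.
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.size else 1
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)

    def process(self, seq: int, icv_ok: bool) -> bool:
        """Full receive path: window check, then ICV result, then window update.

        A packet whose ICV fails must not advance the window, otherwise an
        attacker could shift the window with forged packets and cause
        legitimate in-flight packets to be dropped.
        """
        if not self.check(seq):
            return False
        if not icv_ok:
            return False
        self.update(seq)
        return True


def demo():
    """Constructed arrival order: normal, replay, jump, too-old, late-but-new, duplicate."""
    w = AntiReplayWindow(64)
    arrivals = [1, 2, 3, 2, 100, 30, 50, 50]
    decisions = [w.process(s, icv_ok=True) for s in arrivals]
    # A forged packet with a bad ICV must leave the window untouched.
    forged_accepted = w.process(101, icv_ok=False)
    return decisions, forged_accepted, w.last_seq


if __name__ == "__main__":
    print(demo())
```

In the demo, 2 is rejected as a replay, 30 is rejected because it falls more than 64 behind the highest accepted number 100, 50 is accepted the first time (late but never seen) and rejected the second, and the forged 101 is dropped without moving `last_seq`.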

10 TCP MD5 or IPsec for MP-BGP UPDATE
TCP MD5 (RFC2385)
–Offers authentication and integrity on a point-to-point basis
–Protection from spoofing attacks and connection hijacking
–Lack of automated key distribution
–Overly long-term use of symmetric keys
IPsec
–The ESP protocol offers authentication, data integrity, and anti-replay between BGP speakers (i.e. AFBRs)
–The IKE protocol provides automated key management in support of ESP
–PKI requires a substantial amount of computation, compared with the shared secret version of IKE.
–Guidelines for mandating the use of IPsec are provided by draft-bellovin-useipsec-05.txt
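To make concrete what the TCP MD5 option of RFC 2385 does and does not cover for an MP-BGP session, here is an added example (not from the presentation or any router vendor's code) that computes and verifies the signature over a constructed TCP segment carrying a BGP KEEPALIVE. The digest covers the IP pseudo-header, the fixed TCP header with a zeroed checksum, the payload and the shared key, but not the options; the `Segment` class, the addresses, the key and the payload bytes are this example's own constructions. It shows the integrity property the slide lists (tampered payload and wrong key both fail verification) and, by construction, why the key is a long-lived static secret with no distribution mechanism.

```python
"""TCP MD5 signature option (RFC 2385) sign/verify, added example."""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace
from typing import Optional

TCP_MD5_KIND = 19     # option kind assigned by RFC 2385
TCP_MD5_LEN = 18      # kind + length + 16-byte MD5 digest
TCP_NOP, TCP_EOL = 1, 0
IPPROTO_TCP = 6


@dataclass(frozen=True)
class Segment:
    """Minimal IPv4/TCP segment model (constructed for this example)."""
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: int
    window: int
    payload: bytes
    options: bytes = b""
    urg: int = 0

    @property
    def data_offset(self) -> int:
        """TCP header length in 32-bit words, options included."""
        return (20 + len(self.options)) // 4


def tcp_md5_digest(seg: Segment, key: bytes) -> bytes:
    """RFC 2385 section 2.0: MD5 over pseudo-header, fixed TCP header with the
    checksum zeroed (options excluded), the segment data, and the key."""
    tcp_len = seg.data_offset * 4 + len(seg.payload)
    pseudo = (socket.inet_aton(seg.src_ip) + socket.inet_aton(seg.dst_ip)
              + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len))
    fixed = struct.pack("!HHIIBBHHH", seg.sport, seg.dport, seg.seq, seg.ack,
                        seg.data_offset << 4, seg.flags, seg.window, 0, seg.urg)
    return hashlib.md5(pseudo + fixed + seg.payload + key).digest()


def sign_segment(seg: Segment, key: bytes) -> Segment:
    """Return a copy of seg carrying the MD5 option, NOP-padded to 4 bytes."""
    pad = bytes([TCP_NOP]) * ((-TCP_MD5_LEN) % 4)
    # The digest excludes the option bytes but the data offset (and hence the
    # pseudo-header length) must already account for them.
    sized = replace(seg, options=bytes([TCP_MD5_KIND, TCP_MD5_LEN]) + bytes(16) + pad)
    digest = tcp_md5_digest(sized, key)
    return replace(seg, options=bytes([TCP_MD5_KIND, TCP_MD5_LEN]) + digest + pad)


def extract_md5_option(options: bytes) -> Optional[bytes]:
    """Walk the TCP option list and return the 16-byte digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_EOL:
            break
        if kind == TCP_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            return None                       # truncated option header
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                       # malformed length
        if kind == TCP_MD5_KIND and length == TCP_MD5_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(seg: Segment, key: bytes) -> bool:
    """RFC 2385: a segment without a valid signature on a protected session is dropped."""
    received = extract_md5_option(seg.options)
    if received is None:
        return False
    return hmac.compare_digest(received, tcp_md5_digest(seg, key))


# Constructed sample payload: BGP KEEPALIVE (16-byte marker, length 19, type 4).
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
KEY = b"example-shared-secret"   # constructed demo key, not a real configuration value


def demo() -> dict:
    plain = Segment("192.0.2.1", "192.0.2.2", 179, 40001, seq=1000, ack=2000,
                    flags=0x18, window=65535, payload=BGP_KEEPALIVE)
    signed = sign_segment(plain, KEY)
    tampered = replace(signed, payload=BGP_KEEPALIVE[:-1] + b"\x02")  # message type altered
    return {
        "genuine": verify_segment(signed, KEY),
        "tampered": verify_segment(tampered, KEY),
        "wrong_key": verify_segment(signed, b"other-secret"),
        "unsigned": verify_segment(plain, KEY),
    }


if __name__ == "__main__":
    print(demo())
```

Only the genuine segment verifies. Note that nothing in the computation involves a sequence counter or a fresh key: replay within the window of valid TCP sequence numbers and long-term key exposure are exactly the gaps the slide attributes to TCP MD5 and that IPsec with IKE addresses.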

11 Issues and Next Steps
Automated key management for the IPsec softwire mesh tunnel per RFC4107 (Guidelines for Cryptographic Key Management): memo of 3/23/06
Consideration for a transit network consisting of multiple domains, because the inter-AS connection is in the scope of softwire mesh.
Multicast case
Document update