Stein-64 Slide 1 PW security requirements PWE3 – 64 th IETF 10 November 2005 Yaakov (J) Stein.

Presentation transcript:

Stein-64 Slide 1 PW security requirements PWE3 – 64 th IETF 10 November 2005 Yaakov (J) Stein

Stein-64 Slide 2 The time has come
- the time has come to address PW security
- PWs are being deployed – no longer only on paper
- attacks on PWs can impact numerous end-users
- PWs have special features that may be exploited by hackers

Stein-64 Slide 3 Some threats on PWs
- accidental connection to untrusted network, compromising user traffic
- maliciously setting up a PW to gain access to a customer network
- forking of a PW to snoop PW packets
- malicious rerouting of a PW to snoop or modify PW packets
- unauthorized tearing down of a PW
- unauthorized snooping of PW packets
- traffic analysis of PW connectivity
- unauthorized deletion of PW packets
- unauthorized modification of PW packets
- unauthorized insertion of PW packets
- replay of PW packets
- denial of service or significantly impacting PW service quality

Stein-64 Slide 4 Out of scope
- customer networks security
- attachment circuit security
- considerations common to all MPLS networks
- L2TPv3 PWs (should be done in L2TPEXT WG)
- considerations specific to multisegment PWs

Stein-64 Slide 5 PW security weaknesses
- PW label is the only identifier in packet
  - no verifiable source address, cookies, etc.
  - relatively easy to introduce seemingly valid foreign packets
- CW sequence number can be used for DoS attack
  - SN processing allows dropping late packets
  - so by inserting a future packet, legitimate packets are lost
  - even if re-ordering is performed, QoS may be impacted
- PWE control protocol doesn't mandate authentication
  - can use LDP-MD5 or secure TCP connection
  - should provide ingress filtering on LDP messages
- VPLS, autodiscovery, and MS-PWs all introduce new problems
  - will not be treated here
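The sequence-number weakness on slide 5 is easiest to see by running it. The following is an added illustration, not code from the slides or from any PWE3 implementation: it builds constructed PW packets with a generic control word (the 0000 nibble, flags, FRG, length and 16-bit sequence number layout is this example's assumption), feeds them through a receiver that implements the usual "late packets are dropped, future packets resynchronise" rule, and shows that one forged future packet makes every following legitimate packet look late. A second receiver shows one possible hardening (the bound on how far a single packet may move the expectation, and the short consistent run required before resynchronising, are assumptions of the example, not something the slides propose).

```python
# Added illustration of the CW sequence-number weakness from slide 5 (not
# code from the slides). Packets and control-word layout are constructed here.
import struct

SEQ_MOD = 1 << 16


def build_control_word(seq, flags=0, frg=0, length=0):
    """Pack a 4-byte generic PW control word; the first nibble is always 0000."""
    word = (flags & 0xF) << 24 | (frg & 0x3) << 22 | (length & 0x3F) << 16 | (seq & 0xFFFF)
    return struct.pack("!I", word)


def parse_control_word(cw):
    """Return (flags, frg, length, seq); reject anything whose first nibble is not 0000."""
    if len(cw) != 4:
        raise ValueError("control word must be 4 bytes")
    (word,) = struct.unpack("!I", cw)
    if word >> 28 != 0:
        raise ValueError("first nibble must be 0000 for a PW control word")
    return (word >> 24) & 0xF, (word >> 22) & 0x3, (word >> 16) & 0x3F, word & 0xFFFF


def next_seq(seq):
    """Sequence numbers run 1..65535 and wrap to 1 (0 means 'not sequenced')."""
    return 1 if seq == 0xFFFF else seq + 1


class NaiveReceiver:
    """Typical SN processing: a packet at or ahead of the expected number is
    delivered and resets the expectation; anything behind it is 'late' -> drop."""

    def __init__(self):
        self.expected = None
        self.delivered, self.dropped = [], []

    def receive(self, packet):
        seq = parse_control_word(packet[:4])[3]
        if self.expected is None:
            self.expected = seq
        ahead = (seq - self.expected) % SEQ_MOD
        if ahead < SEQ_MOD // 2:            # in order, or a future packet
            self.delivered.append(seq)
            self.expected = next_seq(seq)   # one packet moves the expectation
            return True
        self.dropped.append(seq)            # considered late
        return False


class BoundedReceiver(NaiveReceiver):
    """Illustrative hardening (assumption of this example): a single packet may
    advance the expectation by at most MAX_JUMP; a larger jump is only trusted
    after RESYNC_AFTER consecutive packets continue from it."""
    MAX_JUMP = 64
    RESYNC_AFTER = 3

    def __init__(self):
        super().__init__()
        self.pending = None   # (last seq of the suspicious run, run length)

    def receive(self, packet):
        seq = parse_control_word(packet[:4])[3]
        if self.expected is None:
            self.expected = seq
        ahead = (seq - self.expected) % SEQ_MOD
        if ahead < SEQ_MOD // 2 and ahead <= self.MAX_JUMP:
            self.pending = None
            self.delivered.append(seq)
            self.expected = next_seq(seq)
            return True
        # Large forward jump or late packet: do not trust it on its own.
        if self.pending and seq == next_seq(self.pending[0]):
            self.pending = (seq, self.pending[1] + 1)
        else:
            self.pending = (seq, 1)
        if self.pending[1] >= self.RESYNC_AFTER:   # a consistent run: genuine resync
            self.pending = None
            self.expected = next_seq(seq)
            self.delivered.append(seq)
            return True
        self.dropped.append(seq)
        return False


def simulate(receiver_cls):
    """Constructed stream: legitimate packets 1..5, one forged 'future' packet
    (seq 5000), then legitimate packets 6..10. Returns (delivered, dropped)."""
    rx = receiver_cls()
    stream = [build_control_word(s) + b"legit" for s in range(1, 6)]
    stream.append(build_control_word(5000) + b"forged")
    stream += [build_control_word(s) + b"legit" for s in range(6, 11)]
    for pkt in stream:
        rx.receive(pkt)
    return rx.delivered, rx.dropped


if __name__ == "__main__":
    print("naive:  ", simulate(NaiveReceiver))     # 6..10 are all lost
    print("bounded:", simulate(BoundedReceiver))   # only the forged packet is dropped
```

With the naive rule the single forged packet moves the expectation to 5001, so the next five legitimate packets are all discarded as late; the bounded receiver drops the forged packet and nothing else. The bound is a trade-off, since a genuine burst loss longer than MAX_JUMP now needs a few packets before the receiver follows it.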

Stein-64 Slide 6 PW security strength
- most attacks require compromising PE or P LSRs
  - although not necessarily those along PW path
- adequate protection of control plane messaging can be sufficient
- can't insert a packet with proper format from outside SP network
  [figure: PW packet label stack – MPLS label (S=0), PW label (S=), control word]
- L2TPv3 without cookies can have valid format packets inserted

Stein-64 Slide 7 PW man-in-the-middle
- impostor causes 2 PWs to be set up, and stitches them
- impostor can snoop, delete, insert, change, etc. packets
- Note that this is different from a PSN man-in-the-middle where a P LSR is compromised (not handled here)
[figure: PE, S-PE, PE and P LSR, with two PWE control protocol sessions]

Stein-64 Slide 8 Another scenario
- in this scenario we compromise LSR or L2 not belonging to PW path
- exploit MPLS tunnel merging
- insert packet with PW label associated with PW being attacked
- by judicious use of CW SN we may be able to force massive packet loss
[figure: PE and P LSRs]

Stein-64 Slide 9 PW packet encryption
- to secure PW traffic from interception we may encrypt
  - below PW level (link encryption)
  - at PW level (new)
  - above PW level (service encryption)
- PW level encryption
  - can't encrypt PW label (not legal MPLS)
  - shouldn't we encrypt the control word? since we would lose the 0000 nibble and the sequence number (see below)
  - so how is it different from service encryption?
  - no packet reliability (retransmission) at PW level, so PW level encryption must work with packet loss
  - can rekey based on sequence number (can learn from wireless encryption protocols)

Stein-64 Slide 10 VCCV extensions PWE3 – 64 th IETF 10 November 2005 Yaakov (J) Stein

Stein-64 Slide 11 2 PW OAM methods
- original TDMoIP OAM
  - 1 OAM PW per PSN tunnel
  - assume defects/performance are the same for all PWs in tunnel
- VCCV style OAM
  - OAM packets in each PW
  - higher overhead (BW) when there are many PWs in tunnel

Stein-64 Slide 12 Performance Measurement
- VCCV presently provides only connectivity verification
- full PW OAM should also provide measurements of
  - one way and round trip delay
  - PDV (+ distribution? spectrum?)
  - packet loss ratio
- for TDM PWs it is also useful to
  - monitor backup PWs for fast switch-over
  - maintain clock synchronization for multiple TDM PWs
- CW format: use PWACH

Stein-64 Slide 13 PW Performance OAM format
[figure: packet format with fields labelled associated channel type, type code, service specific info, PWACH, VERSION, RESERVED (type code needs IANA allocation), timestamps]

Stein-64 Slide 14 Open questions
- what should the time format be?
  - RTP style – 32 bit based on N*8KHz
  - NTP style – seconds expressed as 32 bit integer + 32 bit fraction
  - ICMP style – 32 bit milliseconds
  - IEEE 1588 style – 32 bit seconds + 32 bit nanoseconds
- how many timestamps?
  - 1 – for approximate round-trip
  - 2 – for approximate one-way
  - 3 – for round-trip with Δt
  - 4 – for ICMP-like timestamps
  - many – for IEEE 1588-like timestamps
- what about loop-back requests?
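To make slides 12 to 14 concrete, here is an added example (written for this page, not code from the slides or from any OAM implementation) that encodes one instant in each of the four candidate timestamp formats and then derives the slide 12 measurements from a constructed set of probe timestamps: one-way delay from two timestamps, round trip with the responder's Δt removed from four (t1 request sent, t2 request received, t3 reply sent, t4 reply received), peak-to-peak PDV over the one-way delays, and the loss ratio from probes sent versus answered. Times are exact Fractions of a second so the results are not blurred by float rounding; the sample values are constructed.

```python
# Added example for slides 12-14 (not from the slides): timestamp formats and
# delay / PDV / loss computations over constructed probe timestamps.
from fractions import Fraction as F


def to_ntp(t):
    """NTP style: 32-bit integer seconds + 32-bit fraction, packed into 64 bits."""
    sec, frac = divmod(F(t), 1)
    return (int(sec) & 0xFFFFFFFF) << 32 | int(frac * (1 << 32))


def from_ntp(v):
    return F(v >> 32) + F(v & 0xFFFFFFFF, 1 << 32)


def to_rtp(t, rate=8000):
    """RTP style: 32-bit tick counter at N*8 kHz (N=1 by default)."""
    return int(F(t) * rate) & 0xFFFFFFFF


def to_icmp_ms(t):
    """ICMP timestamp style: 32-bit milliseconds."""
    return int(F(t) * 1000) & 0xFFFFFFFF


def to_ieee1588(t):
    """IEEE 1588 style: (32-bit seconds, 32-bit nanoseconds)."""
    sec, frac = divmod(F(t), 1)
    return int(sec) & 0xFFFFFFFF, int(frac * 10**9)


def rtt_approx(t1, t4):
    """1 timestamp echoed back: round trip including responder processing time."""
    return F(t4) - F(t1)


def one_way(t1, t2):
    """2 timestamps: one-way delay; only meaningful with synchronised clocks."""
    return F(t2) - F(t1)


def rtt_minus_dt(t1, t2, t3, t4):
    """Round trip with the responder's dt = t3 - t2 removed."""
    return (F(t4) - F(t1)) - (F(t3) - F(t2))


# Constructed probe records (t1, t2, t3, t4) in seconds for three answered
# probes out of four sent; the fourth was lost.
SAMPLES = [
    (F("100.000"), F("100.010"), F("100.012"), F("100.025")),
    (F("101.000"), F("101.012"), F("101.013"), F("101.030")),
    (F("102.000"), F("102.011"), F("102.014"), F("102.026")),
]


def analyse(samples, sent):
    """Summarise the slide 12 measurements over answered probe records."""
    rtts = [rtt_minus_dt(*s) for s in samples]
    ows = [one_way(s[0], s[1]) for s in samples]
    return {
        "rtt_min": min(rtts),
        "rtt_max": max(rtts),
        "one_way_min": min(ows),
        "pdv_peak_to_peak": max(ows) - min(ows),   # simplest PDV figure
        "loss_ratio": F(sent - len(samples), sent),
    }


if __name__ == "__main__":
    for k, v in analyse(SAMPLES, sent=4).items():
        print(f"{k}: {v} ({float(v):.3f})")
    print("1.5 s as NTP:", hex(to_ntp(F(3, 2))), "as 1588:", to_ieee1588(F(3, 2)))
```

The four-timestamp form is the ICMP-like one from slide 14; dropping t4 (the receiver takes it locally) gives the three-timestamp "round-trip with Δt" case, and keeping only t1 and t2 gives the one-way estimate, whose accuracy is bounded by clock synchronisation rather than by the timestamp format.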