Published by Harold Shaw. Modified over 8 years ago.
1
CDNI URI Signing (draft-leung-cdni-uri-signing-01)
CDNI Working Group, IETF 85, Atlanta, Georgia, November 8, 2012
Kent Leung (kleung@cisco.com)
Francois Le Faucheur (flefauch@cisco.com)
Matt Caulfield (mcaulfie@cisco.com)
2
Background
URI Signing provides content access authorization:
  URI is embedded with information that can be validated to ensure the request has legitimate access to the content; symmetric or asymmetric keys used
  A signed URI is provided by the CSP (i.e. URI signer) to the user out of band (e.g. web site navigation)
  When the user selects the URI, the HTTP request is sent to the CDN. CDN validates the signed URI before delivering the content.
BUT … there are no standards today
3
Multi-CDN Environment
URI Signing in CDNI:
  When the user selects the URI (i.e. signed URI from CSP), the HTTP request is sent to the Upstream CDN which assigns the Downstream CDN
  HTTP request is sent to the Downstream CDN, which validates the signed URI before delivering the content
4
Goal
Standardize the URI Signing method with defined attributes and extensible algorithm
Enhance CDNI Interfaces
HTTP-based request routing – Hop by hop, URI re-signed
DNS-based request routing – Signed URI (to uCDN) is received by dCDN
Note: DNS-based request routing using symmetric key is problematic when Delivering CDN does not have trust relationship with the CSP.
5
Attribute Conveyance
URI Syntax (RFC 3986)

    foo://example.com:8042/over/there?name=ferret#nose
    \_/   \______________/\_________/ \_________/ \__/
     |           |            |            |        |
  scheme     authority       path        query   fragment

Two parts in the query component of URI:
A. Attributes that convey authorization restrictions (e.g. source IP address and time period)
B. Message digest that confirms the integrity and authenticity of the URI provided by the URI creator.
6
Authorization Attributes (Keywords)
Version (VER) - An integer used for identifying the version of URI signing method with its set of capabilities.
Expiry Time (ET) - Time in seconds when URL expires since midnight 1/1/1970 UTC (i.e. UNIX epoch).
Client IP (CIP) - IP address of the client in a dotted decimal format.
Key Owner (KO) - Identifier of secret key owner in an integer format.
Key ID (KN) - A number that is used as an index to the key used to validate the URI signature.
Hash Function (HF) - A string used for identifying the hash algorithm (e.g. "MD5", "SHA1").
Algorithm (ALG) - An integer used for identifying the algorithm to compute the URI signature.
Client ID (CID) - Identifier of the client such as IMSI, MSISDN, MEID, MAC address, etc. (Ed: Is this attribute needed?)
7
Signing and Validation
Attributes and their values in URI are needed to enforce distribution policy; IANA assigned attribute keywords specified in the query string for the URI Signing function only when URI Signing is used and only in the context of CDNI
Algorithm dictates entire URI or URI without scheme part is protected by message digest; extensible to other methods
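A sketch of the signing and validation flow from the slides above, added here as an example and not taken from the draft or the presenters: it appends the listed attributes, protects the URI without its scheme using an HMAC, and returns the validation events named on the CDNI Logging slide. The digest parameter name MD, the key store, the attribute order and the hash allowlist are assumptions.

```python
import hashlib
import hmac
import ipaddress
import time
from urllib.parse import parse_qsl, urlsplit

# Constructed sample key store indexed by (Key Owner, Key ID); the key is illustrative.
KEYS = {(1, 7): b"constructed-demo-shared-key"}
# Validator-side allowlist: the HF attribute can only select a hash listed here.
HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256}
DIGEST_PARAM = "MD"  # assumed name for the message digest parameter


def sign_uri(uri, key_owner, key_id, expiry, client_ip, hf="SHA256"):
    """Append the authorization attributes, then an HMAC over the URI without its scheme."""
    sep = "&" if "?" in uri else "?"
    unsigned = (f"{uri}{sep}VER=1&ET={expiry}&CIP={client_ip}"
                f"&KO={key_owner}&KN={key_id}&HF={hf}")
    protected = unsigned.partition("://")[2].encode()
    mac = hmac.new(KEYS[(key_owner, key_id)], protected, HASHES[hf]).hexdigest()
    return f"{unsigned}&{DIGEST_PARAM}={mac}"


def validate_uri(signed_uri, client_ip, now=None):
    """Return one of the validation events a CDN would log for this request."""
    unsigned, marker, received = signed_uri.rpartition(f"&{DIGEST_PARAM}=")
    if not marker:
        return "incorrect URI signature"
    attrs = dict(parse_qsl(urlsplit(unsigned).query))
    try:
        key = KEYS[(int(attrs["KO"]), int(attrs["KN"]))]
        digestmod = HASHES[attrs["HF"]]
        expiry = int(attrs["ET"])
        signed_ip = ipaddress.ip_address(attrs["CIP"])
    except (KeyError, ValueError):
        return "incorrect URI signature"
    protected = unsigned.partition("://")[2].encode()
    expected = hmac.new(key, protected, digestmod).hexdigest()
    # Verify the digest in constant time before enforcing any attribute value.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return "incorrect URI signature"
    if (time.time() if now is None else now) >= expiry:
        return "expired signed URI"
    if ipaddress.ip_address(client_ip) != signed_ip:
        return "invalid client IP address"
    return "successful validation"
```

Because the scheme is excluded from the protected string, the same signed URI validates over http and https; any change to an attribute value or to the path invalidates the digest.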
8
CDNI Interfaces (Work in Progress)
Capabilities Advertisement
  URI Signing support and its version
  CDNI Metadata for URI Signing support
CDNI Metadata
  Content access control indication
  Type of access control. Specifically, access to content is subject to URL signature validation
  Key (i.e. public key or shared key) along with its key index (i.e. Key Owner and Key ID) and type (asymmetric or symmetric) used for validating URI signature
  List of Downstream CDN authorized for key distribution (i.e. trust relationship between CSP and CDNs)
  Algorithm for HMAC to be used for validation.
CDNI Logging
  URI signature validation events (e.g. invalid client IP address, expired signed URI, incorrect URI signature, successful validation)
  Delivery log with confirmation of access control enforcement (i.e. Delivery CDN enforced URI Signing before content delivery)
9
Issues Tracking
Fix URI signing and validation for public key
Remove Client ID (CID) attribute or introduce IMSI, MSISDN, MEID, MAC address, etc. as separate attributes
CDNI Metadata Interface contains URI Signing required indication means Downstream CDN ensures URI must be signed and validated before content delivery; otherwise, Downstream does not perform validation regardless if URI is signed or not
Specify MUST/SHOULD/MAY in text
URI signing and validation steps are used as reference for operational logic and not specific implementation sequence
Flexible URI signing work item
CDNI Interfaces’ work items