Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rserpool Security Trust Argument draft-ietf-rserpool-asap-13.txt Maureen Stillman November 6, 2006

Published byMagdalen Reeves Modified over 8 years ago

Similar presentations

Presentation on theme: "Rserpool Security Trust Argument draft-ietf-rserpool-asap-13.txt Maureen Stillman November 6, 2006"— Presentation transcript:

1 Rserpool Security Trust Argument draft-ietf-rserpool-asap-13.txt Maureen Stillman November 6, 2006 maureen.stillman@nokia.com

2 Current Status Generate updates to security considerations sections for ASAP and ENRP

3 Threat Summary PE registration/deregistration flooding and/or spoofing (threat 2.1, 2.2, 2.3, 2.4) Security mechanism in response: ENRP server authenticates the PE ENRP PE Registration messages

4 Threat Summary PE registers with a malicious ENRP server (threat 2.6) Security mechanism in response: PE authenticates the ENRP server ENRP PE Mutual authentication

5 Threat Summary Malicious ENRP server joins the pool Mitigation: mutual authentication of ENRP servers ENRP Mutual authentication

6 Threat Summary PU communicates with a malicious ENRP server for name resolution (Threat 2.7, 2.12) Security mechanism in response: The PU authenticates the ENRP server. PU ENRP ENRP authentication

7 Threat Summary Replay attack (threat 2.8) –Can corrupt the ENRP database Mitigation: security mechanism that supports protection from replay attack

8 Threat Summary Threat 2.10) Corrupted data which causes a PU to have misinformation concerning a name resolution Security mechanism in response: Security protocol which supports integrity protection Threat 2.11) Eavesdropper snooping on namespace information Security mechanism in response: Security protocol which supports data confidentiality

9 Summary of Requirements Security mechanisms must provide support for authentication, integrity, data confidentiality and protection from replay attacks TLS supports all this and we selected that for our security mechanism –No need to invent new security mechanisms

10 Summary by component PU (rserpool client) Mandatory to implement –Authentication of ENRP server protects the client from malicious ENRP server –Confidentiality, integrity and protection from replay attacks

11 Summary by component PE Mandatory to implement –Authentication of ENRP server protects it from malicious ENRP server –Confidentiality, integrity and protection from replay attacks

12 Summary by component ENRP Mandatory to implement –Mutual authentication of ENRP server protects it from malicious ENRP server –Authentication of PE protects it from malicious PE –Confidentiality, integrity and protection from replay attacks

13 Rserpool Security Architecture using TLS = easy trust argument PU PE ENRP Server Authentication of ENRP server, integrity, replay, confidentiality ENRP Server Mutual authentication, integrity, replay, confidentiality

14 ENRP mixed security database ENRP PE A pool “foo” PE C pool “foo” ENRP foo Database PE A,C – secure PE B, D – not secure PE B pool “foo” PE D pool “foo”

15 Proposed Solution ENRP PE A pool “foo” PE C pool “foo” ENRP foo Database PE A,C – secure PE B pool “foo” PE D pool “foo” Security error Secure database

16 Mixed data base issues Need to mark PE registrations – some have used security to register others not When a PU requests a list, does it get the mixed list or one or the other? Makes implementation more complex Consensus reached – mixed database not allowed; either all secure or all not secured

17 Securing the control channel Two options –Data channel only –Control and data -- We have decided to multiplex the data and control channel When the data channel is secured, the control channel is as well due to the multiplex If data is not secured, neither is the control Consensus reached that this is adequate for securing the control channel

18 TLS cipher suite TLS has dozens of ciphersuites specified Client and server perform a handshake to determine cipher suite If they have no overlap; then communication is not possible Usually specify a mandatory to implement ciphersuite to get around this problem –Consensus is TLS_RSA_WITH_AES_128_CBC_SHA mandatory; TLS_RSA_WITH_3DES_EDE_CBC_SHA recommended

19 Next steps Finish security update to ASAP and ENRP protocol

Download ppt "Rserpool Security Trust Argument draft-ietf-rserpool-asap-13.txt Maureen Stillman November 6, 2006"

Similar presentations

April 23, 20021 XKMS Requirements Update Frederick Hirsch, Mike Just April 23, 2002 Goals Requirements Summary –General, Security Last Call Issues –For.

April 23, XKMS Requirements Update Frederick Hirsch, Mike Just April 23, 2002 Goals Requirements Summary –General, Security Last Call Issues –For.
SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
SSL Protocol By Oana Dini. Overview Introduction to SSL SSL Architecture SSL Limitations.

SSL Protocol By Oana Dini. Overview Introduction to SSL SSL Architecture SSL Limitations.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.

Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
11/10/031 ENRP and ASAP Updates and Issues Presenter: Qiaobing Xie November 10, 2003.

11/10/031 ENRP and ASAP Updates and Issues Presenter: Qiaobing Xie November 10, 2003.
1 SASP v1 (Server/Application State Protocol) draft-bivens-sasp-00.txt Alan Bivens IBM Research New York, USA IETF 60.

1 SASP v1 (Server/Application State Protocol) draft-bivens-sasp-00.txt Alan Bivens IBM Research New York, USA IETF 60.
SIP Security Matt Hsu.

SIP Security Matt Hsu.
Chapter 8 Web Security.

Chapter 8 Web Security.
MagicNET: Security Architecture for Discovery and Adoption of Mobile Agents Presented By Mr. Muhammad Awais Shibli.

MagicNET: Security Architecture for Discovery and Adoption of Mobile Agents Presented By Mr. Muhammad Awais Shibli.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
1 /10 Pascal URIEN, IETF 66 h, Wednesday July 12 th,Montreal, Canada draft-urien-badra-eap-tls-identity-protection-00.txt

1 /10 Pascal URIEN, IETF 66 h, Wednesday July 12 th,Montreal, Canada draft-urien-badra-eap-tls-identity-protection-00.txt
IEEE 802.11i WPA2. IEEE 802.11i (WPA2) IEEE 802.11i, is an amendment to the 802.11 standard specifying security mechanisms for wireless networks. The.

IEEE i WPA2. IEEE i (WPA2) IEEE i, is an amendment to the standard specifying security mechanisms for wireless networks. The.
RADIUS Crypto-Agility Requirements November 18, 2008 David B. Nelson IETF 73 Minneapolis.

RADIUS Crypto-Agility Requirements November 18, 2008 David B. Nelson IETF 73 Minneapolis.
PAWS: Security Considerations Yizhuang WU, Yang CUI PAWS WG 2012.07.30.

PAWS: Security Considerations Yizhuang WU, Yang CUI PAWS WG
1 NIST Key State Models SP800-57 Part 1SP800-130 (Draft)

1 NIST Key State Models SP Part 1SP (Draft)
MWIF Confidential MWIF-Arch Security Task Force Task 5: Security for Signaling July 11, 2001 Baba, Shinichi Ready for MWIF Kansas.

MWIF Confidential MWIF-Arch Security Task Force Task 5: Security for Signaling July 11, 2001 Baba, Shinichi Ready for MWIF Kansas.
1 Pascal URIEN, IETF 63th Paris, France, 2nd August 2005 “draft-urien-eap-smartcard-type-02.txt” EAP Smart Card Protocol (EAP-SC)

1 Pascal URIEN, IETF 63th Paris, France, 2nd August 2005 “draft-urien-eap-smartcard-type-02.txt” EAP Smart Card Protocol (EAP-SC)

Similar presentations

Ads by Google