Presentation is loading. Please wait.

Presentation is loading. Please wait.

Distributed Keyservers

Published byHolly Harris Modified over 6 years ago

Similar presentations

Presentation on theme: "Distributed Keyservers"— Presentation transcript:

1 Distributed Keyservers
J.W. Atwood 2008/03/11

2 Group Keying draft-tsvwg-rsvp-security-groupkeying Trust models
RSVP keying models Interface, Neighbor, Group Provisioning of keys Shared security domains Separate security domains

3 PIM-SM Security Domains
Single domain Multicast messages PIM-SM is inherently a “single administrative domain” protocol

4 Levels of Security One shared key per security domain
No replay protection No data origin authentication Possible to do manually One key per sender (n+1) SAs per router “harder” to manage Must have automatic key management

5 Similarities and Differences
RSVP Unicast communication Intervening router may not support RSVP PIM-SM Multicast communication Neighbor is guaranteed to be adjacent

6 ..2 OSPFv3 Multicast communication Neighbor is adjacent
Unicast routing may not be “up”  key may need to come from at most one hop away.

7 An Example Network Useful to explore the management of keys and SAs

8 Basic Network R6 R5 R4 R3 R2 R11 R10 R9 R8 R7 R14 R13 R12 R1

9 R1 as Sender R6 R5 R4 R3 R2 R11 R10 R9 R8 R7 R14 R13 R12 R1

10 R9 as Sender R6 R5 R4 R3 R2 R11 R10 R9 R8 R7 R14 R13 R12 R1

11 R1 as Receiver R6 R5 R4 R3 R2 R11 R10 R9 R8 R7 R14 R13 R12 R1

12 Communications Model Each router is the origin for a small group
That router is the (only) sender) All its neighbors are the receivers All these groups share the ALL_PIM_ROUTERS group, but can be distinguished by the sender address

13 ..2 To manage this, we can mandate one of the following:
A single key for the entire administrative region A key per “speaking router” This will be an element of “policy” for the routers

14 (Group) Security Association Management
The SPIs have to be centrally allocated, to ensure uniqueness, because the multicast groups have multiple receivers The GC will do this

15 Key management architecture
For the single key case, the GC/KS needs to distribute the (shared) key to all routers For the one-key per router case, each speaking router needs to distribute its key to all adjacent routers Overall control of the adjacencies should be centralized, for network operator convenience

16 ..2 We can model this as a central Group Controller (GC) and N distributed Key Servers (KS) (one per router) Each KS is initialized with its adjacencies at installation time, along with the address of the group controller for the PIM-SM “control plane key management group”

17 ..3 On startup, the last known configuration of adjacencies is used, and then refreshed from the GC after an appropriate interval. Only the GC needs to be replicated for reliability (if an individual router is down, it is not needed as a key server)

18 Management of the “key management” group
The GDOI GC/KS is formulated as a centralized entity. An extension needs to be specified To specify the protocol between a centralized GC and the (thousands of) individual KS  Is there interest in MSEC to host this work?

19 Adjacency lists in the GC/KS
Question of deciding which router(s) are entitled to receive keys from a “speaking router” Some sort of global (to the secure region) unique identification Applicable to many routing protocols Represents “policy” I took it to kmart BOF

20 Questions?

Download ppt "Distributed Keyservers"

Similar presentations

Router Identification Problem Statement J.W. Atwood 2008/03/11

Router Identification Problem Statement J.W. Atwood 2008/03/11
Future Directions For IP Architectures Ipv6 Cs686 Sadik Gokhan Caglar.

Future Directions For IP Architectures Ipv6 Cs686 Sadik Gokhan Caglar.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
Hierarchy of Routing Knowledge IP Routing: All routers within domains that carry transit traffic have to maintain both interior and exterior routing information.

Hierarchy of Routing Knowledge IP Routing: All routers within domains that carry transit traffic have to maintain both interior and exterior routing information.
OSD Metadata Management

OSD Metadata Management
Multicast Communication

Multicast Communication
CS 6401 IPv6 Outline Background Structure Deployment.

CS 6401 IPv6 Outline Background Structure Deployment.
Layering and the TCP/IP protocol Suite  The TCP/IP Protocol only contains 5 Layers in its networking Model  The Layers Are 1.Physical -> 1 in OSI 2.Network.

Layering and the TCP/IP protocol Suite  The TCP/IP Protocol only contains 5 Layers in its networking Model  The Layers Are 1.Physical -> 1 in OSI 2.Network.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 4 v3.0 Module 1 Scaling IP Addresses.

1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 4 v3.0 Module 1 Scaling IP Addresses.
Module 3: Designing IP Addressing. Module Overview Designing an IPv4 Addressing Scheme Designing DHCP Implementation Designing DHCP Configuration Options.

Module 3: Designing IP Addressing. Module Overview Designing an IPv4 Addressing Scheme Designing DHCP Implementation Designing DHCP Configuration Options.
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 6 Internet Protocol (IP) Addressing.

Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 6 Internet Protocol (IP) Addressing.
Security Issues in PIM-SM Link-local Messages J.W. Atwood, Salekul Islam {bill, Department.

Security Issues in PIM-SM Link-local Messages J.W. Atwood, Salekul Islam {bill, Department.
Securing PIM-SM Link-Local Messages J.W. Atwood Salekul Islam Concordia University draft-atwood-pim-sm-linklocal-01.

Securing PIM-SM Link-Local Messages J.W. Atwood Salekul Islam Concordia University draft-atwood-pim-sm-linklocal-01.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 4 v3.0 Module 1 Scaling IP Addresses.

1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 4 v3.0 Module 1 Scaling IP Addresses.
Multicast Routing. Unicast: one source to one destination Multicast: one source to many destinations Two main functions: – Efficient data distribution.

Multicast Routing. Unicast: one source to one destination Multicast: one source to many destinations Two main functions: – Efficient data distribution.
CCNA 4 v3.1 Module 1 Scaling IP Addresses

CCNA 4 v3.1 Module 1 Scaling IP Addresses
1 Achieving Local Availability of Group SA Ya Liu, Bill Atwood, Brian Weis,

1 Achieving Local Availability of Group SA Ya Liu, Bill Atwood, Brian Weis,
Routing in the Inernet Outcomes: –What are routing protocols used for Intra-ASs Routing in the Internet? –The Working Principle of RIP and OSPF –What is.

Routing in the Inernet Outcomes: –What are routing protocols used for Intra-ASs Routing in the Internet? –The Working Principle of RIP and OSPF –What is.
Link-local security J.W. Atwood, S. Islam PIM Working Group 2007/12/04

Link-local security J.W. Atwood, S. Islam PIM Working Group 2007/12/04
1 OSPFv3 Automated Group Keying Requirements draft-liu-ospfv3-automated-keying-req-01.txt Ya Liu, Russ White,

1 OSPFv3 Automated Group Keying Requirements draft-liu-ospfv3-automated-keying-req-01.txt Ya Liu, Russ White,

Similar presentations

Ads by Google