Presentation is loading. Please wait.

Presentation is loading. Please wait.

Controlling Service Function Access to NSH

Published bySusanti Cahyadi Modified over 6 years ago

Similar presentations

Presentation on theme: "Controlling Service Function Access to NSH"— Presentation transcript:

1 Controlling Service Function Access to NSH
IETF 97 – Seoul SFC WG Vu Anh Vu – Younghan Kim - IETF 97 Seoul

2 Problem Statement Should SFs be trusted ??
Operator deploy and operate SFs => Ok, let’s trust them but ... how much ??? SFs can be malnipulated by malwares SFs can be malfunctioned Third-party SFs Service provider outsource their services Enterprise rent external SFs from SPs Transportation network security threats (man-in-the middle, SF spoof, etc.) IETF 97 Seoul

3 Problem Statement What if a SF can malnipulate:
SPI: wrong service path redirect SI: forwarding loop or skip SFs Metadata: Information leaking (sub) NSH information must be protected Header encryption: costly The document propose an inexpensive mechanism to protect the sensitive information in NSH IETF 97 Seoul

4 Terminologies Access-Controlled Segment (ACS): an area/field within NSH that carries a piece of sensitive SFC information needed to be protected SF Access Control List (SF ACL): a list describes the access permission of an SF to each ACS in the packet NSH-state: a set of value/information stored in the NSH of a packet at a particular moment IETF 97 Seoul

5 Access Control Policies
An Access Control List of an SF contains access permissions of the SF to each ACS Three levels of permission to access an ACS Hidden: the SF cannot view the information in this ACS Read-only: the SF can view, but cannot modify the information in this ACS Write: the SF can view and modify the information in this ACS IETF 97 Seoul

6 Mechanism Only give SFs what information they need to access
SFFs cannot control SFs not to modify SFC information, but they can choose to discard the modification Advantages: Obscure sensitive information Detect abnormal SF behavior SFs are unaware of being controlled IETF 97 Seoul

7 Flow tracking Track the packet between ingress and egress Sub-CFs in order to recover the appropriate NSH state: Reclassification: i.e. Using 5-tuple Using Metadata IETF 97 Seoul

8 Implementation Demo in IETF 97Hackathon
Using OpenDaylight as control plane and OVS as dataplane SFF and CF are combine into a OVS Using flow-rule to save NSH-state IETF 97 Seoul

9 Consideration Define MD mask for SF: Only give SFs what information they need to access Dynamic MD for concealing information : MCH value changes constantly between SFs to conceal the real value Subsequent CF handle value mapping IETF 97 Seoul

10 Discussion Should Service Path Header be access controlled or only MD?
Addition requirements for access control for MD type 2 NSH-State sync between ingress and egress Sub-CFs IETF 97 Seoul

11 Thank you !!! IETF 97 Seoul

Download ppt "Controlling Service Function Access to NSH"

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Network Service Header (NSH) draft-quinn-sfc-nsh IETF 90

Network Service Header (NSH) draft-quinn-sfc-nsh IETF 90
Routing Security Capabilities draft-zhao-opsec-routing-capabilities-02.txt OPSEC WG, IETF #66.

Routing Security Capabilities draft-zhao-opsec-routing-capabilities-02.txt OPSEC WG, IETF #66.
SFC Header Mapping for Legacy SF draft-song-sfc-legacy-sf-mapping-03 Haibin Song Jianjie You Lucy Yong.

SFC Header Mapping for Legacy SF draft-song-sfc-legacy-sf-mapping-03 Haibin Song Jianjie You Lucy Yong.
Report of Interconnectivity Testing of Service Function Chaining by Six Companies NTT Alaxala Networks Cisco Systems Hitachi Alcatel-Lucent Japan et al.

Report of Interconnectivity Testing of Service Function Chaining by Six Companies NTT Alaxala Networks Cisco Systems Hitachi Alcatel-Lucent Japan et al.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
1 Clark Wilson Implementation Shilpa Venkataramana.

1 Clark Wilson Implementation Shilpa Venkataramana.
Draft-ietf-sfc-architecture Prepared by Carlos Pignataro and Joel Halpern.

Draft-ietf-sfc-architecture Prepared by Carlos Pignataro and Joel Halpern.
Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
SFC OAM Requirements and Framework

SFC OAM Requirements and Framework
Company Confidential 1 © 2005 Nokia V1-Filename.ppt / yyyy-mm-dd / Initials Modification Proposals to Current TURN Spec Mikael Latvala.

Company Confidential 1 © 2005 Nokia V1-Filename.ppt / yyyy-mm-dd / Initials Modification Proposals to Current TURN Spec Mikael Latvala.
Analysis of Existing Work for I2NSF draft-zhang-gap-analysis-00 H.Rafiee Dacheng Zhang Huawei IETF 91 I2NSF BoF.

Analysis of Existing Work for I2NSF draft-zhang-gap-analysis-00 H.Rafiee Dacheng Zhang Huawei IETF 91 I2NSF BoF.
Network Security Essentials Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Network Security Essentials Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
A Survey on Secure Cloud Data Storage ZENG, Xi 1010105140 CAI, Peng 1010121750.

A Survey on Secure Cloud Data Storage ZENG, Xi CAI, Peng
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
Network Security Chapter 11 powered by DJ 1. Chapter Objectives  Describe today's increasing network security threats and explain the need to implement.

Network Security Chapter 11 powered by DJ 1. Chapter Objectives  Describe today's increasing network security threats and explain the need to implement.
Interworking between SIP and QSIG for call transfer draft-rey-sipping-qsig2sip-transfer-00.txt Jean-Francois Rey Alcatel IETF59.

Interworking between SIP and QSIG for call transfer draft-rey-sipping-qsig2sip-transfer-00.txt Jean-Francois Rey Alcatel IETF59.
Csci5233 computer security & integrity 1 An Overview of Computer Security.

Csci5233 computer security & integrity 1 An Overview of Computer Security.
Update on the IETF Diffserv Working Group NANOG 13 Detroit, MI June 8, 1998 Kathleen M. Nichols

Update on the IETF Diffserv Working Group NANOG 13 Detroit, MI June 8, 1998 Kathleen M. Nichols

Similar presentations

Ads by Google