Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 draft-fuller-lisp-ddt-01 DDT Security V. Fuller, D. Lewis, V. Ermagan Presenter: Vina Ermagan IETF 83, Paris – March 2012.

Published byHelen Stewart Modified over 9 years ago

Similar presentations

Presentation on theme: "1 draft-fuller-lisp-ddt-01 DDT Security V. Fuller, D. Lewis, V. Ermagan Presenter: Vina Ermagan IETF 83, Paris – March 2012."— Presentation transcript:

1 1 draft-fuller-lisp-ddt-01 DDT Security V. Fuller, D. Lewis, V. Ermagan Presenter: Vina Ermagan IETF 83, Paris – March 2012

2 2 Goals and Scope  Provide the following for the DDT lookup process – Data origin authentication – Data integrity protection – XEID-prefix delegation  Out of scope: – Global XEID prefix authorization

3 3 DDT1, PK1 0.0.0.0/0 DDT2, PK2 10.0.0.0/8 DDT4, PK4 10.1.0.0/16 MS7, PK7 10.1.1.0/24 MR preconfigured: DDT1,PK1 Security Architecture Overview DDT3, PK3 15.0.0.0/8 MS5, PK5 10.2.0.0/16 MS6, PK6 15.1.0.0/16 MS8, PK8 10.1.0.0/24  Each DDT node, and Map-Server configured with one or more Public/private key pair(s)  Map-Resolvers configured with one or more trusted public keys (usually the root)  DDT node private keys are used to digitally sign Map-Referral Records  Every DDT node also configured with its children’s Public Keys  Children public keys are included in the signed Map-Referral records

4 4 MR ITR ETR 10.1.0.0/24 Signing Referral Records Preconfigured: DDt1-PK1 Map-Request Map-Ref ([Record[Locator[PbKey]*]* + Sig]*) Map-Request Map-Ref ([Record[Locator[PbKey]*]* + Sig]*) Map-Reply + LISP-SEC DDT1, PK1 0.0.0.0/0 DDT2, PK2 10.0.0.0/8 MS7, PK7 10.1.1.0/24 Map-Request( Key Wrapped OTK ) Map-Request(OTK)  Provides origin auth and integrity protection for the record data  securely delegates a sub XEID- prefix to a child DDT node  Authenticates the child DDT public keys  Authorizes the child DDT node’s public key to provide further delegation of the associated XEID-prefix (including origin authentication and integrity protection)  MR can form an authentication chain of Pub keys to verify Map- Referrals

5 5 Map-Referral Format 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Type=6 |D|M| Reserved | Record Count | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Nonce... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |... Nonce | +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Record TTL | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ R | Locator Count | EID mask-len | ACT |A| Reserved | e +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ c |SigCnt | Map Version Number | EID-AFI | o +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ r | EID-prefix... | d +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | /| Priority | Weight | M Priority | M Weight | | L +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | o | Unused Flags |R| Loc/LCAF-AFI | | c +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | \| Locator... | +-> +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

6 6 Signature Format +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ /| Original Record TTL | / +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ / | Key Tag | Sig-Algorithm | Reserved | s +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ i | Signature Expiration | g +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \ | Signature Inception | \ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \~ Signature ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

7 7 Including Keys in referrals +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |... | Loc/LCAF AFI | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Rsvd1 | Flags | Type = 11 | Rsvd2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 4 + n | Key Count | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ /| Key-Algorithm | Reserved |R| Key Length | key+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \~ Key Material ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AFI = x | Locator Address... ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

8 8 Q&A  Thanks to Noel Chiappa for his major contribution to DDT Security design.

Download ppt "1 draft-fuller-lisp-ddt-01 DDT Security V. Fuller, D. Lewis, V. Ermagan Presenter: Vina Ermagan IETF 83, Paris – March 2012."

Similar presentations

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman

Olaf M. Kolkman. APNIC, 6 February 2014, Bangkok. DNSSEC and in-addr an update Olaf M. Kolkman
Holding the Internet Accountable David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker.

Holding the Internet Accountable David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker.
LISP Mobile Node LISP Mobile Node draft-meyer-lisp-mn-00.txt Dino Farinacci, Vince Fuller, Darrel Lewis and David Meyer IETF StockholmHiroshima LISP Working.

LISP Mobile Node LISP Mobile Node draft-meyer-lisp-mn-00.txt Dino Farinacci, Vince Fuller, Darrel Lewis and David Meyer IETF StockholmHiroshima LISP Working.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
IETF 72 – July 2008 Vince Fuller, Darrel Lewis, Eliot Lear, Scott Brim, Dave Oran, Noel Chiappa, John Curran, Dino Farinacci, and David Meyer LISP Deployment.

IETF 72 – July 2008 Vince Fuller, Darrel Lewis, Eliot Lear, Scott Brim, Dave Oran, Noel Chiappa, John Curran, Dino Farinacci, and David Meyer LISP Deployment.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
Cryptography and Network Security

Cryptography and Network Security
LISP MIB draft-lisp-mib-05 Vancouver IETF - LISP WG Gregg Schudel, Amit Jain, Victor Moreno July 2012.

LISP MIB draft-lisp-mib-05 Vancouver IETF - LISP WG Gregg Schudel, Amit Jain, Victor Moreno July 2012.
A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.

A New Approach to DNS Security (DNSSEC) Author: Giuseppe Ateniese Stefan Mangard Presenter: Liu, Xiaotao.
Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.

Slide 1 Many slides from Vitaly Shmatikov, UT Austin Public-Key Infrastructure CNS F2006.
NANOG-46 Philadelphia, June 2009 Vince Fuller & Dave Meyer (for the rest of the LISP crew: Noel Chiappa, Dino Farinacci, Darrel Lewis, Andrew Partan, and.

NANOG-46 Philadelphia, June 2009 Vince Fuller & Dave Meyer (for the rest of the LISP crew: Noel Chiappa, Dino Farinacci, Darrel Lewis, Andrew Partan, and.
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Centre for Wireless Communications University of Oulu, Finland

Centre for Wireless Communications University of Oulu, Finland
Lecture 12 e-mail Security. Summary  PEM  secure email  PGP  S/MIME.

Lecture 12 Security. Summary  PEM  secure  PGP  S/MIME.
Chapter 8 Web Security.

Chapter 8 Web Security.
Domain Name System Security Extensions (DNSSEC) Hackers 2.

Domain Name System Security Extensions (DNSSEC) Hackers 2.
DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.

DNS Security Brad Pokorny The University of Minnesota Informal Security Seminar 4/18/03.
Overview of Digital Signatures Introduction To Networks and Communications (CS 555) Presented by Bharath Kongara.

Overview of Digital Signatures Introduction To Networks and Communications (CS 555) Presented by Bharath Kongara.
INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.

INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.

Similar presentations

Ads by Google