Presentation is loading. Please wait.

Presentation is loading. Please wait.

Router Identification Problem Statement J.W. Atwood 2008/03/11

Published byElla Ortega Modified over 11 years ago

Similar presentations

Presentation on theme: "Router Identification Problem Statement J.W. Atwood 2008/03/11"— Presentation transcript:

1 Router Identification Problem Statement J.W. Atwood 2008/03/11 bill@cse.concordia.ca

2 Group Keying draft-tsvwg-rsvp-security-groupkeying Trust models RSVP keying models Interface, Neighbor, Group Provisioning of keys Shared security domains Separate security domains

3 PIM-SM Security Domains Single domain Multicast messages

4 Levels of Security One shared key per security domain No replay protection No data origin authentication Possible to do manually One key per sender (n+1) SAs per router harder to manage Must have automatic key management

5 Similarities and Differences RSVP Unicast communication Intervening router may not support RSVP PIM-SM Multicast communication Neighbor is guaranteed to be adjacent

6 ..2 OSPFv3 Multicast communication Neighbor is adjacent Unicast routing may not be up key may need to come from at most one hop away.

7 Communications Model Each router is the origin for a small group That router is the (only) sender) All its neighbors are the receivers All these groups share the ALL_PIM_ROUTERS group, but can be distinguished by the sender address

8 ..2 To manage this, we can mandate one of the following: A single key for the entire administrative region A key per speaking router This will be an element of policy for the routers

9 Key management architecture For the single key case, the GC/KS needs to distribute the (shared) key to all routers For the one-key per router case, each speaking router needs to distribute its key to all adjacent routers Overall control of the adjacencies should be centralized, for network operator convenience

10 ..2 We can model this as a central Group Controller (GC) and N distributed Key Servers (KS) (one per router) Each KS is initialized with its adjacencies at installation time, along with the address of the group controller for the PIM-SM control plane key management group

11 ..3 On startup, the last known configuration of adjacencies is used, and then refreshed from the GC after an appropriate interval. Only the GC needs to be replicated for reliability (if an individual router is down, it is not needed as a key server)

12 Management of the key management group The GDOI GC/KS is formulated as a centralized entity. An extension needs to be specified To specify the protocol between a centralized GC and the (thousands of) individual KS ask MSEC to host this work

13 Adjacency Lists in GCKS Question of deciding which router(s) are entitled to receive keys from a speaking router To ensure that rogue routers do not appear as neighbors of a particular router, the GC can maintain an adjacency matrix or adjacency lists, and only authorize true neighbors to receive the key for a particular speaker router

14 Router Identification Need some form of unique identification of routers PKI for the region under consideration Trust anchors Each sender needs to retain information on its permitted neighbors Periodic refresh; update when new neighbor appears

15 Global Problem To control adjacencies, we need a view of the entire region The solution could be applicable to any/all routing problems: PIM-SM, OSPFv3, RSVP, etc

16 Where? Where is the best place to do the work? Not clear that PIM WG is the right place!

17 Alternate Views of Validity of the Adjacency For IPv6 May be able to use the Neighbor Discovery functionality in IPv6 to certify the validity of a particular neighbor. Alternatively, a local KS may refer to the central GC to approve the distribution of a key

18 ..2 For IPv4 Need to use the central GC to approve the distribution of a key Alternatively, need to create an IPv4 equivalent for neighbor discovery and certification

19 Questions?

Download ppt "Router Identification Problem Statement J.W. Atwood 2008/03/11"

Similar presentations

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.
Extended Service Set (ESS) Mesh Network Daniela Maniezzo.

Extended Service Set (ESS) Mesh Network Daniela Maniezzo.
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
IPv6 Routing.

IPv6 Routing.
IPv6 Network Security.

IPv6 Network Security.
Www.opendaylight.org Secure Network Bootstrapping Infrastructure May 15, 2014.

Secure Network Bootstrapping Infrastructure May 15, 2014.
Hierarchy of Routing Knowledge IP Routing: All routers within domains that carry transit traffic have to maintain both interior and exterior routing information.

Hierarchy of Routing Knowledge IP Routing: All routers within domains that carry transit traffic have to maintain both interior and exterior routing information.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
TMN Workshop Antwerp, 27 May1998 EURESCOM Project P710 “Security for the TMN X-interface” by Pål Kristiansen, Telenor R&D  The need for TMN security &

TMN Workshop Antwerp, 27 May1998 EURESCOM Project P710 “Security for the TMN X-interface” by Pål Kristiansen, Telenor R&D  The need for TMN security &
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
OSD Metadata Management

OSD Metadata Management
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
Research on IP Anycast Secure Group Management Wang Yue Network & Distribution Lab, Peking University Network.

Research on IP Anycast Secure Group Management Wang Yue Network & Distribution Lab, Peking University Network.
X-Road (X-tee) A platform-independent secure standard interface between databases and information systems to connect databases and information systems.

X-Road (X-tee) A platform-independent secure standard interface between databases and information systems to connect databases and information systems.
Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.

Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.
Chapter 4: Managing LAN Traffic

Chapter 4: Managing LAN Traffic
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 9: Securing Network Traffic Using IPSec.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 9: Securing Network Traffic Using IPSec.
1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 6 Routing and Routing Protocols.

1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 6 Routing and Routing Protocols.

Similar presentations

Ads by Google