Presentation is loading. Please wait.

Presentation is loading. Please wait.

7/11/2006IETF-66 MSEC IPsec composite groups page 1 George Gross IdentAware ™ Multicast Security IETF-66, Montreal, Canada July.

Published byJanis Cameron Modified over 8 years ago

Similar presentations

Presentation on theme: "7/11/2006IETF-66 MSEC IPsec composite groups page 1 George Gross IdentAware ™ Multicast Security IETF-66, Montreal, Canada July."— Presentation transcript:

1 7/11/2006IETF-66 MSEC IPsec composite groups page 1 George Gross IdentAware ™ Multicast Security gmgross@IdentAware.com IETF-66, Montreal, Canada July 11 th 2006 Multicast IPsec Composite Cryptographic Groups

2 7/11/2006IETF-66 MSEC IPsec composite groups page 2 Composite Cryptographic Groups Definition: The logical group formed from union of two or more sub-groups, each sub- group supporting different cryptographic properties (e.g. IPsec software version). Composite groups occur when large-scale groups contains multiple protocol versions or multiple partially interoperable vendors. –e.g. retiring 3-DES, migrating to AES –software bug fixes

3 7/11/2006IETF-66 MSEC IPsec composite groups page 3 IPsec Subsystem Composite Group Requirements Multicast application is unaware of sub- groups, it only sends one packet to the composite group, not each sub-group. Must provide a mechanism where each data packet gets replicated for each sub-group, and treated with the respective sub-group’s IPsec cryptographic policy. IPsec policy per sub-group, set by its GCKS

4 7/11/2006IETF-66 MSEC IPsec composite groups page 4 Motivation for Composite Groups Can not easily upgrade a large-scale group, no “flag day” is allowed Cryptographic algorithms age or break, need strategy to move to new ones –witness recent attacks on MD5, SHA-1 Parallel vendor-specific sub-groups support different feature sets, want best combination Straddle IPv4 and IPv6 sub-groups

5 7/11/2006IETF-66 MSEC IPsec composite groups page 5 Sub-Group A A1 A4 Internet A2 A3 A0 A5 Sub-Group B B1 B4 B2 B3 B0 Group Speaker Host IPsec Subsystem B5 Transport mode multicast data security association Transport Mode IPsec

6 7/11/2006IETF-66 MSEC IPsec composite groups page 6 Composite Cryptographic Group IPsec Transport Mode End-to-end security, no plain-text on wire Supports Native, BITS, and BITW architectural modes Requires IPsec subsystem replicate each data SA packet for each sub-group before applying its cryptographic algorithms –do not want the multicast application to be aware of the cryptographic sub-groups

7 7/11/2006IETF-66 MSEC IPsec composite groups page 7 Sub-Group A A1 A4 Internet A2 A3 A0 A5 Sub-Group B B1 B4 B2 B3 B0 Group Speaker B5 Application data sent unencrypted across multicast LAN to security gateways IPsec Tunnel Endpoint IPsec Security Gateway IPsec Tunnel Endpoint IPsec Security Gateway multicast-capable LAN Tunnel Mode IPsec

8 7/11/2006IETF-66 MSEC IPsec composite groups page 8 Composite Cryptographic Group IPsec Tunnel Mode Application multicasts its data to two or more IPsec security gateways, one gateway per sub-group. Advantage: simply bolt together as many gateways as there are sub-groups Drawback: Unencrypted data must transit a trusted network to reach the gateways

9 7/11/2006IETF-66 MSEC IPsec composite groups page 9 Composite Groups Proposed for Experimental Track Request that draft-gross-ipsec-composite- group-00.txt become a MSEC WG item Publish as an IETF experimental RFC Revise and transition to a proposed standard RFC after: –additional operational experience –wider recognition by industry that this provides a solution that merits full standardization

10 7/11/2006IETF-66 MSEC IPsec composite groups page 10 Background Reading draft-gross-msec-ipsec-composite-group- 00.txt draft-ietf-msec-ipsec-extensions-02.txt RFC4301 - IP security architecture

Download ppt "7/11/2006IETF-66 MSEC IPsec composite groups page 1 George Gross IdentAware ™ Multicast Security IETF-66, Montreal, Canada July."

Similar presentations

IP security over ATM CS 329 Hwajung Lee Computer and Communications Security The George Washington University.

IP security over ATM CS 329 Hwajung Lee Computer and Communications Security The George Washington University.
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
11/07/2003IETF-58 MSEC and AAA page 1 George Gross, IdentAware ™ Security IETF-58, Minneapolis, MN November 10 th 2003 Multicast.

11/07/2003IETF-58 MSEC and AAA page 1 George Gross, IdentAware ™ Security IETF-58, Minneapolis, MN November 10 th 2003 Multicast.
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Network Security Essentials Chapter 8 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.

ECE 454/CS 594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall.
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
By Rod Lykins.  Background  Benefits  Security Advantages ◦ Address Space ◦ IPSec  Remaining Security Issues  Conclusion.

By Rod Lykins.  Background  Benefits  Security Advantages ◦ Address Space ◦ IPSec  Remaining Security Issues  Conclusion.
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.

Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
Network Security Sorina Persa Group 3250 Group 3250.

Network Security Sorina Persa Group 3250 Group 3250.
March 7, 2005MOBIKE WG, IETF 621 Mobility Protocol Options for IKEv2 (MOPO-IKE) Pasi Eronen.

March 7, 2005MOBIKE WG, IETF 621 Mobility Protocol Options for IKEv2 (MOPO-IKE) Pasi Eronen.
7/11/2006IETF-66 MSEC applied to RMT page 1 George Gross IdentAware ™ Multicast Security IETF-66, Montreal, Canada July 11 th 2006.

7/11/2006IETF-66 MSEC applied to RMT page 1 George Gross IdentAware ™ Multicast Security IETF-66, Montreal, Canada July 11 th 2006.
Cisco 1 - Networking Basics Perrine. J Page 19/17/2015 Chapter 9 What transport layer protocol does TFTP use? 1.TCP 2.IP 3.UDP 4.CFTP.

Cisco 1 - Networking Basics Perrine. J Page 19/17/2015 Chapter 9 What transport layer protocol does TFTP use? 1.TCP 2.IP 3.UDP 4.CFTP.

Similar presentations

Ads by Google