Presentation is loading. Please wait.

Presentation is loading. Please wait.

“Secure” migration to host identity based networks Kristian Slavov, Patrik Salmela Ericsson Research, NomadicLab NordicHIP 9.10.2007.

Published byVeronica Hutchinson Modified over 9 years ago

Similar presentations

Presentation on theme: "“Secure” migration to host identity based networks Kristian Slavov, Patrik Salmela Ericsson Research, NomadicLab NordicHIP 9.10.2007."— Presentation transcript:

1 “Secure” migration to host identity based networks Kristian Slavov, Patrik Salmela Ericsson Research, NomadicLab NordicHIP 9.10.2007

2 Assumptions Host Identity based network Hosts in the network utilise host identity binding protocols for communications Hosts in the network utilise host identity binding protocols for communications HIP, NodeID HIP, NodeID Legacy host Doesn’t support used communication protocols Doesn’t support used communication protocols Cannot address all hosts due to complex global network Cannot address all hosts due to complex global network Need to authenticates to the network Need to authenticates to the network

3 Problems Legacy host How to connect to a host not necessarily reachable via legacy techniques? How to connect to a host not necessarily reachable via legacy techniques? Peer host How to identify and authenticate the client? How to identify and authenticate the client? What is required? Security features, network protocol agility, name resolution Security features, network protocol agility, name resolution

4 HIP Proxy Basically a simple proxy Store-(modify)-forward Store-(modify)-forward Can do name resolution for the client host Can do name resolution for the client host Additional features Can create HIP connections on behalf of the legacy host Can create HIP connections on behalf of the legacy host Creates temporary host identities for legacy hosts Enables a mobile sub-network

5 Legacy Authentication Service Understands legacy authentication procedures SIM, HTTP-Digest, etc. SIM, HTTP-Digest, etc. Stores (host) identities for subscribed users AuC, AAA, etc. AuC, AAA, etc. Issues binding certificates for temporary and permanent (host) identities.

6 λ*λ* β β*β* LAS HIP Proxy Legacy host performs network attachment. HIP Proxy generates temporary identity for the legacy proxy. α*α*

7 λ*λ* β β*β* LAS HIP Proxy Legacy host authenticates itself to the network. A HIP connection is established between HIP proxy and the authentication server. α*α*

8 λ*λ* β β*β* LAS HIP Proxy As a result LAS creates identity binding certificate for the HIP proxy. α*α* α β

9 λ*λ* β β*β* LAS HIP Proxy Traffic sent by the legacy host is intercepted at the HIP proxy. New HIP association is created using identity certificate provided by the LAS. α*α* α β

10 Recap HIP Proxy creates temporary host identity to a legacy host Legacy host authenticates to LAS LAS negotiates with HIP Proxy and issues a certificate binding temporary identity and permanent identity together. Legacy host initiates connection to a peer host HIP Proxy intercepts, runs connection establishment protocol with the peer host using identity certificate Traffic flows between legacy host and peer host

11 Weaknesses Network access divided into two parts with different (security) properties access network (i.e. legacy host to HIP proxy) access network (i.e. legacy host to HIP proxy) core network (i.e. HIP proxy to peer host) core network (i.e. HIP proxy to peer host) Access network is insecure Security depends on the legacy host Security depends on the legacy host Identification in the access network Identification in the access network

12 Security problems HIP proxy Uses legacy host’s identity to do bad things Uses legacy host’s identity to do bad things Target for hacking attacks Operators may certify HIP proxies Operators may certify HIP proxies LAS configured to issue identity binding certificates only to trusted HIP proxies Certificate revocation Lifetimes Lifetimes The peer host must explicitly check from the CA The peer host must explicitly check from the CA The peer host could subscribe for revocation info at the LAS of the certificate Name resolution No DNSSEC or alike No DNSSEC or alike HIP proxy needs to tamper the DNS queries/replies

13 Conclusion Allows legacy hosts to communicate with “full-featured” hosts Allows the peer hosts to associate the legacy host with proper host identity Allows certain type of network mobility for legacy hosts An opportunistic security solution

Download ppt "“Secure” migration to host identity based networks Kristian Slavov, Patrik Salmela Ericsson Research, NomadicLab NordicHIP 9.10.2007."

Similar presentations

Secure Internet Solutions Geoff Huston Chief Scientist, Internet Telstra.

Secure Internet Solutions Geoff Huston Chief Scientist, Internet Telstra.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.

Unlicensed Mobile Access (UMA) Dasun Weerasinghe School of Engineering and Mathematical Sciences City University London.
Www.opendaylight.org Secure Network Bootstrapping Infrastructure May 15, 2014.

Secure Network Bootstrapping Infrastructure May 15, 2014.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.

Academia Sinica Grid Computing Certification Authority (ASGCCA) Yuan, Tein Horng Academia Sinica Computing Centre 13 June 2003.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference 2006 9 th November, 2006.

Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference th November, 2006.
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.

Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
1 Internet Networking Spring 2004 Tutorial 1 Subnetting and CIDR Proxy ARP.

1 Internet Networking Spring 2004 Tutorial 1 Subnetting and CIDR Proxy ARP.
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.
Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution of public keys –use of public-key.

Key Management public-key encryption helps address key distribution problems have two aspects of this: –distribution of public keys –use of public-key.
Chapter 13 Mobile IP. Outline  ADDRESSING  AGENTS  THREE PHASES  AGENT DISCOVERY  REGISTRATION  DATA TRANSFER  INEFFICIENCY IN MOBILE IP.

Chapter 13 Mobile IP. Outline  ADDRESSING  AGENTS  THREE PHASES  AGENT DISCOVERY  REGISTRATION  DATA TRANSFER  INEFFICIENCY IN MOBILE IP.
Lesson 17 – UNDERSTANDING OTHER NETWARE SERVICES.

Lesson 17 – UNDERSTANDING OTHER NETWARE SERVICES.

Similar presentations

Ads by Google