Presentation is loading. Please wait.

Presentation is loading. Please wait.

IP Multicast Receiver Access Control draft-atwood-mboned-mrac-req draft-atwood-mboned-mrac-arch.

Published byJanis Baker Modified over 8 years ago

Similar presentations

Presentation on theme: "IP Multicast Receiver Access Control draft-atwood-mboned-mrac-req draft-atwood-mboned-mrac-arch."— Presentation transcript:

1 IP Multicast Receiver Access Control draft-atwood-mboned-mrac-req draft-atwood-mboned-mrac-arch

2 Overview  Exploring the area of Receiver Access Control for IP Multicast  Subtitle: Making money using IP Multicast  Covers some of the same concerns as those of the “well-managed multicast” work that was presented in MBONED four years ago  much smaller scope of interest  MBONED: “application” level drafts  PIM: “network” level drafts 2014-07-24IETF 90-MBONED2

3 Trust Relationships: Unicast 2014-07-24IETF 90-MBONED3 CP CS EUD EU EUD EU NSP Purchasing Data Delivery

4 Trust Relationships: Multicast 2014-07-24IETF 90-MBONED4 CP CS EUD EU EUD EU NSP Purchasing Data Delivery

5 Trust Relationships: Multicast, Re-established 2014-07-24IETF 90-MBONED5 CP CS EUD EU EUD EU NSP NSP Representative Purchasing Data Delivery

6 Problem Size: mboned-maccnt-req 2014-07-24IETF 90-MBONED6 CP EUD EU EUD EU CP NSP AAA QoS Constraint: only one user on a physical link Covers various business models Purchasing Data Delivery

7 Problem Size: Other work in my lab 2014-07-24IETF 90-MBONED7 CP EUD EU EUD EU NSP AAA MR FI No QoS General business model N users on link Purchasing Data Delivery

8 Two Assumptions  The End User (EU) acquires a “ticket” from the Merchant (or anyone else) containing:  Session Descriptor  Secure End User authentication  Possibly, an encryption key for the data stream  The “Network Representative” has information on how to validate a “ticket” or assess the authorization of the EU or EU Device  This makes the discussion today independent of the business model in use by the NSP and/or CP  It restricts the scope of the work 2014-07-24IETF 90-MBONED8

9 Problem Size: Today’s Discussion 2014-07-24IETF 90-MBONED9 CP EUD EU EUD EU CP NSP AAA MR FI Purchasing Data Delivery

10 Two levels of interaction  Application Level  EU presents the “ticket”  Goal: Join the group  Network Level  End User Device issues IGMP/MLD  To ensure that only legitimate subscribers get access  MUST be secure at Application Level  MUST be secure at Network Level 2014-07-24IETF 90-MBONED10

11 Two Approaches  Solution 1  Carry the “ticket” in an extended network-level join exchange The security of the two levels is implied by the fact that they are carried in a single level of message exchanges, which are secured  Solution 2  Provide separate secure application level join and secure network level join functions, along with a method for explicitly coordinating them 2014-07-24IETF 90-MBONED11

12 Extending IGMP  Long history of attempts to extend IGMP  All of them abandoned  All were “restricted” solutions Based on a particular version of IGMP, -OR- Proposed a limited set of authorization methods  A list of citations is in the draft  None of these attempts considered “accounting” specifically 2014-07-24IETF 90-MBONED12

13 Securing IGMP/MLD  One IRTF Internet Draft on securing IGMP  Once a device established a secure relationship with its router, it was allowed to send a join for any group.  RFC 3376 suggests using AH to secure IGMP packets  RFC 3810 is silent on the issue of securing MLD packets  None of these attempts considered “accounting” specifically  No need to deploy the solution if accounting is unnecessary! 2014-07-24IETF 90-MBONED13

14 Goals  List the requirements on a set of mechanisms that  allow the Network Service Provider to act on behalf of the Content Provider  meet the access control and revenue generation goals  remain as independent as possible from the specific business model in use  Specify an architecture that meets these goals 2014-07-24IETF 90-MBONED14

15 Approach  We explore Solution 2  Separate joins and explicit coordination  Thus, the constraints fall naturally into three categories:  Application-level constraints  Network-level constraints  Interaction constraints 2014-07-24IETF 90-MBONED15

16 Requirements  Application level constraints  Authenticating and Authorizing Multicast End Users  Group Membership and Access Control  Independence of Authentication and Authorization Procedures  Re-authentication and Re-authorization  Accounting  Multiple Sessions on One Device  Multiple Independent Sessions on a LAN  Application Level Interaction must be Secured 2014-07-24IETF 90-MBONED16

17 Requirements..2  Network level constraints  Maximum Compatibility with MLD and IGMP  Group Membership and Access Control  Minimal Modification to MLD/IGMP  Multiple Network Level Joins for End User Device  NSP Representative Differentiates Multiple Joins  Network Level Interaction must be Secured 2014-07-24IETF 90-MBONED17

18 Requirements..3  Interaction constraints  Coupling of Network and Application Level Controls  Separation of Network Access Controls from Group Access Controls 2014-07-24IETF 90-MBONED18

19 Building Blocks  AAA: A general framework for managing access to networks, based on RADIUS and Diameter  EAP: A general framework for negotiating a method for authenticating users  Some methods allow mutual authentication  Typically used for access to the “entire network”  Can be adapted to manage access to multicast groups 2014-07-24IETF 90-MBONED19

20 Building Blocks..2  PANA: A “lower layer” for EAP, between the EUD and the NSP  Can be used to create a key, known to the PANA Client (PaC) and the PANA Authentication Server (PAA) (= NSP Representative)  Enforcement is done by an Enforcement Point (EP)  IGMP/MLD: Network-level access control for IP Multicast  Unsecured (in standard multicast) 2014-07-24IETF 90-MBONED20

21 Building Blocks..3  IP Security (IPsec): Protocols and methods for establishing the authenticity, integrity, and other cryptographic properties of IP datagrams  Can be used to secure IGMP/MLD  We call this secure form of IGMP/MLD Secure IGMP (SIGMP) or Secure MLD (SMLD) 2014-07-24IETF 90-MBONED21

22 Architecture 2014-07-24IETF 90-MBONED22 EUD EU EUD EU NSP PAA Q/EP PANA(EAP) SIGMP DR PAA Q/EP PANA(EAP) SIGMP DR AAAS Diameter(EAP) Purchasing Data Delivery

23 Environment: Network Segment for Multicast 2014-07-24IETF 90-MBONED23 Q NQ EU1 EU2 EU3

24 Environment: Add EAPS and PAA 2014-07-24IETF 90-MBONED24 Q NQ EU1 EU2 EU3 EAPS AAAS PAA

25 Environment: Locate EAP participants 2014-07-24IETF 90-MBONED25 Q NQ EU1 EU2 EU3 EAPS AAAS PAA EAP Server EAP Authen- ticator EAP Peer

26 Environment: Show EAP Transport 2014-07-24IETF 90-MBONED26 Q NQ EU1 EU2 EU3 EAPS AAAS PAA EAP Server EAP Authen- ticator EAP Peer Diameter PANA

27 Enforcement Points  The PAA is the negotiator for the network end of the PANA session  The PaC is the negotiator for the user end of the PANA session  In general, the PAA will have one or more Enforcement Points (EP) under its control  For general network access control, the EP may well be a switch  For our application, the EP must be the Querier (Q) for that network segment. If a snooping IGMP switch is present, we may need to adjust this. 2014-07-24IETF 90-MBONED27

28 Environment: Show EPs 2014-07-24IETF 90-MBONED28 Q NQ EU1 EU2 EU3 EAPS AAAS PAA EAP Server EAP Authen- ticator EAP Peer Diameter PANA AAAS NAS PAA PaC EP1 EP2

29 Master Session Key  From EAP negotiation, a Master Session Key (MSK) becomes known to the EAPS and the EU.  The EAPS forwards a copy to the PAA using Diameter. 2014-07-24IETF 90-MBONED29

30 EAP: MSK 2014-07-24IETF 90-MBONED30 Q NQ EU1 EU2 EU3 EAPS AAAS PAA EAP Server EAP Authen- ticator EAP Peer Diameter PANA AAAS NAS PAA PaC EP1 EP2 MSK

31 EAP: MSK copied to PAA 2014-07-24IETF 90-MBONED31 Q NQ EU1 EU2 EU3 EAPS AAAS PAA EAP Server EAP Authen- ticator EAP Peer Diameter PANA AAAS NAS PAA PaC EP1 EP2 MSK

32 PaC-EP Master Key  The PAA uses the MSK and EP-specific information to compute a PaC-EP Master Key (PEMK) for each EP.  It sends the corresponding key to each of the EPs, along with information identifying the multicast group and the EU address. 2014-07-24IETF 90-MBONED32

33 PAA sends PEMK to EPs 2014-07-24IETF 90-MBONED33 Q NQ EU1 EU2 EU3 EAPS AAAS PAA EAP Server EAP Authen- ticator EAP Peer Diameter PANA AAAS NAS PAA PaC EP1 EP2 MSK PEMK_1 PEMK_2

34 Multicast Session Specific Key  Each EP combines its PEMK with information about the EU address and the specific multicast session, to produce a Multicast Session Specific Key (MSSK).  At the EU, given that the EP is known to be Q, and given the MSK and the specific multicast group, the EU can calculate the same MSSK.  The EP and the EU now have a shared key that they can use to establish the EU’s right to join the multicast group. 2014-07-24IETF 90-MBONED34

35 EPs compute MSSK; EUs compute PEMK and MSSK 2014-07-24IETF 90-MBONED35 Q NQ EU1 EU2 EU3 EAPS AAAS PAA EAP Server EAP Authen- ticator EAP Peer Diameter PANA AAAS NAS PAA PaC EP1 EP2 MSK PEMK_1 PEMK_2 MSSK_1.1 PEMK_1 MSSK_1.1

36 Open vs Secure Groups  Open Group  No access controls  Operations will follow standard IP multicast rules (3376 or 3810)  Secure Group  Access controls to prevent an unauthorized EU from accessing the group  Additional operations are needed  IGMP/MLD exchanges are protected with IPsec, using the derived keys 2014-07-24IETF 90-MBONED36

37 Multicast Security Associ- ations for Secure IGMP  Many distinct Multicast Security Associations are required on each network segment:  One with Q as the sender, and NQ plus the admitted members as receivers  One for each legitimate participant EU, with the EU as the sender, and NQ plus Q as the receivers  All are uni-directional, as defined in RFC5374  These are negotiated using GSAM, and used by Secure IGMP (SIGMP) (or Secure MLD, for v6) 2014-07-24IETF 90-MBONED37

38 Results  Secure Authentication of the End User  Authorization is then possible using standard AAA interactions within the NSP  A shared key is generated, which can be used to derive the necessary keys for protecting the IGMP/MLD exchanges 2014-07-24IETF 90-MBONED38

39 Documents: Issued  MRAC Requirements  draft-atwood-mboned-mrac-req  MRAC Architecture  draft-atwood-mboned-mrac-arch  Secure IGMP  draft-atwood-pim-sigmp  GSAM (coordination of Secure IGMP end points)  draft-atwood-pim-gsam 2014-07-24IETF 90-MBONED39

40 Documents: To Come  Using PANA+EAP to achieve the MRAC  Secure MLD 2014-07-24IETF 90-MBONED40

41 Next Steps  Request for feedback (on the list or elsewhere)  If this work is found useful, we request a liaison statement to PIM WG asking for the SIGMP/SMLD work to be done. 2014-07-24IETF 90-MBONED41

42 Thank You! 2014-07-24IETF 90-MBONED42 Questions?

Download ppt "IP Multicast Receiver Access Control draft-atwood-mboned-mrac-req draft-atwood-mboned-mrac-arch."

Similar presentations

Doc.: IEEE 802.11-04/1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,

Doc.: IEEE /1186r0 Submission October 2004 Aboba and HarkinsSlide 1 PEKM (Post-EAP Key Management Protocol) Bernard Aboba, Microsoft Dan Harkins,
Push Technology Humie Leung Annabelle Huo. Introduction Push technology is a set of technologies used to send information to a client without the client.

Push Technology Humie Leung Annabelle Huo. Introduction Push technology is a set of technologies used to send information to a client without the client.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Secure and Accountable AMT. AMT is not secure  Possible for an intruder to force disconnection of an AMT Gateway  Just issue AMT Membership update Leave/Done.

Secure and Accountable AMT. AMT is not secure  Possible for an intruder to force disconnection of an AMT Gateway  Just issue AMT Membership update Leave/Done.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman

Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman
Multicast Communication

Multicast Communication
IPv4-Embedded IPv6 Multicast Address draft-ietf-mboned-64-multicast-address-format IETF 84 Vancouver 1.

IPv4-Embedded IPv6 Multicast Address draft-ietf-mboned-64-multicast-address-format IETF 84 Vancouver 1.
Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.

Faten Yahya Ismael.  It is technology creates a network that is physically public, but virtually it’s private.  A virtual private network (VPN) is a.
Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.
Host Identity Protocol

Host Identity Protocol
Study of the Relationship between Peer to Peer Systems and IP Multicasting From IEEE Communication Magazine January 2003 學號 :M9129017 姓名 : 邱 秀 純.

Study of the Relationship between Peer to Peer Systems and IP Multicasting From IEEE Communication Magazine January 2003 學號 :M 姓名 : 邱 秀 純.
Wireless and Email Security CSCI 5857: Encoding and Encryption.

Wireless and Security CSCI 5857: Encoding and Encryption.
Chapter 13 – Network Security

Chapter 13 – Network Security
Issues to Consider w.r.t Protocol Solution - IETF54 -

Issues to Consider w.r.t Protocol Solution - IETF54 -
7/14/2003IETF57 PANA enabling IPsec based Access control draft-mohanp-pana-ipsec-00.txt Mohan Parthasarathy Tahoe Networks - Presented by Hannes Tschofenig.

7/14/2003IETF57 PANA enabling IPsec based Access control draft-mohanp-pana-ipsec-00.txt Mohan Parthasarathy Tahoe Networks - Presented by Hannes Tschofenig.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
CSC 600 Internetworking with TCP/IP Unit 8: IP Multicasting (Ch. 17) Dr. Cheer-Sun Yang Spring 2001.

CSC 600 Internetworking with TCP/IP Unit 8: IP Multicasting (Ch. 17) Dr. Cheer-Sun Yang Spring 2001.
IGMP https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html.

IGMP

Similar presentations

Ads by Google