Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 OSPFv3 Automated Group Keying Requirements draft-liu-ospfv3-automated-keying-req-01.txt Ya Liu, Russ White,

Published byJob Martin Modified over 8 years ago

Similar presentations

Presentation on theme: "1 OSPFv3 Automated Group Keying Requirements draft-liu-ospfv3-automated-keying-req-01.txt Ya Liu, Russ White,"— Presentation transcript:

1 1 OSPFv3 Automated Group Keying Requirements draft-liu-ospfv3-automated-keying-req-01.txt Ya Liu, liuya@huawei.comliuya@huawei.com Russ White, riw@cisco.comriw@cisco.com Brian Weis, bew@cisco.combew@cisco.com Michael Barnes, mjbarnes@cisco.commjbarnes@cisco.com IETF 69, 22th Jul 2007, Chicago

2 2 Problem Statement GSA (Group SA) is used to provide the multicast security for OSPFv3 broadcast interfaces, e.g., Ethernet interfaces, to achieve the best scalability. However, only Manual Keying method is recommended. This method is neither scalable nor secure. –Please refer to RFC4552 for more details. On the other hand, it is feasible to implement automated group keying for OSPFv3 IPsec using standard MSEC GKM protocols. –Please refer to IETF MSEC WG for more details. IETF 69, 22th Jul 2007, Chicago

3 3 Aspects to Think About … Common requirements include authorizations & authentication of routers, secure distribution of GSA, storing capability of GSA context, etc. The most important issue is how to set up the GC/KS. –MSEC GKM protocols, such as GSAKMP and GDOI, are based on a client/server model. This means these protocols rely on reachability between clients and servers for the clients to obtain the group SA from the key server. In this case, the GKM is providing protection for OSPF, which is an essential component in providing reachability between the clients and servers. Hence, the client/server model breaks down in this situation. –To overcome this problem, the group SA must be locally available to each group member (each OSPFv3 router). –Possible deployment scenarios and their specific requirements are presented in following slides. IETF 69, 22th Jul 2007, Chicago

4 4 Scenario 1: Decentralized Physical GCKSs A physical GCKS is deployed on every multicast network, and provides group keying service for only its local neighbors. Issues: –It is cost expensive. –It suffers from single point of GCKS failure. –It is hard to manage. –It suffers from new joiner issue. GCKS IETF 69, 22th Jul 2007, Chicago

5 5 Scenario 2: Decentralized Logical GCKSs The GCKS is hosted by a router and provides group keying service for only its local neighbors. Issues: –It is hard to manage. –A GCKS selection mechanism is necessary here. –Authentication & authorization of GCKS. –It suffers from new joiner issue. GCKS IETF 69, 22th Jul 2007, Chicago

6 6 Scenario 3: Decentralized KSs, Centralized GC The logical KS is hosted by a router and provides group keying service for only its local neighbors. A single GC (Group Controller) is used for pushing policy and authorization to each KS Issues: –It suffers from bootstrapping issue. –A KS selection mechanism is necessary here. –Authorization and Authentication of KS. –It suffers from new joiner issue. GC KS IETF 69, 22th Jul 2007, Chicago

7 7 Scenario 4: Decentralized Delegates, Centralized GCKS Delegate is a logical role. it is deployed on every multicast network, and is responsible for relaying GSA messages between the GCKS and local group members. Issues: –It suffers from bootstrapping issue. –A delegate selection mechanism is necessary here. –Authorization and Authentication of delegate. –It suffers from new joiner issue. GCKS … Delegate IETF 69, 22th Jul 2007, Chicago

8 8 Next Step Need more comments and feedback from OSPF, RPSEC, and MSEC WGs. Accept this draft as a WG I-D? IETF 69, 22th Jul 2007, Chicago

9 9 Comments? Thanks! IETF 69, 22th Jul 2007, Chicago

Download ppt "1 OSPFv3 Automated Group Keying Requirements draft-liu-ospfv3-automated-keying-req-01.txt Ya Liu, Russ White,"

Similar presentations

Oct, 26 th, 2010 OGF 29, FVGA-WG: Firewall Virtualization for Grid Applications Firewall Virtualization for Grid Applications - Status update

Oct, 26 th, 2010 OGF 29, FVGA-WG: Firewall Virtualization for Grid Applications Firewall Virtualization for Grid Applications - Status update
Router Identification Problem Statement J.W. Atwood 2008/03/11

Router Identification Problem Statement J.W. Atwood 2008/03/11
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
OSPF Two-part Metrics Jeffrey Zhang Lili Wang Juniper Networks 88 th IETF, Vancouver.

OSPF Two-part Metrics Jeffrey Zhang Lili Wang Juniper Networks 88 th IETF, Vancouver.
Www.opendaylight.org Secure Network Bootstrapping Infrastructure May 15, 2014.

Secure Network Bootstrapping Infrastructure May 15, 2014.
NORM PI Update draft-ietf-rmt-pi-norm-revised-04 68th IETF - Prague Brian Adamson NRL.

NORM PI Update draft-ietf-rmt-pi-norm-revised-04 68th IETF - Prague Brian Adamson NRL.
11/07/2003IETF-58 MSEC and AAA page 1 George Gross, IdentAware ™ Security IETF-58, Minneapolis, MN November 10 th 2003 Multicast.

11/07/2003IETF-58 MSEC and AAA page 1 George Gross, IdentAware ™ Security IETF-58, Minneapolis, MN November 10 th 2003 Multicast.
OSPF WG – IETF 68 - Prague OSPF WG Document Candidates Acee Lindem/Redback Networks.

OSPF WG – IETF 68 - Prague OSPF WG Document Candidates Acee Lindem/Redback Networks.
Sepucha_Date_01 Group Key Management Architecture Howie Weiss NASA/JPL/SPARTA

Sepucha_Date_01 Group Key Management Architecture Howie Weiss NASA/JPL/SPARTA
Using Digital Credentials On The World-Wide Web M. Winslett.

Using Digital Credentials On The World-Wide Web M. Winslett.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
RFC 2131 DHCP. Dynamic Host Configuration Protocol.

RFC 2131 DHCP. Dynamic Host Configuration Protocol.
Automatic Router Configuration Protocol (ARCP) v1.1, 18 Nov. 2002 Jeb Linton, EarthLink

Automatic Router Configuration Protocol (ARCP) v1.1, 18 Nov Jeb Linton, EarthLink
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 9 Network Policy and Access Services in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 9 Network Policy and Access Services in Windows Server 2008.
Host Identity Protocol

Host Identity Protocol
IPv6 Site Renumbering Gap Analysis draft-liu-6renum-gap-analysis-01 draft-liu-6renum-gap-analysis-01 Bing Liu Sheng Jiang IETF July 2011 1.

IPv6 Site Renumbering Gap Analysis draft-liu-6renum-gap-analysis-01 draft-liu-6renum-gap-analysis-01 Bing Liu Sheng Jiang IETF July
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 5: Adjust and Troubleshoot Single- Area OSPF Scaling Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 5: Adjust and Troubleshoot Single- Area OSPF Scaling Networks.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
EAP Bluetooth Extension Draft-kim-eap-bluetooth-00 Hahnsang Kim (INRIA), Hossam Afifi (INT), Masato Hayashi (Hitachi)

EAP Bluetooth Extension Draft-kim-eap-bluetooth-00 Hahnsang Kim (INRIA), Hossam Afifi (INT), Masato Hayashi (Hitachi)
7/14/2003IETF57 PANA enabling IPsec based Access control draft-mohanp-pana-ipsec-00.txt Mohan Parthasarathy Tahoe Networks - Presented by Hannes Tschofenig.

7/14/2003IETF57 PANA enabling IPsec based Access control draft-mohanp-pana-ipsec-00.txt Mohan Parthasarathy Tahoe Networks - Presented by Hannes Tschofenig.

Similar presentations

Ads by Google