Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication for TCP-based Routing and Management Protocols draft-bonica-tcp-auth-04.

Published byMoris Jennings Modified over 9 years ago

Similar presentations

Presentation on theme: "Authentication for TCP-based Routing and Management Protocols draft-bonica-tcp-auth-04."— Presentation transcript:

1 Authentication for TCP-based Routing and Management Protocols draft-bonica-tcp-auth-04

2 Motivation Many operators do not authenticate TCP based routing protocols –BGP, LDP Current BCP (RFC 2385) does not fulfill operator requirement

3 Concerns Regarding RFC 2385 CPU utilization –Not addressed in the current memo Key management –Keys need to be refreshed periodically –Key refresh (typically) requires session reset Weak cryptography –There are many well-know attacks on MD5

4 Approach Better TCP-layer authentication –Enhanced TCP Authentication Option Hitless key rollover –Key chains configured on peer systems –Key Identifiers Stronger cryptography –CMAC-AES-128-96 –HMAC-SHA-1-89

5 Alternative Approaches TLS –Does not protect TCP session, itself IPSec –Perception of operational complexity –Coordination issues for pre-shared key rollover –Protection of PKI certificates –Otherwise, a feasible approach

6 Enhanced Authentication Option 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Kind | Length |T|K| Alg ID |Res| Key ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Authentication Data | | // | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

7 Key Chain Contains up to 64 keys Each key contains –Identifier [0..63] –Authentication Algorithm –Shared secret –Vector [in|out|both] –Start and end time for sending –Start and end time for receiving

8 Sending System Procedure Identify active key candidates –vector == out || vector == both –Start-time for sending <= system-time –End-time for sending > system time If there are no candidates, log event and discard outbound packet If there are multiple candidates, select key with most recent start-time for sending

9 Sending System Procedure (continued) Calculate MAC using active key –Calculate over TCP pseudo-header, TCP header and TCP payload –By default, include TCP options Format Enhanced Authentication Option –Active key identifier –Flags –Message Authentication Code (MAC) –Authentication Identifier

10 Receiving System Procedure Lookup key specified by TCP Option Determine whether that key is eligible –Vector == in || vector == both –Start-time for receiving <= system time –End-time for receiving > end time Calculate MAC If calculated MAC is equal to received MAC, accept datagram

11 Authentication Error Procedure Discard datagram Log DO NOT send indication to originator

12 Coming Soon Automated session key distribution –Draft-weis-tcp-auth-auto-ks

13 Co-authors and Contributors Ron Bonica (Juniper) Brian Weis (Cisco) Sriram Viswanathan (Cisco) Andrew Lange (Alcatel) Owen Wheeler (BT) Chandrashekhar Appanna (Cisco) Andy Heffernan (Juniper) Kapil Jain (Juniper) David McGrew (Cisco)

Download ppt "Authentication for TCP-based Routing and Management Protocols draft-bonica-tcp-auth-04."

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
Web security: SSL and TLS

Web security: SSL and TLS
 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.

 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Routing Security Capabilities draft-zhao-opsec-routing-capabilities-02.txt OPSEC WG, IETF #66.

Routing Security Capabilities draft-zhao-opsec-routing-capabilities-02.txt OPSEC WG, IETF #66.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Border Gateway Protocol Ankit Agarwal Dashang Trivedi Kirti Tiwari.

Border Gateway Protocol Ankit Agarwal Dashang Trivedi Kirti Tiwari.
ISAKMP RFC 2408 Internet Security Association & Key Management Protocol Protocol Establish, modify, and delete SAs Negotiate crypto keys Procedures Authentication.

ISAKMP RFC 2408 Internet Security Association & Key Management Protocol Protocol Establish, modify, and delete SAs Negotiate crypto keys Procedures Authentication.
Network Layer Security: IPSec

Network Layer Security: IPSec
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
IPsec Internet Headquarters Branch Office SA R1 R2

IPsec Internet Headquarters Branch Office SA R1 R2
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
Network Layer Packet Forwarding IS250 Spring 2010

Network Layer Packet Forwarding IS250 Spring 2010

Similar presentations

Ads by Google