Presentation is loading. Please wait.

Presentation is loading. Please wait.

Host Identifier Revocation in HIP draft-irtf-hiprg-revocation-01 Dacheng Zhang IETF 79.

Published byJade Magdalene Pierce Modified over 7 years ago

Similar presentations

Presentation on theme: "Host Identifier Revocation in HIP draft-irtf-hiprg-revocation-01 Dacheng Zhang IETF 79."— Presentation transcript:

1 Host Identifier Revocation in HIP draft-irtf-hiprg-revocation-01 Dacheng Zhang IETF 79

2 Introduction Host identities are critical in generating transient key for communicating between two hosts After a HI is not secure enough any more, it will be revoked and refreshed. This draft tries to discuss the issues with key revocation and potential solutions in HIP architectures.

3 Changes Since the Last Meeting Mention the delta CRL in section Add the discussion of extending RVSes to support key revocation. –When a user revoked it key, it needs to inform the revocation and the new key to its RVS –If a host tries to use antique HIT to access the user, RVS will inform the host Correct typos

4 Investigation in HIP Proxies draft-irtf-hiprg-proxies-01 Dacheng Zhang IETF 79

5 Introduction HIP proxies play an important role in the transition from the current Internet architecture to the HIP architecture. There are various design options of HIP proxies, each of them has advantages and limitations respectively This draft tries to classify different implementations of HIP proxies and compare their performance in different high available scenarios

6 Changes Since the Last Meeting Correct typos Analyze the solutions of separating the DNS related functions from proxies and integrating them into DNS resolvers.

7 Taxonomy DNS lookups Intercepting Proxies (DI proxies) –DI1 proxies, which insert HIT in the AAAA records of DNS answers –DI2 proxies, which insert IP addresses from its IP address pool in the AAAA records of DNS answers –DI3 proxy, which only obtain information from DNS lookups but do not modify them Non-DNS lookups Intercepting Proxies (N-DI proxies)

8 DNS Resolvers Supporting DI1 Proxies A resolver extended to support a DI1 proxy returns HITs in DNS answers to ML hosts. –The resolver needs to transfer other information (e.g, IP addresses of the HIP hosts and RVSes) of the HIP hosts to the associated DI1 proxy

9 DNS Resolvers Supporting DI2 Proxies A resolver extended to support a DI2 proxy returns the IP addresses in the address pool of the DI2 proxy in DNS answers to ML hosts. –The resolver needs to transfer other information (e.g, IP addresses of the HIP hosts, the IP addresses in the pool which is assigned to the hosts, and RVSes) of the HIP hosts to the DI2 proxy –Maintain the mapping information so as to avoid associated multiple HIs with a single IP address

10 DNS Resolvers Supporting DI1 Proxies Only transfer other information (e.g, IP addresses of the HIP hosts and RVSes) of the HIP hosts to the associated DI3 proxy

11 An issue with DI1 and DI3 Proxies Legacy Host in a private network HIP Proxy1 HIP Proxy2 HIP host in the public network DNS server When there are multiple DI proxies are deployed at the border of a private network, it is difficult to guarantee a proxy intercepting DNS lookups can deal with subsequent communication.

12 An issue with DI1 and DI3 Proxies Legacy Host in a private network HIP Proxy1 HIP Proxy2 HIP host in the public network DNS resolver DNS resolver can forward the information of HIP hosts to the proper HIP proxy.

13 Extensions of Host Identity Protocol (HIP) with Hierarchical Information draft-xu-hip-hierarchical-01 Dacheng Zhang IETF 79

14 Introduction Hierarchy in an effective way to reduce the complexity in designing and managing complex distributed systems With hierarchical information, different ID management systems will get clear boundaries, which is compatible with reasonable business models This draft attempts to analyse the issues and solutions in integrating hierarchical information into HIP architectures.

15 Changes Since the Last Meeting Correct typos list some possible attacks on hierarchical HITs Intrusion: Generation of HITs belonging to some organization. Substitution: An attacker tries to use the HIT already existed in the organization. Accumulation: Valid HITs can be prepared in advance, i.e., collected in a database. Polutions on DNS and DHT servers DOS attacks on DNS and DHT servers

16 Any comments will be more than welcomed

Download ppt "Host Identifier Revocation in HIP draft-irtf-hiprg-revocation-01 Dacheng Zhang IETF 79."

Similar presentations

Hierarchical Routing Architecture Introduction draft-xu-rrg-hra-00.txt Routing Research Group Xiaohu XU

Hierarchical Routing Architecture Introduction draft-xu-rrg-hra-00.txt Routing Research Group Xiaohu XU
2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.

2.1 Installing the DNS Server Role Overview of the Domain Name System Role Overview of the DNS Namespace DNS Improvements for Windows Server 2008 Considerations.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 4: Addressing in an Enterprise Network Introducing Routing and Switching in the.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 4: Addressing in an Enterprise Network Introducing Routing and Switching in the.
Name Resolution Domain Name System.

Name Resolution Domain Name System.
LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL Presented by Chaithra H.T.

LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL Presented by Chaithra H.T.
IETF82, TAIWAN Meilian LU, Xiangyang GONG, Wendong WANG

IETF82, TAIWAN Meilian LU, Xiangyang GONG, Wendong WANG
Multiple Provisioning Domain (MPVD) Architecture status & next steps Dmitry Anipko (architecture document editor) IETF 89 MIF WG London, March 6 th 2014.

Multiple Provisioning Domain (MPVD) Architecture status & next steps Dmitry Anipko (architecture document editor) IETF 89 MIF WG London, March 6 th 2014.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Addressing in an Enterprise Network Introducing Routing and Switching in the.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Addressing in an Enterprise Network Introducing Routing and Switching in the.
Security Requirements of NVO3 draft-hartman-nvo3-security-requirements-01 S. Hartman M. Wasserman D. Zhang 1.

Security Requirements of NVO3 draft-hartman-nvo3-security-requirements-01 S. Hartman M. Wasserman D. Zhang 1.
Page 1 Active Directory and DNS Lecture 2 Hassan Shuja 09/14/2004.

Page 1 Active Directory and DNS Lecture 2 Hassan Shuja 09/14/2004.
2004-12-01 HIP proxy Patrik Salmela. 2004-12-01 2 Contents Background: ID-locator split HIP Why a HIP proxy Functionality of a HIP proxy The prototype.

HIP proxy Patrik Salmela Contents Background: ID-locator split HIP Why a HIP proxy Functionality of a HIP proxy The prototype.
Approaches to Multi6 An Architectural View of Multi6 proposals Geoff Huston March 2004.

Approaches to Multi6 An Architectural View of Multi6 proposals Geoff Huston March 2004.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 11: Network Address Translation for IPv4 Routing And Switching.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 11: Network Address Translation for IPv4 Routing And Switching.
CSE 461 Section. Port numbers for applications MAC addresses for hardware IP addresses for a way to send data in a smart, routable way.

CSE 461 Section. Port numbers for applications MAC addresses for hardware IP addresses for a way to send data in a smart, routable way.
Domain Name System: DNS To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the Connection of a host to the Internet.

Domain Name System: DNS To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the Connection of a host to the Internet.
DNS Security Risks Section 0x02. Joke/Cool thing traceroute 216.81.59.173 traceroute 216.81.59.173 https://www.youtube.com/watch?v=5_dRqPLP1d c https://www.youtube.com/watch?v=5_dRqPLP1d.

DNS Security Risks Section 0x02. Joke/Cool thing traceroute traceroute c
Understand Names Resolution

Understand Names Resolution
Key management issues in PGP

Key management issues in PGP
DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to 131.179.192.144 DNS.

DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses E.g., thesiger.cs.ucla.edu translates to DNS.

Similar presentations

Ads by Google