Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.opendaylight.org Secure Network Bootstrapping Infrastructure May 15, 2014.

Published byAngela Rhea Modified over 9 years ago

Similar presentations

Presentation on theme: "Www.opendaylight.org Secure Network Bootstrapping Infrastructure May 15, 2014."— Presentation transcript:

1 www.opendaylight.org Secure Network Bootstrapping Infrastructure May 15, 2014

2 www.opendaylight.org  How do devices get initial secure IP connectivity?  Several southbound protocols assume IP connectivity exist for the control protocol (e.g. OpenFlow, Netconf,..)  How do we ensure devices associate with the “right” controller and get an appropriate IP address to do so? (Join a particular Domain)  How do we ensure connectivity to all the devices which have joined a particular domain ? (Reachability)  How do we ensure that devices once connected do not get silently swapped? (Security) Motivation: Secure Network Bootstrapping Infrastructure 2 FE 1 FE 3 FE 5 FE 6 FE 2 FE 4 C1C1 C1C1 C2C2 C2C2

3 www.opendaylight.org  Fully automatic: Incremental discovery and attachment of devices to a network domain  Manufacturer installed IEEE 802.1AR credentials for device identification  Automatic enrollment of certificates to devices to secure communication and device identity  Automatic assignment of IP-addresses  Virtual out-of-band channel (VOOBC) to connect devices – “hop-by-hop” tunneling  Scalable connectivity (e.g. no star topology overlay)  Routing over tunneled network ensures “always- on” reachability in case of topology changes. Approach Zero touch secure connectivity establishment FE 1 FE 3 FE 5 FE 6 FE 2 FE 4 C1C1 C1C1 C2C2 C2C2  Nice “side effects”:  Topology discovery  Virtual out-of-band channel can be used by other control protocols running between Controller and Forwarding Elements (e.g. Netconf, OpenFlow); i.e. we bootstrap the management network over which OpenFlow, Netconf, etc. can run X

4 www.opendaylight.org Key Components - Overview 4

5 www.opendaylight.org Automatic Network Bootstrapping 5 Can you connect me ? What’s your Identifier ? I have 802.1AR credentials Perfect, Let’s talk! Michael Controller Forwarding Element Registrar

6 www.opendaylight.org Domain Certificates 6 Domain Certificate Present credentials e.g 802.1AR Validate credentials e.g Against Local white list Controller Forwarding Element Registrar

7 www.opendaylight.org FE 2 Proxy Bootstrap Discovery Hello 802.1AR New Guy! 802.1AR Can you connect me ? Present your Credentials Please ? Controller Registrar FE 1

8 www.opendaylight.org Virtual Out Of Band Channel 8 1.Secure Tunnel Infra is created Hop by Hop. 2.Each Element gets a IPv6 ULA address (Hash of domain name and device number) 3.Enabling Routing over this Infra provides end-to-end connectivity Michael Forwarding Element FE2 Forwarding Element FE2 Forwarding Element FE1 Forwarding Element FE1 Controller Registrar Secure Tunnel 1 Secure Tunnel 2 Physical Link

9 www.opendaylight.org FE 1 FE 2 FE 8 FE 7 FE 9 FE 6 FE 5 FE 4 FE 3 SNBI Build-up … 9 Controller Registrar … automatic discovery of topology as side effect.

10 www.opendaylight.org  Controller  SNBI Registrar – Trust anchor of the domain  SNBI SB plugin – Device discovery/handshake, certificate distribution, virtual out of band channel  Forwarding Element  SNBI client/proxy - Device discovery/handshake, certificate distribution, virtual out of band channel  Portable foundation – Reference environment for forwarding element, using containers  Test environment for system test (controller and forwarding element) SNBI - Key Components 10

11 www.opendaylight.org  Project Proposal:Secure Network Bootstrapping Infrastructure Project Proposal:Secure Network Bootstrapping Infrastructure  SNBI draft release plan SNBI draft release plan  Project IRC channel on Freenode: #opendaylight-snbi http://webchat.freenode.net/?channels=opendaylight-snbi http://webchat.freenode.net/?channels=opendaylight-snbi References 11

12 www.opendaylight.org Q & A 12

13 www.opendaylight.org Details New device Domain edge device (proxy) SNBI Registrar Domain Discovery.1AR credential Device belongs to domain? Authorization token Domain information Domain enrollment Domain certificate Establish virtual out of band channel

14 www.opendaylight.org 1. The new device discovers the Domain. This starts with a search for a SNBI-Registrar. Contact to the SNBI-Registrar will typically be supplied via a “domain edge device” which is already part of the Domain, has the SNBI active, and acts as a proxy for the SNBI-Registrar. Discovery will first try to locate a “domain edge device” on the local link using neighbor discovery, in case this fails, it will try to obtain an address using DHCP and search for a registrar using DNS service discovery. If this is also not successful, it could search for a predefined, factory- provided global registrar using DNS. Note that the latter two methods already require some form of IP connectivity to the DNS server. 2. The new device presents its 802.1AR credentials to the discovered SNBI-Registrar. The message can be relayed by the “domain edge device” serving as proxy. 3. The SNBI-Registrar checks whether device belongs to the Domain. If true, invites the new device to join the “Domain” and provides it with a “device id”. 4. The new device validates the SNBI-Registrar signature in the invite message and, if valid, decides to join the domain. 5. After accepting the invite message, the new device generates a certificate signing request. It creates a public and private key. 6. The new device then initiates a “Boot strap request” message towards the registrar and provides a PKCS10, PKCS10_signature and the public key. 7. The SNBI-Registrar negotiates to enroll with a Certificate Authority (CA) using the SCEP protocol contained within the SNBI-Registrar component. 8. The result of the negotiation provides a “Domain certificate”, which is relayed from the SNBI-Registrar to the new device using a “Bootstrap response” message. 9. The device is now a member of the domain and will only repeat the discovery process if it is returned to factory default settings. 10. Once enrolled, the new device establishes a “virtual out-of-band channel” to the domain edge device, which connects it securely to the Domain and configures basic IP connectivity:  Create a loopback interface on the new device and assign it an address from an SNBI specific address prefix (e.g. combining the prefix with a hash of the device serial number and domain name).  Establish a secure tunnel between the new device and the domain-edge device.  Automatically configure a routing protocol (e.g. RPL) over the newly established tunnel.RPL Details 14

Download ppt "Www.opendaylight.org Secure Network Bootstrapping Infrastructure May 15, 2014."

Similar presentations

Router Identification Problem Statement J.W. Atwood 2008/03/11

Router Identification Problem Statement J.W. Atwood 2008/03/11
Proposal: Model-Driven SAL for the OpenDaylight Controller

Proposal: Model-Driven SAL for the OpenDaylight Controller
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
URP Usage Scenarios for NAS Yoshihiro Ohba August 2001 Toshiba America Research, Inc.

URP Usage Scenarios for NAS Yoshihiro Ohba August 2001 Toshiba America Research, Inc.
DHCPv6.

DHCPv6.
Neighbor Discovery for IPv6 Mangesh Kaushikkar. Overview Introduction Terminology Protocol Overview Message Formats Conceptual Model of a Host.

Neighbor Discovery for IPv6 Mangesh Kaushikkar. Overview Introduction Terminology Protocol Overview Message Formats Conceptual Model of a Host.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
Implementing IPv6 Module B 8: Implementing IPv6

Implementing IPv6 Module B 8: Implementing IPv6
IPv4 & IPv6 Coexistence & Migration Joe Zhao SW2 Great China R&D Center ZyXEL Communications, Inc.

IPv4 & IPv6 Coexistence & Migration Joe Zhao SW2 Great China R&D Center ZyXEL Communications, Inc.
Host Autoconfiguration ALTTC, Ghaziabad. IPv4 Address and IPv6 equivalents ALTTC, Ghaziabad.

Host Autoconfiguration ALTTC, Ghaziabad. IPv4 Address and IPv6 equivalents ALTTC, Ghaziabad.
IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.

IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
WAP Public Key Infrastructure CSCI 5939.02 – Independent Study Fall 2002 Jaleel Syed Presentation No 5.

WAP Public Key Infrastructure CSCI – Independent Study Fall 2002 Jaleel Syed Presentation No 5.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Lecture Week 7 Implementing IP Addressing Services.

Lecture Week 7 Implementing IP Addressing Services.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.

1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.

Similar presentations

Ads by Google