Presentation is loading. Please wait.

Presentation is loading. Please wait.

11/07/2003IETF-58 MSEC and AAA page 1 George Gross, IdentAware ™ Security IETF-58, Minneapolis, MN November 10 th 2003 Multicast.

Published byMartin Henderson Modified over 9 years ago

Similar presentations

Presentation on theme: "11/07/2003IETF-58 MSEC and AAA page 1 George Gross, IdentAware ™ Security IETF-58, Minneapolis, MN November 10 th 2003 Multicast."— Presentation transcript:

1 11/07/2003IETF-58 MSEC and AAA page 1 George Gross, IdentAware ™ Security gmgross@IdentAware.com IETF-58, Minneapolis, MN November 10 th 2003 Multicast Security with Authentication, Authorization, and Accounting (AAA)

2 11/07/2003IETF-58 MSEC and AAA page 2 What motivates MSEC/AAA? Large-scale secure multicast groups straddle administrative/business domain boundaries AAA enforces contractual relationships, generates data usable for service accounting Allows Service Provider to securely control their multicast transit routing service Enables dynamic MSEC groups with the Service Provider AAA as the broker

3 11/07/2003IETF-58 MSEC and AAA page 3 Relevant Background Reading RFC3588, Diameter base protocol spec RFC2904, generic authorization framework NASREQ Diameter application –ietf-draft-aaa-diameter-nasreq-13.txt next rev of generic policy token draft –msec-gspt-04.txt –missed the ID cut-off

4 11/07/2003IETF-58 MSEC and AAA page 4 GDOI Roaming Pull AAA Model Administrative Domain “B” Group Owner Z authorization Authentication Server Diameter AAA Server Grp. Controller Key Server Accounting Server GM Diameter AAA Server Subordinate GC/KS Accounting Server GM Administrative Domain “A” Diameter GDOI Diameter NASREQ+MSEC Secure multicast group “Z”

5 11/07/2003IETF-58 MSEC and AAA page 5 Observations about GDOI/AAA Can leverage existing IKE/ISAKMP AAA –Q: does the group member have a NAI? –Reasonable design: extend NASREQ Diameter application to handle GDOI Undefined how to add a S-GC/KS to group Issue: currently no way to separate KS from the S-GC role if the S-GC domain is not trusted with the group’s encryption key

6 11/07/2003IETF-58 MSEC and AAA page 6 GSAKMP Push AAA Model Administrative Domain “B” Group Owner Z authorization Certificate Authority Diameter AAA Server Grp. Controller Key Server Accounting Server GM Diameter AAA Server Subordinate GC/KS Accounting Server GM Administrative Domain “A” Diameter GSAKMP Diameter accounting Secure multicast group “Z” Policy token

7 11/07/2003IETF-58 MSEC and AAA page 7 GSAKMP/AAA Observations PKI based authentication only, no NAI Multicast policy token encodes membership authorization, acts as AAA service ticket Diameter back-end used for accounting Does not fit Diameter NASREQ model Like GDOI, can not withhold group key from S-GC in partially trusted domain

8 11/07/2003IETF-58 MSEC and AAA page 8 Future MSEC/AAA directions Need to separate the S-GC and key server roles in both GSAKMP and GDOI Introduce “generic” policy token attributes to encode multiple service authorizations –nesting the tokens will avoid layer violations –multicast PT is scalable, but it is not part of GDOI today, is this feasible to add? Long-term: Diameter extensions for MSEC

Download ppt "11/07/2003IETF-58 MSEC and AAA page 1 George Gross, IdentAware ™ Security IETF-58, Minneapolis, MN November 10 th 2003 Multicast."

Similar presentations

Authentication Authorization Accounting and Auditing

Authentication Authorization Accounting and Auditing
Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.
Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Adapted Multimedia Internet KEYing (AMIKEY): An extension of Multimedia Internet KEYing (MIKEY) Methods for Generic LLN Environments draft-alexander-roll-mikey-lln-key-mgmt-01.txt.

Adapted Multimedia Internet KEYing (AMIKEY): An extension of Multimedia Internet KEYing (MIKEY) Methods for Generic LLN Environments draft-alexander-roll-mikey-lln-key-mgmt-01.txt.
Router Identification Problem Statement J.W. Atwood 2008/03/11

Router Identification Problem Statement J.W. Atwood 2008/03/11
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Washinton D.C., November 2004 IETF 61 st – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena.

Washinton D.C., November 2004 IETF 61 st – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Authorization of a QoS path based on Generic AAA SC2002 Baltimore NOV 16-22 Bas van Oudenaarde Advanced Internet Research Group University of Amsterdam.

Authorization of a QoS path based on Generic AAA SC2002 Baltimore NOV Bas van Oudenaarde Advanced Internet Research Group University of Amsterdam.
PDC Enabling Science Grid Security Research Olle Mulmo.

PDC Enabling Science Grid Security Research Olle Mulmo.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
1 Role of Authorization in Wireless Network Security Pasi Eronen Jari Arkko November 3, 2004 This document has been produced partially in the context of.

1 Role of Authorization in Wireless Network Security Pasi Eronen Jari Arkko November 3, 2004 This document has been produced partially in the context of.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Sepucha_Date_01 Group Key Management Architecture Howie Weiss NASA/JPL/SPARTA

Sepucha_Date_01 Group Key Management Architecture Howie Weiss NASA/JPL/SPARTA
The EC PERMIS Project David Chadwick

The EC PERMIS Project David Chadwick
6/4/2015Page 1 Enterprise Service Bus (ESB) B. Ramamurthy.

6/4/2015Page 1 Enterprise Service Bus (ESB) B. Ramamurthy.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.
Group Secure Association Key Management Protocol (GSAKMP) Presented by Hugh Harney

Group Secure Association Key Management Protocol (GSAKMP) Presented by Hugh Harney
Introduction to Kerberos Kerberos and Domain Authentication.

Introduction to Kerberos Kerberos and Domain Authentication.
14 May 2002© 2000-02 TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

Similar presentations

Ads by Google