Presentation is loading. Please wait.

Presentation is loading. Please wait.

7/14/2003IETF57 PANA enabling IPsec based Access control draft-mohanp-pana-ipsec-00.txt Mohan Parthasarathy Tahoe Networks - Presented by Hannes Tschofenig.

Published byVictor Allison Modified over 8 years ago

Similar presentations

Presentation on theme: "7/14/2003IETF57 PANA enabling IPsec based Access control draft-mohanp-pana-ipsec-00.txt Mohan Parthasarathy Tahoe Networks - Presented by Hannes Tschofenig."— Presentation transcript:

1 7/14/2003IETF57 PANA enabling IPsec based Access control draft-mohanp-pana-ipsec-00.txt Mohan Parthasarathy Tahoe Networks - Presented by Hannes Tschofenig

2 7/14/2003IETF57 Enabling IPsec Access control PANA protocol - used to authenticate the client. PANA protocol - also capable of sending Protection-capability-AVP (with PANA-Bind- Request) asking (enforcing) the client to use L2 or L3 cipher. But PANA protocol does not specify the details on how the L2/L3 SAs are established etc. This draft essentially discusses the details of using IPsec as the L3 cipher.

3 7/14/2003IETF57 Pre-requisites for using IPsec PANA client (PaC) should learn the IP address of the enforcement point (EP) during the PANA exchange. PaC learns that the network uses IPsec for securing the PaC-EP link. PaC has already acquired an IP address and PAA knows about the IP address of the PaC before the exchange starts.

4 7/14/2003IETF57 IKE/IPsec details At the end of a successful authentication, a PANA SA is established between PaC and PAA (assuming the underlying EAP method is capable of generating a Master Key (MK)). IKE pre-shared key is derived from the PANA SA (TBD). EP securely receives the following from PAA: - IKE pre-shared key - IP address of PaC - PANA session id

5 7/14/2003IETF57 IKE/IPsec details (contd..) Manual keying not supported. IKE is used to establish IPsec SAs. Both Aggressive mode and Main mode is easy to support. In main mode, PaC and EP uses the IP address as the client identifier. In Aggressive mode, PaC and EP use the PANA session id as identifier - part of ID_KEY_ID payload.

6 7/14/2003IETF57 IKE/IPsec details (contd..) After Phase I SA is established, quick mode exchange is performed to setup an IPsec SA. Quick mode IPsec SA is an ESP transport mode SA used in conjunction with IP-IP tunnel interface (IP-IP transport mode SA). IPsec tunnel mode SA also can be used.

7 7/14/2003IETF57 IPv4/IPv6 Details Draft has specific examples on SPD entries, IPsec processing details for both IPv4 and IPv6. In IPv4, the SPD entries are very simple. All of the traffic is tunneled to the security gateway (EP). In IPv6, there are a few exceptions. EP is the security gateway – a router. Implies hop count is decremented by 1. This won’t work for RD/ND messages which assume nhop count = 255.

8 7/14/2003IETF57 IPv4/IPv6 details (contd..) As IPsec selectors are not capable of expressing bypass rules for ND/RD messages: - Use just fe80::/10 as the on-link prefix i.e., all other packets are sent to the default router. - Bypass IPsec for packets destined to fe80::/10. All packets are tunneled to the link-local address of the EP.

9 7/14/2003IETF57 Double IPsec If the PaC uses IPsec for secure remote access, there will be separate SPD entries for protecting the remote network traffic. Packets will be protected twice. Once for the remote network and once for the local network. This case of iterated tunneling is discussed in RFC2401 (IPsec).

10 7/14/2003IETF57 Open Issues IKE pre-shared key derivation from PANA SA. Use IPsec tunnel mode to describe the IPsec details instead of IP-IP transport mode.

11 7/14/2003IETF57 Question to WG Should we make this a WG I-D?

Download ppt "7/14/2003IETF57 PANA enabling IPsec based Access control draft-mohanp-pana-ipsec-00.txt Mohan Parthasarathy Tahoe Networks - Presented by Hannes Tschofenig."

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.

1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.

IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.
IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.
Security at the Network Layer: IPSec

Security at the Network Layer: IPSec
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IETF 58 PANA WG PANA Update and Open Issues (draft-ietf-pana-pana-02.txt) Dan Forsberg, Yoshihiro Ohba, Basavaraj Patil, Hannes Tschofenig, Alper Yegin.

IETF 58 PANA WG PANA Update and Open Issues (draft-ietf-pana-pana-02.txt) Dan Forsberg, Yoshihiro Ohba, Basavaraj Patil, Hannes Tschofenig, Alper Yegin.
1 © 2005 Nokia mobike-transport.ppt/2005-11-09 MOBIKE Transport mode usage and issues Mohan Parthasarathy.

1 © 2005 Nokia mobike-transport.ppt/ MOBIKE Transport mode usage and issues Mohan Parthasarathy.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.

Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.
1 IPsec Youngjip Kim 2004. 05. 24. 2 Objective Providing interoperable, high quality, cryptographically-based security for IPv4 and IPv6 Services  Access.

1 IPsec Youngjip Kim Objective Providing interoperable, high quality, cryptographically-based security for IPv4 and IPv6 Services  Access.
VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.

VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
SNMP for the PAA-EP protocol PANA wg - IETF 61 Washington DC Yacine El Mghazli (Alcatel) Yoshihiro Ohba (Toshiba) Julien Bournelle (GET/INT) draft-ietf-pana-snmp-02.txt.

SNMP for the PAA-EP protocol PANA wg - IETF 61 Washington DC Yacine El Mghazli (Alcatel) Yoshihiro Ohba (Toshiba) Julien Bournelle (GET/INT) draft-ietf-pana-snmp-02.txt.

Similar presentations

Ads by Google