Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Threats and Security Requirements for the Access Node Control Protocol (ANCP) IETF 68 - ANCP WG March 18-23, 2007 draft-ietf-ancp-security-threats-00.txt.

Published byEzra Turner Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Threats and Security Requirements for the Access Node Control Protocol (ANCP) IETF 68 - ANCP WG March 18-23, 2007 draft-ietf-ancp-security-threats-00.txt."— Presentation transcript:

1 Security Threats and Security Requirements for the Access Node Control Protocol (ANCP) IETF 68 - ANCP WG March 18-23, 2007 draft-ietf-ancp-security-threats-00.txt hassnaa.moustafa@orange-ftgroup.com hannes.tschofenig@siemens.com stefaan.de_cnodder@alcatel-lucent.be

2 Outline History of the draft Objectives Overview and threat model Changes since last version –Organization –Definitions –Attacks classification –Security requirements modification

3 History of The Draft July 2006 (IETF 66th Montreal): –Need for threats analysis and security requirements –Call for contributers October 2006: –Submission: draft-moustafa-ancp-security-threats-00 November 2006 (IETF 67th San Diego): –Draft presentation and feedbacks –Consensus for WG document December 2006 –New version submission: draft-ietf-ancp-security-threats-00

4 Objectives Investigating security threats that ANCP nodes could encounter and developing a threat model at the ANCP level. Deriving the security requirements for the ANCP. Out of scope: –Security policy negotiation, including authentication and authorization to define per-subscriber policy at the AAA/policy server

5 Overview and Threat Model +--------+ | AAA | | Server | +--------+ | +-----+ +-----+ +--------+ +-----+ +----------+ | CPE |---| HGW |---| | | | | | +-----+ +-----+ | Access | | | | Internet | | Node |-----------------| NAS |---| | +-----+ +-----+ | (AN) | | | | | | CPE |---| HGW |---| | | | | | +-----+ +-----+ +--------+ +-----+ +----------+ Attackers can be either on-path or off-path : active or passive Threat Model: –Off-path adversary at the CPE or HGW –Off-path adversary on the Internet or a Regional Network –On-path adversary at the network elements between the AN and the NAS –Adversary taking control over the NAS –Adversary taking control over the AN

6 Changes since last version 1/4 Re-wording and re-phrasing Definition of the CPE –"Device located inside a subscriber's premise that is connected to the LAN side of the HGW" Attacks classification –Attacks disrupting the communication of individual customers –Attacks disrupting the communication of a large fraction of customers –Attacks gaining profit for the attacker

7 Potential attacks re-formulation (Section 5 in last version) –Attacks types (Section 5 in current version) –Attacks forms (Section 6 in current version) –Removing "Network Snooping" (Section 5.7 in last version) Changes since last version 2/4 Attacks Types (Section 5) –DoS –Integrity violation –Downgrading –Traffic Analysis Attacks Forms (Section 6) –Message replay –Faked message injection –Messages modification –Man-in-the-middle –Eavesdropping

8 Clarification of AAA server in scope/out of scope issues (Section 7 in current draft) –Out of scope: user's authentication process and how the user gets authenticated and how the AAA server gets the authorization data –In scope: attacks concerning the communication between the NAS and the AAA server, once the AAA server gets the authentication data Attacks Against ANCP Defined Use Cases (Section 7 in the current draft) : –re-organization and some revisions –Major changes: Dynamic access loop attributes use case: –downgrading caused by man-in-the-middle attack –Removing network snooping from on-path and off-path passive attacks Access loop configuration use case: on-path passive attacks learning the configuration attributes Changes since last version 3/4

9 Security requirements update –The protocol solution MUST offer authentication of the AN to the NAS –The protocol solution MUST offer authentication of the NAS to the AN –The protocol solution MUST allow authorization to take place at the NAS and at the AN –The protocol solution MUST offer replay protection –The protocol solution MUST provide data origin authentication –The protocol solution MUST be robust against DoS attacks –The protocol solution SHOULD offer confidentiality protection –The protocol solution SHOULD distinguish the control messages from the data Changes since last version 4/4

10 Next Step Soliciting comments Considering the WG position for the Multicast use case Asking for LC

Download ppt "Security Threats and Security Requirements for the Access Node Control Protocol (ANCP) IETF 68 - ANCP WG March 18-23, 2007 draft-ietf-ancp-security-threats-00.txt."

Similar presentations

Security Issues In Mobile IP

Security Issues In Mobile IP
© 2006 NEC Corporation - Confidential age 1 November 2008 - 1 SPEERMINT Security Threats and Suggested Countermeasures draft-ietf-speermint-voipthreats-01.

© 2006 NEC Corporation - Confidential age 1 November SPEERMINT Security Threats and Suggested Countermeasures draft-ietf-speermint-voipthreats-01.
U M T S F o r u m © UMTS 2002 UMTS Security aspects UMTS Forum ICTG Chair Bosco Fernandes Siemens AG

U M T S F o r u m © UMTS 2002 UMTS Security aspects UMTS Forum ICTG Chair Bosco Fernandes Siemens AG
EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.

EAP Channel Bindings Charles Clancy Katrin Hoeper IETF 76 Hiroshima, Japan November 08-13, 2009.
1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.

1 Computer Security Instructor: Dr. Bo Sun. 2 Course Objectives Understand basic issues, concepts, principles, and mechanisms in computer network security.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
Security Threats and Security Requirements for the Access Node Control Protocol (ANCP) IETF 67 - ANCP WG November 5-10, 2006 draft-moustafa-ancp-security-threats-00.txt.

Security Threats and Security Requirements for the Access Node Control Protocol (ANCP) IETF 67 - ANCP WG November 5-10, 2006 draft-moustafa-ancp-security-threats-00.txt.
Mobile IP Security Dominic Maguire Research Essay Presentation Communications Infrastructure Module MSc Communications Software, WIT 1 1 1 0 11 0.

Mobile IP Security Dominic Maguire Research Essay Presentation Communications Infrastructure Module MSc Communications Software, WIT
Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005.

Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Chapter 16 AAA. AAA Components  AAA server –Authenticates users accessing a device or network –Authorizes user to perform specific activities –Performs.

Chapter 16 AAA. AAA Components  AAA server –Authenticates users accessing a device or network –Authorizes user to perform specific activities –Performs.
Introduction (Pendahuluan)  Information Security.

Introduction (Pendahuluan)  Information Security.
Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 ANCP protocol draft updates draft-ietf-ancp-protocol-00.txt ANCP.

Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidentialwww.juniper.net 1 ANCP protocol draft updates draft-ietf-ancp-protocol-00.txt ANCP.
Storage Security and Management: Security Framework

Storage Security and Management: Security Framework
Framework & Requirements for an Access Node Control Mechanism in Broadband Multi-Service Networks ANCP WG IETF 70 – Vancouver draft-ietf-ancp-framework-04.txt.

Framework & Requirements for an Access Node Control Mechanism in Broadband Multi-Service Networks ANCP WG IETF 70 – Vancouver draft-ietf-ancp-framework-04.txt.
Wireless Network Security. What is a Wireless Network Wireless networks serve as the transport mechanism between devices and among devices and the traditional.

Wireless Network Security. What is a Wireless Network Wireless networks serve as the transport mechanism between devices and among devices and the traditional.
Dean Cheng Jouni Korhonen Mehamed Boucadair

Dean Cheng Jouni Korhonen Mehamed Boucadair
IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-06-0348-06-0000 Title: MIIS and Its Higher Layer Transport Requirements: Ad hoc Update and Discussion on.

IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: MIIS and Its Higher Layer Transport Requirements: Ad hoc Update and Discussion on.
Doc.: IEEE 802.15-xxxxx Submission doc. : IEEE 802. 15-12-0679-00-0008 Nov 2012 Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal Area.

Doc.: IEEE xxxxx Submission doc. : IEEE Nov 2012 Slide 1 Project: IEEE P Working Group for Wireless Personal Area.
Framework & Requirements for an Access Node Control Mechanism in Broadband Multi-Service Networks ANCP WG IETF 71 – Philadelphia draft-ietf-ancp-framework-05.txt.

Framework & Requirements for an Access Node Control Mechanism in Broadband Multi-Service Networks ANCP WG IETF 71 – Philadelphia draft-ietf-ancp-framework-05.txt.

Similar presentations

Ads by Google