Presentation is loading. Please wait.

Presentation is loading. Please wait.

11 Softwire Security Analysis and Guidance for Mesh Shu Yamamoto Carl Williams Florent Parent Hidetoshi Yokota draft-ietf-softwire-security-requirements-XX.txt.

Published byLambert Nelson Modified over 8 years ago

Similar presentations

Presentation on theme: "11 Softwire Security Analysis and Guidance for Mesh Shu Yamamoto Carl Williams Florent Parent Hidetoshi Yokota draft-ietf-softwire-security-requirements-XX.txt."— Presentation transcript:

1 11 Softwire Security Analysis and Guidance for Mesh Shu Yamamoto Carl Williams Florent Parent Hidetoshi Yokota draft-ietf-softwire-security-requirements-XX.txt

2 2 Outline Mesh Network Model Security Reference Model Defensive Techniques Security Threats Security Requirement Defensive Techniques on Control Plane Next Steps

3 3 Network Model of Softwire Mesh Peer Model –Softwire mesh network is peer model (PE based) as defined by Softwire Problem Statement document. –A dual stack AFBR is provided by a service provider –Mesh softwire is established by extended MP-BGP with tunnel SAFI. Overlay Model –Overlay model (CE based) is not applied to Softwire mesh to avoid the special dual stack device in access networks. PE CE Peer Model Overlay Model AFBR

4 4 Security Reference Model P CE PPP AFBR-1 AFBR-2 AFBR-N AF(j) Backbone AF(i) Route Reflector BGP Update DoS Intrusion Attack on Data Plane Attack on Control Plane PE Static Route or Routing Protocol PE Vulnerability to security threats for Control and Data Plane depends on whether AF(j) backbone is secure network or not The probability of threat depends on whether the transit network consists of a single service provider network or multiple network domains.

5 5 Use of Defensive Techniques Softwire Mesh MUST be able to prevent threat X. This means that the softwire protocol for control and data plane should be capable of preventing threat X. The features or defensive techniques that prevent threat X may or may not be used depending on the deployment and the operational issues. Reference: RFC4016

6 6 Counter Measures against Security Threats P CE PPP AFBR-1 AFBR-2 AFBR-N AF(j) Backbone AF(i) BGP Update PE Static Routing Packet Filtering IPsec TCP MD5 or IPsec IPsec tunnel supported by extended MP-BGP with Tunnel SAFI Static Route or Routing Protocol Route Reflector PE

7 7 Security Threats Unauthorized Observation of Data Traffic Modification of data traffic Insertion of Non- authentic data traffic for spoofing and replay Unauthorized deletion of data traffic Unathorized traffic pattern analysis Resource exhaution DoS Sniffing Spoofing Replay Modification Snooping Threat Level Degradation of service quality Service Theft Service Disruption Reference: RFC4111 First Step in other Attacks

8 8 Defensive Techniques Cryptographic Techniques and IPsec –Encryption is to protect privacy although additional computation burden. –IPsec needs to specify an encryption algorithm, key length etc. –Applicability of encription depends on the trust model among transit and access networks. PE(AFBR) – CE PE(AFBR) – PE (AFBR) End-to-end or CE-CE [user provisoned model is ouside the scope of softwire mesh] –At least, PE-PE IPsec is provisoned by a service provider Authentication –CE-PE authentication –PE-to-PE Authentication Access control techniques –CE packet access list and Filering in PE –Firewalls

9 9 Security Requirement Protection within the transit network –Control plane protection MP-BGP UPDATE may be authenticated by using TCP MD5 or IPsec. –Data plane protection IPsec provides encription of secure user data IPsec, L2TPv3 in IPsec, and mGRE in IPsec softwire mesh encapsulations are defined. (draft-nalawade-kapoor-tunnel-safi- 05.txt) Protection on the user access link –BGP MD5 authentication on PE-CE links using eBGP –Authentication/encryption mechanisms (i.e. IPsec) between ASes for inter-provider connection –Protection against spoofing

10 10 TCP MD5 or IPsec for MP-BGP UPDATE TCP MD5 (RFC2385) –Offering Authentication and integrity on a point-to-point basis –Protection from spoofing attacks and connection hijacking –Lack of an automated key distribution –Overly long-term use of symmetric keys IPsec –ESP protocol offers authentication, data integrity, and anti- replay between BGP speakers (i.e. AFBRs) –IKE protocol for automated key management in support of ESP –PKI requires a substatial amount of computation, compared with shared secret version of IKE. –Guidelines for mandating the use of IPsec is provided by draft-bellovin-useipsec-05.txt

11 11 Issues and Next Steps Automated key management for IPsec softwire mesh tunnel per RFC4107(Guidelines for Cryptograph Key Management): memo of 3/23/06 Consideration for transit network consisting of multi-domains. Because Inter AS-AS connection is in the scope of softwire mesh. Multicast case Document update

Download ppt "11 Softwire Security Analysis and Guidance for Mesh Shu Yamamoto Carl Williams Florent Parent Hidetoshi Yokota draft-ietf-softwire-security-requirements-XX.txt."

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.

 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.
CS 265 – Project IPv6 Security Aspects Surekha Shinde.

CS 265 – Project IPv6 Security Aspects Surekha Shinde.
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.

Cryptography and Network Security 2 nd Edition by William Stallings Note: Lecture slides by Lawrie Brown and Henric Johnson, Modified by Andrew Yang.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
MPLS/VPN Security Threats and Defensive Techniques (provider provision) Speaker : JET 3,1’2004.

MPLS/VPN Security Threats and Defensive Techniques (provider provision) Speaker : JET 3,1’2004.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 

Internet Protocol Security An Overview of IPSec. Outline:  What Security Problem?  Understanding TCP/IP.  Security at What Level?  IP Security. 
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.

Encapsulation Security Payload Protocol Lan Vu. OUTLINE 1.Introduction and terms 2.ESP Overview 3.ESP Packet Format 4.ESP Fields 5.ESP Modes 6.ESP packet.
Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.

Security in Wireless Sensor Networks Perrig, Stankovic, Wagner Jason Buckingham CSCI 7143: Secure Sensor Networks August 31, 2004.
Applied Cryptography for Network Security

Applied Cryptography for Network Security
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.
Virtual Private Networks Shamod Lacoul CS265 What is a Virtual Private Network (VPN)? A Virtual Private Network is an extension of a private network.

Virtual Private Networks Shamod Lacoul CS265 What is a Virtual Private Network (VPN)? A Virtual Private Network is an extension of a private network.
Security Data Transmission and Authentication

Security Data Transmission and Authentication

Similar presentations

Ads by Google