Open Source Project SEND & Extensions (2/25/2016, CSI WG/IETF76)
Beijing University of Posts & Telecommunications, HUAWEI
Yuhong LI (Speaker), Wendong WANG.


1 Open Source Project SEND & Extensions
Beijing University of Posts & Telecommunications, HUAWEI
Yuhong LI (Speaker), Wendong WANG, Guangxue SU, Quanchao HUI

2 Contents
  – Project overview
  – Basic and extended functions
  – Implementations
  – Tests
  – Future work

3 Project Overview
Project began in Nov. 2008
GPL-style License
Code
  – Plan to put at Google Code (http://code.google.com)
Platforms
  – Host: Linux*
  – Router: Quagga over Linux*
* Linux: Linux Kernel 2.6.24.6, Ubuntu 8.04

4 Basic Functions
Implementations of RFCs:
  – RFC3971 - Secure Neighbor Discovery (SEND)
  – RFC3972 - Cryptographically Generated Addresses (CGAs)
  – RFC3779 - X.509 Extensions for IP Addresses and AS Identifiers
Supported features:
  – Processing CPS/CPA messages (Authorization Delegation Discovery)
      Configuration of trust anchor & certificate path
      Adding IP Address Extensions to certificates
      Handling of the certificate path
      …
  – Processing ND messages with SEND options
      Generation & Verification of CGA and CGA parameters
      Generation & Verification of the RSA signature
      Handling the Nonce & Timestamp options
      …

5 Extended Functions
Supports
  – ECDSA as an alternative to RSA
      Based on draft-shen-csi-ecc-01 (the revised version in draft-cheneau-csi-ecc-sig-agility-00)
  – CRL verification

6 Implementations
SEND Kernel module
  – Embedded into the IPv6 module of the Linux kernel
  – About 6K lines of C++
SEND Daemon module
  – Cryptographic procedures are implemented in user space as a daemon
  – About 7K lines of C++

7 Software Prototype: Host

8 Software Prototype: Router

9 Tests of SEND & Extensions
  – Performed in a link-local environment
  – 72 function tests for SEND and extensions
  – Performance tests on CGA and RSA/ECDSA

10 Test scenario 1: nodes support only SEND
Messages from the original NDP nodes are considered insecure and are discarded
  – Neighbor Discovery
      SEND nodes discard ND messages without SEND options.
  – Router Discovery
      SEND nodes send CPS to routers to request CPA; routers are considered insecure and are ignored if they do not respond with CPA messages.
  – Redirect
      SEND nodes ignore Redirect messages from NDP nodes.

11 Test scenario 2: nodes work in compatible mode
SEND nodes in compatible mode accept NDP nodes, but mark them as insecure
  – Neighbor Discovery
      SEND nodes on the link are marked as secure
      NDP nodes on the link are marked as insecure
  – Router Discovery
      Routers which pass CPA verification are marked as secure
      Other routers are marked as insecure
      Secure routers have higher priority when routing
  – Redirect
      Both SEND/ND redirect messages are accepted.

12 Test results of CGA generating time
Platform:
  – An Intel Duo2 (2.53GHz) workstation
Results of average CGA generating time
  – SEC=0: 100 μs
  – SEC=1: 60 ms
  – SEC=2: 2000 s (varies from 100~7000 sec)
  – SEC=3: N/A
      Theoretical estimate: more than 30000 hours are required.
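Why generation time climbs so steeply with Sec, shown as an added example (not code from the project presented here): a minimal RFC 3972 CGA generator and verifier, in which each increment of Sec multiplies the expected number of Hash2 trials by 2**16. The public key bytes, the 2001:db8::/64 prefix and the fixed starting modifier are constructed assumptions, and extension fields are omitted.

```python
import hashlib
import ipaddress

# Constructed stand-in for a DER-encoded public key; the hashes treat it as opaque bytes.
PUBKEY = b"constructed-sample-public-key"
PREFIX = bytes.fromhex("20010db800000000")    # 2001:db8::/64 documentation prefix
IID_MASK = bytes.fromhex("1cffffffffffffff")  # ignores the Sec bits and the u/g bits

def _sha1(data):
    return hashlib.sha1(data).digest()

def cga_generate(prefix, pubkey, sec, start=0):
    """Return (address, modifier, trials). RFC 3972 starts from a random
    modifier; a fixed start is used here so the run is reproducible."""
    modifier, trials = start, 0
    while True:
        trials += 1
        mod = modifier.to_bytes(16, "big")
        hash2 = _sha1(mod + bytes(9) + pubkey)[:14]      # leftmost 112 bits
        if hash2[:2 * sec] == bytes(2 * sec):            # 16*Sec leading zero bits
            break
        modifier = (modifier + 1) % (1 << 128)
    iid = bytearray(_sha1(mod + prefix + b"\x00" + pubkey)[:8])  # Hash1, collision count 0
    iid[0] = (iid[0] & 0x1C) | (sec << 5)                # Sec in top 3 bits, u/g cleared
    return ipaddress.IPv6Address(prefix + bytes(iid)), mod, trials

def cga_verify(address, modifier, pubkey, collision_count=0):
    """Receiver-side check: recompute both hashes from the CGA parameters.
    The subnet prefix is taken from the address itself."""
    raw = ipaddress.IPv6Address(address).packed
    prefix, iid = raw[:8], raw[8:]
    if collision_count not in (0, 1, 2):
        return False
    hash1 = _sha1(modifier + prefix + bytes([collision_count]) + pubkey)[:8]
    if any((a ^ b) & m for a, b, m in zip(hash1, iid, IID_MASK)):
        return False                                     # address not bound to this key
    sec = iid[0] >> 5                                    # Sec is read from the address
    hash2 = _sha1(modifier + bytes(9) + pubkey)[:14]
    return hash2[:2 * sec] == bytes(2 * sec)

if __name__ == "__main__":
    for sec in (0, 1):                                   # Sec=2 needs about 2**32 trials
        addr, mod, trials = cga_generate(PREFIX, PUBKEY, sec)
        print(sec, addr, trials, cga_verify(addr, mod, PUBKEY))
```

Because the verifier reads Sec from the address and rechecks Hash2, a node cannot claim a higher Sec than the modifier search it actually performed.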

13 Performance comparisons of RSA and ECDSA
Ref: draft-shen-csi-ecc-01 (the revised version in draft-cheneau-csi-ecc-sig-agility-00)
RSA-1024 and ECDSA-192 are of the same security strength.
ECDSA has a shorter signature length and a shorter signature generation time.

14 Future work
Supports signature algorithm agility based on
  – draft-cheneau-csi-cga-pk-agility-00
      Support for Multiple Signature Algorithms in Cryptographically Generated Addresses (CGAs)
      Proposed on Oct. 12, 2009 by Huawei
      Supports multiple signature algorithms by providing multiple public keys in the CGA
  – draft-cheneau-csi-send-sig-agility-00
      Signature Algorithm Agility in the Secure Neighbor Discovery (SEND) Protocol
      Proposed on Oct. 12, 2009 by Huawei
      Adds a Supported Signature Algorithm Option, providing agility to SEND
  – draft-cheneau-csi-ecc-sig-agility-00
      ECC public key and signature support in Cryptographically Generated Addresses (CGA) and in the Secure Neighbor Discovery (SEND)
      Proposed on Oct. 12, 2009 by Huawei
      E.g. how to use an ECC public key in CGA etc.

15 Thanks! Questions/Comments?
Contact us
  – Yuhong Li: hoyli@bupt.edu.cn
  – Wendong Wang: wdwang@bupt.edu.cn
  – Guangxue Su: guangxsu@gmail.com
  – Quanchao Hui: huiquanchao@gmail.com

