Secure Proxy ND Support for SEND draft-krishnan-csi-proxy-send-00

Presentation transcript:

Secure Proxy ND Support for SEND, draft-krishnan-csi-proxy-send-00
Proxying SEND messages, 2008-03-10
Suresh Krishnan, Julien Laganier, Marco Bonola, Ericsson AB, 2008

SEND Assumptions
- Sender of ND message is the address owner.
- ND message target address is a CGA.
- CGA derived from a public key.
- Sender of ND message owns target address.
- CGA proof-of-ownership via proving possession of the corresponding private key, i.e. signing the message.

Different types of ND proxies
- Sender of ND message is not the address owner.
- RFC3775: MIPv6 HA intercepts packets sent to a MIPv6 MN away from home by sending NAs on behalf of the MN.
- RFC4389: Bridging multiple L2 segments into one by rewriting L2 addresses in ND messages.
- to-be-RFC5213: PMIPv6 MAG sends NAs on behalf of the PMIPv6 LMA.

Secure Proxy ND Support for SEND
- Separates the roles of ownership and advertiser.
- The proxy is certified as part of the trusted infrastructure just like a SEND router.
- The proxy is granted a certificate that specifies the range of addresses that it is allowed to proxy.
- Hosts can use the same process to discover the certification path between a proxy and one of the host's trust anchors as the one defined for routers in RFC3971.

Operation Overview
- Perform all the operations performed as per existing specs (RFC3775, RFC4389, RFC5213).
- ND proxy provisioned with an authorization certificate [I-D.krishnan-cgaext-send-cert-eku].
- Proxy Signature option (PSO).
- Modified SEND processing rules for ND messages: NA, NS, RS, RA, and Redirect.
- A message with a valid PSO is considered secure even if it doesn't contain a CGA option.

Secure Proxy ND Sender Processing Rules
- If the ND message is locally generated, the message is constructed as per NDP [RFC4861].
- If the ND message is forwarded, the authenticity of the intercepted message is verified as per SEND [RFC3971], then the intercepted message is modified as per ND Proxy [RFC4389]: the CGA and RSA options are removed and the Proxy Signature option is added.

Modified SEND Receiver Processing Rules
- An ND message without a PSO is treated as per SEND [RFC3971].
- In an ND message with a PSO, the CGA and RSA options are ignored; if the PSO contains a valid signature and the certified IP address range encompasses the target address, the message is considered valid.

Backward Compatibility
- Nodes that do not implement the modified receiving rules will ignore the PSO, and since the RSA and CGA options were removed, the message will be treated as insecure as per SEND [RFC3971].
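The sender rule, the modified receiver rule and the backward-compatibility behaviour above, as an added simulation that is not part of the draft or the slides. It assumes a constructed certificate range and an HMAC key that stands in for the proxy's certified RSA key; the "no PSO" branch only checks that CGA and RSA options are present rather than running full RFC 3971 verification.

```python
import hmac
import hashlib
import ipaddress

# Constructed stand-in for the proxy's authorization certificate: the address
# range it may proxy for, and a key standing in for its certified RSA key pair.
PROXY_CERT_RANGE = ipaddress.ip_network("2001:db8:1::/64")
PROXY_KEY = b"constructed-proxy-key"


def sign_pso(message: dict, key: bytes) -> bytes:
    """Stand-in for the Proxy Signature option: covers type, target and payload."""
    data = f"{message['type']}|{message['target']}|{message['payload']}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()


def proxy_forward(intercepted: dict, key: bytes) -> dict:
    """Sender rule for a forwarded message: drop CGA/RSA options, add a PSO.

    Assumes the intercepted message was already verified under SEND (RFC 3971).
    """
    out = {k: v for k, v in intercepted.items() if k not in ("cga", "rsa")}
    out["pso"] = sign_pso(out, key)
    return out


def receive(message: dict, key: bytes, cert_range, legacy: bool = False) -> str:
    """Receiver rule: returns 'secure' or 'insecure'.

    legacy=True models a node without the modified rules: it ignores the PSO.
    """
    if legacy or "pso" not in message:
        # Plain SEND path (simplified): CGA and RSA options must both be present.
        return "secure" if "cga" in message and "rsa" in message else "insecure"
    # PSO present: CGA/RSA options are ignored; check signature then range.
    covered = {k: v for k, v in message.items() if k != "pso"}
    if not hmac.compare_digest(sign_pso(covered, key), message["pso"]):
        return "insecure"
    if ipaddress.ip_address(message["target"]) not in cert_range:
        return "insecure"
    return "secure"
```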

Thanks. Questions?