11/07/2003IETF-58 MSEC and AAA page 1 George Gross, IdentAware ™ Security IETF-58, Minneapolis, MN November 10 th 2003 Multicast.

Slides:

Advertisements

Similar presentations

Authentication Authorization Accounting and Auditing

Advertisements

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.

Lousy Introduction into SWITCHaai

Adapted Multimedia Internet KEYing (AMIKEY): An extension of Multimedia Internet KEYing (MIKEY) Methods for Generic LLN Environments draft-alexander-roll-mikey-lln-key-mgmt-01.txt.

Router Identification Problem Statement J.W. Atwood 2008/03/11

GT 4 Security Goals & Plans Sam Meder

Washinton D.C., November 2004 IETF 61 st – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena.

Access Control Chapter 3 Part 3 Pages 209 to 227.

Authorization of a QoS path based on Generic AAA SC2002 Baltimore NOV Bas van Oudenaarde Advanced Internet Research Group University of Amsterdam.

PDC Enabling Science Grid Security Research Olle Mulmo.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

1 Role of Authorization in Wireless Network Security Pasi Eronen Jari Arkko November 3, 2004 This document has been produced partially in the context of.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Sepucha_Date_01 Group Key Management Architecture Howie Weiss NASA/JPL/SPARTA

The EC PERMIS Project David Chadwick

6/4/2015Page 1 Enterprise Service Bus (ESB) B. Ramamurthy.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.

Group Secure Association Key Management Protocol (GSAKMP) Presented by Hugh Harney

Introduction to Kerberos Kerberos and Domain Authentication.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.

A Policy Framework for Multicast Group Control Salekul Islam and J. William Atwood Concordia University Department of Computer Science and Software Engineering.

Trust Anchor Management Problem Statement 69 th IETF Trust Anchor Management BOF Carl Wallace.

7/11/2006IETF-66 MSEC applied to RMT page 1 George Gross IdentAware ™ Multicast Security IETF-66, Montreal, Canada July 11 th 2006.

Digital Object Architecture

Key Management with the Voltage Data Protection Server Luther Martin IEEE P May 7, 2007.

Doc: Submission September 2003 Dorothy Stanley (Agere Systems) IETF Liaison Report September 2003 Dorothy Stanley – Agere Systems IEEE.

1 © 1999, Cisco Systems, Inc. AAA/Mobile IP For 3G CDMA Systems Gopal Dommety and Allen Long.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

(Preliminary) Gap Analysis Hannes Tschofenig. Goal of this Presentation The IETF has developed a number of security technologies that are applicable to.

Group Communications at Concordia J. William Atwood High Speed Protocols Laboratory Concordia University Montreal, Quebec, Canada.

3Com Confidential Proprietary 3G CDMA AAA Function Yingchun Xu 3COM.

Serving society Stimulating innovation Supporting legislation Danny Vandenbroucke & Ann Crabbé KU Leuven (SADL) AAA-architecture for.

Attribute Certificate By Ganesh Godavari. Talk About An Internet Attribute Certificate for Authorization -- RFC 3281.

Active Directory Travis Favors Ryan Manuel Robert Rayer.

July 16, Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...

EAP Authentication for SIP & HTTP V. Torvinen (Ericsson), J. Arkko (Ericsson), A. Niemi (Nokia),

I2RS draft-rfernando-yang-mods.txt I2RS Yang Extensions draft-rfernando-yang-data-mods R.Fernando, P.Chinnakannan, M.Madhayyan, A.Clemm.

7/11/2006IETF-66 MSEC IPsec composite groups page 1 George Gross IdentAware ™ Multicast Security IETF-66, Montreal, Canada July.

AAA and Mobile IPv6 Franck Le AAA WG - IETF55. Why Diameter support for Mobile IPv6? Mobile IPv6 is a routing protocol and does not deal with issues related.

Draft-ietf-dime-ikev2-psk-diameter-0draft-ietf-dime-ikev2-psk-diameter-08 draft-ietf-dime-ikev2-psk-diameter-09 in progress Diameter IKEv2 PSK: Pre-Shared.

Manish Mehta, CS 590L Authentication Services in Open Grid Services by Manish Mehta April 27, 2004.

National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.

ICOS BOF EAP Applicability Bernard Aboba IETF 62, Minneapolis, MN.

Module 2: Introducing Windows 2000 Security. Overview Introducing Security Features in Active Directory Authenticating User Accounts Securing Access to.

Authorization GGF-6 Grid Authorization Concepts Proposed work item of Authorization WG Chicago, IL - Oct 15 th 2002 Leon Gommans Advanced Internet.

1 Achieving Local Availability of Group SA Ya Liu, Bill Atwood, Brian Weis,

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.

1 Active Directory Service in Windows 2000 Li Yang SID: November 2000.

IP Multicast Receiver Access Control draft-atwood-mboned-mrac-req draft-atwood-mboned-mrac-arch.

Link-local security J.W. Atwood, S. Islam PIM Working Group 2007/12/04

1 OSPFv3 Automated Group Keying Requirements draft-liu-ospfv3-automated-keying-req-01.txt Ya Liu, Russ White,

MIP6 WG IETF-68 Service Selection for Mobile IPv6 draft-korhonen-mip6-service-01 March, 2007 Jouni Korhonen, Ulf Nilsson, Vijay Devarapalli.

Rights Management for Shared Collections Storage Resource Broker Reagan W. Moore

Minneapolis, March 2005 IETF 62 nd – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena Demaria.

Extended QoS Authorization for the QoS NSLP Hannes Tschofenig, Joachim Kross.

1 GDOI Changes to Update Draft draft-ietf-msec-gdoi-update-01 Sheela Rowles Brian Weis.

Chapter 6 Server Management: Domains Workgroup Domain Trust Relationship Examples.

Mar 27, 2000IETF 47 - Pyda Srisuresh1 Secure Remote Access with L2TP Pyda Srisuresh.

8/02/2005IETF-63 MSEC IPsec extensions page 1 Brian Weis, Cisco Systems George Gross, IdentAware ™ Security Dragan Ignjatic, Polycom IETF-63, Paris, France,

Unified Identity for Access Control Carl Ellison 7 April 2011 IDtrust.

Thoughts on Bootstrapping Mobility Securely Chairs, with help from James Kempf, Jari Arkko MIP6 WG/BOF 57 th IETF Vienna Wed. July 16, 2003.

Group Key Management Architecture

Some basics of a AAA Control model

Zueyong Zhu† and J. William Atwood‡

Distributed Keyservers

ERP/AAK support for Inter-AAA realm handover discussion

R0KH-R1KH protocol requirements

AAA: A Survey and a Policy- Based Architecture and Framework

Presentation transcript:

11/07/2003IETF-58 MSEC and AAA page 1 George Gross, IdentAware ™ Security IETF-58, Minneapolis, MN November 10 th 2003 Multicast Security with Authentication, Authorization, and Accounting (AAA)

11/07/2003IETF-58 MSEC and AAA page 2 What motivates MSEC/AAA? Large-scale secure multicast groups straddle administrative/business domain boundaries AAA enforces contractual relationships, generates data usable for service accounting Allows Service Provider to securely control their multicast transit routing service Enables dynamic MSEC groups with the Service Provider AAA as the broker

11/07/2003IETF-58 MSEC and AAA page 3 Relevant Background Reading RFC3588, Diameter base protocol spec RFC2904, generic authorization framework NASREQ Diameter application –ietf-draft-aaa-diameter-nasreq-13.txt next rev of generic policy token draft –msec-gspt-04.txt –missed the ID cut-off

11/07/2003IETF-58 MSEC and AAA page 4 GDOI Roaming Pull AAA Model Administrative Domain “B” Group Owner Z authorization Authentication Server Diameter AAA Server Grp. Controller Key Server Accounting Server GM Diameter AAA Server Subordinate GC/KS Accounting Server GM Administrative Domain “A” Diameter GDOI Diameter NASREQ+MSEC Secure multicast group “Z”

11/07/2003IETF-58 MSEC and AAA page 5 Observations about GDOI/AAA Can leverage existing IKE/ISAKMP AAA –Q: does the group member have a NAI? –Reasonable design: extend NASREQ Diameter application to handle GDOI Undefined how to add a S-GC/KS to group Issue: currently no way to separate KS from the S-GC role if the S-GC domain is not trusted with the group’s encryption key

11/07/2003IETF-58 MSEC and AAA page 6 GSAKMP Push AAA Model Administrative Domain “B” Group Owner Z authorization Certificate Authority Diameter AAA Server Grp. Controller Key Server Accounting Server GM Diameter AAA Server Subordinate GC/KS Accounting Server GM Administrative Domain “A” Diameter GSAKMP Diameter accounting Secure multicast group “Z” Policy token

11/07/2003IETF-58 MSEC and AAA page 7 GSAKMP/AAA Observations PKI based authentication only, no NAI Multicast policy token encodes membership authorization, acts as AAA service ticket Diameter back-end used for accounting Does not fit Diameter NASREQ model Like GDOI, can not withhold group key from S-GC in partially trusted domain

11/07/2003IETF-58 MSEC and AAA page 8 Future MSEC/AAA directions Need to separate the S-GC and key server roles in both GSAKMP and GDOI Introduce “generic” policy token attributes to encode multiple service authorizations –nesting the tokens will avoid layer violations –multicast PT is scalable, but it is not part of GDOI today, is this feasible to add? Long-term: Diameter extensions for MSEC