Packet Format Issues #227: Need Shim Header to indicate Crypto Property of packet Do we need to add pre-amble header to indicate if data is encrypted or.

Slides:

Advertisements

Similar presentations

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

Advertisements

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT

Network Layer Packet Forwarding IS250 Spring 2010

CS335 Networking & Network Administration Tuesday, May 11, 2010.

THE USE OF IP ESP TO PROVIDE A MIX OF SECURITY SERVICES IN IP DATAGRAM SREEJITH SREEDHARAN CS843 PROJECT PRESENTATION 04/28/03.

CAPWAP Editor’s Report Pat R. Calhoun Cisco Systems, Inc.

Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.

Draft-gu-ppsp-protocol-00 PPSP Session IETF 77, Anaheim March 22, 2010.

March 7, 2005MOBIKE WG, IETF 621 Mobility Protocol Options for IKEv2 (MOPO-IKE) Pasi Eronen.

TCP/IP Essentials A Lab-Based Approach Shivendra Panwar, Shiwen Mao Jeong-dong Ryoo, and Yihan Li Chapter 5 UDP and Its Applications.

1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

INRIA Rhône-Alpes - Planète research group Reed-Solomon FEC I-D LDPC-* FEC I-D TESLA I-D Simple-auth I-D IETF 70 th – Vancouver meeting, November 2007.

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

03/07/2005IETF 62, Minneapolis NAT requirements for TCP (BEHAVE WG) draft-sivakumar-behave-nat-tcp-req-00.txt S.Sivakumar, K.Biswas, B.Ford.

TCP/IP Protocols Contains Five Layers

QUALCOMM Incorporated 1 Protocol Options for BSN- BSMCS Controller Interface Jun Wang, Kirti Gupta 05/16/2005 Notice: Contributors grant a free, irrevocable.

1 July, 2002 doc:.: /275r0 Daniel V. Bailey, Ari Singer, NTRU 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs)

Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.

March 2007 CAPWAP Protocol Specification Editors' Report March 2007

Internet Protocols (chapter 18) CSE 3213 Fall 2011.

SIP working group IETF#70 Essential corrections Keith Drage.

March 2006 CAPWAP Protocol Specification Update March 2006

IPSec and TLS Lesson Introduction ●IPSec and the Internet key exchange protocol ●Transport layer security protocol.

SRI International 1 Topology Dissemination Based on Reverse-Path Forwarding (TBRPF) Richard Ogier September 21, 2002.

Encapsulated Security Payload Header ● RFC 2406 ● Services – Confidentiality ● Plus – Connectionless integrity – Data origin authentication – Replay protection.

1 Lecture 13 IPsec Internet Protocol Security CIS CIS 5357 Network Security.

Open issues from SIP list Jonathan Rosenberg dynamicsoft.

Authentication Header ● RFC 2402 ● Services – Connectionless integrity – Data origin authentication – Replay protection – As much header authentication.

Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.

Currently Open Issues in the MIPv6 Base RFC MIPv6 security design team.

SOURCE: Tony Lee David Wang ABSTRACT: To control SACK.

Issues Discussions CAPWAP Interim Jan 24-25, 2007 Mahalingam Mani.

Generic UDP Encapsulation for IP Tunneling Lucy Yong July 2014 Toronto CA draft-ietf-tsvwg-gre-in-udp-02.

1 Header Compression over IPsec (HCoIPsec) Emre Ertekin, Christos Christou, Rohan Jasani {

1 Transport Layer: Basics Outline Intro to transport UDP Congestion control basics.

IETF WG Presentation1 Urooj Rab Audio/Video Transport.

July 2007 CAPWAP Protocol Specification Editors' Report July 2007

IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.

RFC 4068bis draft-ietf-mipshop-fmipv6-rfc4068bis-01.txt Rajeev Koodli.

IP Protocol CSE TCP/IP Concepts Connectionless Operation Internetworking involves connectionless operation at the level of the Internet Protocol.

GIST NAT traversal and Legacy NAT traversal for GIST AND

IPSEC Modes of Operation. Breno de MedeirosFlorida State University Fall 2005 IPSEC  To establish a secure IPSEC connection two nodes must execute a.

Issue EAPoL-Key message generation at WTP or AC Issue 199, summarized as:...the WTP maintains the KeyRSC while the AC requires this information to.

K. Salah1 Security Protocols in the Internet IPSec.

Draft-ietf-p2psip-base-08 Cullen Jennings Bruce Lowekamp Eric Rescorla Salman Baset Henning Schulzrinne March 25, 2010.

Doc.: IEEE /250r0 Submission, Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: IEEE :

IPv6 Security By Eric Pennington COSC 356 – Network Security Dr. Oblitey

Hybrid-MAC Model for CAPWAP draft-ietf-opsawg-capwap-hybridmac-00 Presenting: Hui Deng:

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

Ken Grewal Gabriel Montenegro Manav Bhatia

UNIT 7- IP Security 1.IP SEC 2.IP Security Architecture

Open issues with PANA Protocol

PANA Discussion and Open Issues (draft-ietf-pana-pana-01.txt)

CSE 4905 IPsec.

PANA Issues and Resolutions

Shi Yang David T. Perkins IETF 70th 3 Dec 2007, Vancouver

IT443 – Network Security Administration Instructor: Bo Sheng

Topic #1 & #5 “All that has to do with header formats”

Bob Briscoe, BT IETF-72 tsvwg Jul 2008

IKEv2 Mobility and Multihoming Protocol (MOBIKE)

Internet Control Message Protocol (ICMP)

Guide to TCP/IP Fourth Edition

May 2018 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Considerations on general MAC frame] Date Submitted:

March 2013 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: Comment Resolution Suggestions Date Submitted:

March 2013 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: Comment Resolution Suggestions Date Submitted:

May 2018 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Considerations on general MAC frame] Date Submitted:

IEEE MEDIA INDEPENDENT HANDOVER DCN: xx-00-sec

Presentation transcript:

Packet Format Issues #227: Need Shim Header to indicate Crypto Property of packet Do we need to add pre-amble header to indicate if data is encrypted or not. Leads up to comments for #146 (in some 224/89 list comments) Comments: Need to determine if data is plain text or DTLS. –WG List proposed text for new 32 bit pre-amble header, with 1 bit reserved for DTLS payload identification. –No Consensus yet Do we put the pre-amble/mux on the capwap data channel. (from #146 comments on list) CON: Wastes 31 bits, since 1 bit is to used to tell if encrypted or not. CON: Since we set up a UDP tunnel in the first place it’s a property of that channel if the data is encrypted or not. FOR: the Lookup to check if the data is encrypted or not, is slower than just looking at 1 bit in header. FOR: an AC will have to handle non-encrypted traffic and MAY have to handle encrypted traffic (optional). So will have to do a table look up to check for data encryption for each packet. Less processing to know encrypted in packet. Alternate proposal, put bit in the capwap header and move the capwap header out of the data portion. –Can’t capwap hdr comes after dtls header. –WG decided to protect the entire capwap header.

Packet Format Issues #146: Updated Proposal for packet formats Separate fragmentation header from control header and if PDU is fragmented, put the control header only in first fragment FOR: Reduction of packet size? FOR: frag/re-assembly not really function of capwap? CON: Bits proposed are already specified in F and L bits. Introduces complexity in packet handling logic since packets have separate header sizes –Tracker recommendation to reject request. Changing control and data formats so fields are tailored to the header type (data or control) CON: small amount of redundant data doesn’t justify different header formats –Tracker recommendation to reject request. Add a Retry Number field CON: Doesn’t matter what the retry number is. Seq Num field is used to detect duplicate packets (retransmissions) –Tracker recommendation to reject request Req and Resp to share the same message type vs explicit request and response message types CON: Easier to read with explicit message types. –Tracker recommendation to reject request Increase the message type from 16 to 32 bits. COMMENT: WG List agreement that 16 bits is sufficient. Was originally increased from 8 bits. –Tracker recommendation to reject request New comments (not considered in 146) on WG list on 1/23/07: Message drop recovery? Message syntax version? Message source/target specification?

Packet Format Issues #127: Usage of the Session ID field Do we need a Session ID Field? FOR: Used to bind control & data channels together with a dual port architecture. FOR: Easier for NAT traversal and load balancing (source/destination ip address changes) Comment: Is this only needed for DTLS control messages? –Reply on list: This is independent of DTLS session. Change Session ID from 32 bits to 64 bit field FOR: harder to spoof the ID. Use keep alive packet as Session ID FOR: Put session ID in the payload of keep-alive message to manage NAT State. FOR: Use the keep alive function to bind control and data COMMENT: Do keep alive packets need to be sent if NAT is not detected? –Reply on List: Yes, needed on DC so that we don’t lose DC (black-hole) and can detect errors on DC. WG List: Proposed Text submitted for keep alive packet. No consensus yet.

Packet Format Issues #223: Description of the RID Field is unclear Clarify the case why we need RID field to support multiple radios that share the same MAC address. Comment: Explain the BSSID is not sufficient since there can be BSSID re-use across a/b/g WTP vendors. Comment: Accepted in tracker, no further comments on list. –Propose to List for General Consensus #230: Crypto Algorithms for DTLS Add AES-GCM with GMAC as mandatory mode FOR: Supported in IPSec (RFC 4106) and 802.1ae FOR: Significant performance improvements with AES-GCM to prepare for high throughput with upcoming n. Comment: This would require changes to TLS, but is a work in progress. Requires ECC instead or RSA, ECC is not mandatory now. –Propose to List for WG Consensus