Security Threats and Security Requirements for the Access Node Control Protocol (ANCP) IETF 68 - ANCP WG March 18-23, 2007 draft-ietf-ancp-security-threats-00.txt

Outline
  History of the draft
  Objectives
  Overview and threat model
  Changes since last version
    – Organization
    – Definitions
    – Attacks classification
    – Security requirements modification

History of The Draft
  July 2006 (IETF 66th, Montreal):
    – Need for threat analysis and security requirements
    – Call for contributors
  October 2006:
    – Submission: draft-moustafa-ancp-security-threats-00
  November 2006 (IETF 67th, San Diego):
    – Draft presentation and feedback
    – Consensus for WG document
  December 2006:
    – New version submission: draft-ietf-ancp-security-threats-00

Objectives
  Investigating security threats that ANCP nodes could encounter and developing a threat model at the ANCP level.
  Deriving the security requirements for the ANCP.
  Out of scope:
    – Security policy negotiation, including authentication and authorization to define per-subscriber policy at the AAA/policy server

Overview and Threat Model

                                            +--------+
                                            |  AAA   |
                                            | Server |
                                            +--------+
                                                |
  +-----+   +-----+   +--------+   +-----+      |     +----------+
  | CPE |---| HGW |---|        |   |     |------+     |          |
  +-----+   +-----+   | Access |   |     |            |          |
                      |  Node  |---| NAS |------------| Internet |
  +-----+   +-----+   |  (AN)  |   |     |            |          |
  | CPE |---| HGW |---|        |   |     |            |          |
  +-----+   +-----+   +--------+   +-----+            +----------+

  Attackers can be either on-path or off-path, and either active or passive.
  Threat Model:
    – Off-path adversary at the CPE or HGW
    – Off-path adversary on the Internet or a Regional Network
    – On-path adversary at the network elements between the AN and the NAS
    – Adversary taking control over the NAS
    – Adversary taking control over the AN

Changes since last version 1/4
  Re-wording and re-phrasing
  Definition of the CPE
    – "Device located inside a subscriber's premise that is connected to the LAN side of the HGW"
  Attacks classification
    – Attacks disrupting the communication of individual customers
    – Attacks disrupting the communication of a large fraction of customers
    – Attacks gaining profit for the attacker

Changes since last version 2/4
  Potential attacks re-formulation (Section 5 in last version)
    – Attack types (Section 5 in current version)
    – Attack forms (Section 6 in current version)
    – Removing "Network Snooping" (Section 5.7 in last version)
  Attack Types (Section 5)
    – DoS
    – Integrity violation
    – Downgrading
    – Traffic analysis
  Attack Forms (Section 6)
    – Message replay
    – Faked message injection
    – Message modification
    – Man-in-the-middle
    – Eavesdropping

Changes since last version 3/4
  Clarification of AAA server in-scope/out-of-scope issues (Section 7 in current draft)
    – Out of scope: the user's authentication process, how the user gets authenticated, and how the AAA server gets the authorization data
    – In scope: attacks concerning the communication between the NAS and the AAA server, once the AAA server has the authentication data
  Attacks Against ANCP Defined Use Cases (Section 7 in the current draft):
    – Re-organization and some revisions
    – Major changes:
      Dynamic access loop attributes use case:
        – Downgrading caused by a man-in-the-middle attack
        – Removing network snooping from on-path and off-path passive attacks
      Access loop configuration use case:
        – On-path passive attacks learning the configuration attributes

Changes since last version 4/4
  Security requirements update
    – The protocol solution MUST offer authentication of the AN to the NAS
    – The protocol solution MUST offer authentication of the NAS to the AN
    – The protocol solution MUST allow authorization to take place at the NAS and at the AN
    – The protocol solution MUST offer replay protection
    – The protocol solution MUST provide data origin authentication
    – The protocol solution MUST be robust against DoS attacks
    – The protocol solution SHOULD offer confidentiality protection
    – The protocol solution SHOULD distinguish the control messages from the data
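As an added illustration (not the draft's proposed mechanism and not ANCP's real message format), the following constructed Python shows how the replay-protection and data-origin-authentication requirements above catch the message replay, message modification and faked message injection attack forms listed in Section 6. The frame layout, the shared key and the payload strings are assumptions made for the demo.

```python
import hashlib, hmac, struct

# Constructed illustration (not ANCP's real message format and not the
# mechanism the draft proposes): each control frame carries a per-direction
# sequence number and an HMAC-SHA256 tag computed under a key shared by the
# AN and the NAS. The tag gives data origin authentication and integrity,
# the sequence number gives replay protection.
KEY = b"example-shared-key"   # placeholder, constructed for the demo
TAG_LEN = 32

def build(seq, payload, key=KEY):
    """Frame = 4-byte big-endian sequence number || payload || HMAC tag."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Receiving side: remembers the highest sequence number accepted."""
    def __init__(self, key=KEY):
        self.key = key
        self.last_seq = -1

    def accept(self, frame):
        """Return a verdict string; state is updated only for accepted frames."""
        if len(frame) < 4 + TAG_LEN:
            return "truncated"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad tag"        # modified or faked (injected) message
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self.last_seq:
            return "replay"         # message replay of an old frame
        self.last_seq = seq
        return "ok"

def demo():
    """Run the attack forms of Section 6 against one receiver."""
    rx = Receiver()
    verdicts = {}
    genuine = build(1, b"line-config id=7 rate=8192")   # constructed payload
    verdicts["genuine"] = rx.accept(genuine)
    verdicts["replay"] = rx.accept(genuine)              # same frame again
    tampered = bytearray(build(2, b"line-config id=7 rate=8192"))
    tampered[-TAG_LEN - 1] ^= 0x01                       # flip a payload bit
    verdicts["modified"] = rx.accept(bytes(tampered))
    faked = build(3, b"line-config id=7 rate=0", key=b"not-the-real-key")
    verdicts["faked"] = rx.accept(faked)                 # off-path injection
    verdicts["next"] = rx.accept(build(2, b"line-config id=7 rate=8192"))
    return verdicts
```

A shared symmetric key only ties a frame to one of the two key holders, so the mutual AN/NAS authentication, confidentiality and DoS-robustness requirements above are not addressed by this block.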

Next Step
  Soliciting comments
  Considering the WG position for the Multicast use case
  Asking for Last Call (LC)