Lucy Yong lucy.yong@huawei.com Tom Herbert therbert@google.com Generic UDP Encapsulation (GUE) for Network Virtualization Overlay (NVO) draft-hy-nvo3-gue-4-nvo-00.

Slides:

Advertisements

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

Advertisements

TRILL Header Extension Simplifications Donald Eastlake 3 rd Huawei Technologies 1July 2011.

Internet Protocol Security (IP Sec)

IPv6 Keith Wichman. History Based on IPv4 Based on IPv4 Development initiated in 1994 Development initiated in 1994.

IP Version 6 Next generation IP Prof. P Venkataram ECE Dept. IISc.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

IPSec In Depth. Encapsulated Security Payload (ESP) Must encrypt and/or authenticate in each packet Encryption occurs before authentication Authentication.

IPSec: Authentication Header, Encapsulating Security Payload Protocols CSCI 5931 Web Security Edward Murphy.

Agenda Virtual Private Networks (VPNs) Motivation and Basics Deployment Topologies IPSEC (IP Security) Authentication Header (AH) Encapsulating Security.

Security at the Network Layer: IPSec

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.

Henric Johnson1 Chapter 6 IP Security. Henric Johnson2 Outline Internetworking and Internet Protocols IP Security Overview IP Security Architecture Authentication.

IP Security IPSec 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

By Rod Lykins.  Background  Benefits  Security Advantages ◦ Address Space ◦ IPSec  Remaining Security Issues  Conclusion.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Internet Protocol Security (IPSec)

VPN TUNNELING PROTOCOLS PPTP, L2TP, L2TP/IPsec Ashkan Yousefpour Amirkabir University of Technology.

CS 6401 IPv6 Outline Background Structure Deployment.

Protocol Basics. IPSec Provides two modes of protection –Tunnel Mode –Transport Mode Authentication and Integrity Confidentiality Replay Protection.

The OSI Reference Model Key concepts: Layers Communications between two adjacent layers Encapsulation Multiplexing and demultiplexing Tunneling.

Introduction to IPv6 NSS Wing,BSNL Mobile Services, Ernakulam 1.

1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.

NVO3 dataplane encapsulation requirements discussion Erik Nordmark, Arista Networks.

1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

CSCE 715: Network Systems Security

McGraw-Hill © ©The McGraw-Hill Companies, Inc., 2004 Chapter 31 Security Protocols in the Internet.

IPSec IPSec provides the capability to secure communications across a LAN, across private and public wide area networks (WANs) and across the Internet.

Karlstad University IP security Ge Zhang

Security Requirements of NVO3 draft-hartman-nvo3-security-requirements-01 S. Hartman M. Wasserman D. Zhang 1.

IPSec ● IP Security ● Layer 3 security architecture ● Enables VPN ● Delivers authentication, integrity and secrecy ● Implemented in Linux, Cisco, Windows.

FINAL YEAR PROJECT. FINAL YEAR PROJECT IMPLEMENTATION OF VPN USING IPSEC.

Virtual Private Network. ATHENA Main Function of VPN  Privacy  Authenticating  Data Integrity  Antireplay.

Chapter 8 IP Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.

IP security Ge Zhang Packet-switched network is not Secure! The protocols were designed in the late 70s to early 80s –Very small network.

PGP & IP Security  Pretty Good Privacy – PGP Pretty Good Privacy  IP Security. IP Security.

Encapsulated Security Payload Header ● RFC 2406 ● Services – Confidentiality ● Plus – Connectionless integrity – Data origin authentication – Replay protection.

1 Lecture 13 IPsec Internet Protocol Security CIS CIS 5357 Network Security.

By Mau, Morgan Arora, Pankaj Desai, Kiran.  Large address space  Briefing on IPsec  IPsec implementation  IPsec operational modes  Authentication.

Virtual Private Networks Ed Wagner CS Overview Introduction Types of VPNs Encrypting and Tunneling Pro/Cons the VPNs Conclusion.

Authentication Header ● RFC 2402 ● Services – Connectionless integrity – Data origin authentication – Replay protection – As much header authentication.

Security IPsec 1 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Cryptography and Network Security (CS435) Part Thirteen (IP Security)

IPSec  general IP Security mechanisms  provides  authentication  confidentiality  key management  Applications include Secure connectivity over.

1 Header Compression over IPsec (HCoIPsec) Emre Ertekin, Christos Christou, Rohan Jasani {

IPSec – IP Security Protocol By Archis Raje. What is IPSec IP Security – set of extensions developed by IETF to provide privacy and authentication to.

IPSec is a suite of protocols defined by the Internet Engineering Task Force (IETF) to provide security services at the network layer. standard protocol.

Network Layer Security Network Systems Security Mort Anvari.

IPSEC Modes of Operation. Breno de MedeirosFlorida State University Fall 2005 IPSEC  To establish a secure IPSEC connection two nodes must execute a.

Inter-AS Option C between NVO3 and BGP/MPLS IP VPN network draft-hao-bess-inter-nvo3-vpn-optionc-00 Weiguo Hao Lucy Yong Susan Hares Nov, 2014 Honolulu.

IP Fragmentation. Network layer transport segment from sending to receiving host on sending side encapsulates segments into datagrams on rcving side,

CSCI 465 Data Communications and Networks Lecture 26

VPNs & IPsec Dr. X Slides adopted by Prof. William Enck, NCSU.

IPSec Detailed Description and VPN

UNIT 7- IP Security 1.IP SEC 2.IP Security Architecture

Chapter 18 IP Security  IP Security (IPSec)

Network Security (contd.)

Security Protocols in the Internet

NVO3 Data Plane Discussion

Presentation transcript:

Lucy Yong lucy.yong@huawei.com Tom Herbert therbert@google.com Generic UDP Encapsulation (GUE) for Network Virtualization Overlay (NVO) draft-hy-nvo3-gue-4-nvo-00 Lucy Yong lucy.yong@huawei.com Tom Herbert therbert@google.com * Here to present November 2014 Honolulu USA

Generic UDP Encapsulation (GUE) Design for tunneling a network protocol & network virtualization Generic and extensible for a wide range of UDP tunnel applications Provide enhanced UDP tunnel transport to meet various environments Aim to unified method for DCs, (get rid of many silo methods) Have a GUE header after UDP header specify 5 key common fields in base header applying to for all applications provide extensible structure for tunnel transport and tunnel applications UDP Header GUE Header

GUE for Network Virtualization Allocate one flag bit, ‘v’, from GUE undefined flag field for NVO Define Virtual Network Identifier (VN ID) field (32 bits) that associates w/ ‘v’ flag MUST present when flag ‘v’ is set, MUST NOT present when clear Specify use of GUE secure transport in NVO (optional) VN ID is critical data for virtual network isolation, need to be secure Specify the value choice of the fields of UDP/GUE header for NVO UDP Header GUE Header For the detail, read draft-hy-nvo3-gue-4-nvo

GUE for NVO Design Merits Use of unified UDP tunnel transport in DCs With rich set of transport features such as security, offload VN ID is in option field, extensible in future, e.g. Define a new option to supersede it or New flag to add more bits, e.g. 64 No requirement on VN ID structure, local site matter Fully compliant with NVO3 architecture Potential for extensibility in future Read draft-herbert-gue-02 for more information

Generic UDP Encapsulation (GUE) For Secure Transport draft-hy-gue-4-secure-transport-00 Lucy Yong lucy.yong@huawei.com Tom Herbert therbert@google.com November 2014 Honolulu USA

GUE for Secure Transport Secure Transport over IP networks is important Generic UDP encapsulation provides UDP tunnel transport for arbitrary applications Secure UDP tunnel transport for the applications are very important in some environment Present as optional feature for the applications Secure UDP tunnel transport provides integrity and authentication of the GUE header

GUE for Secure Transport Schema Allocate two flags ‘SEC’ from GUE undefined flag fields for secure transport Specify ‘SEC’ flags as of: o 00 - No security field o 01 - 64 bit security field o 10 - 128 bit security field o 11 - 256 bit security field Specify the Security field that MUST be present if ‘SEC’ is set UDP Header GUE Header

GUE for Secure Transport UDP tunnel ingress and egress MUST negotiate the values in the security field of GUE header UDP tunnel egress MUST perform security validation before the payload process GUE may be used to encapsulate IPsec packets Benefit: providing a flow hash for the inner packets The value in GUE security field may be a cookie The value in GUE security field may be the secure hash For the detail, read: draft-herbert-gue-02 draft-hy-gue-4-secure-transport-00