Secure Proxy ND Support for SEND draft-krishnan-csi-proxy-send-00


1 Secure Proxy ND Support for SEND draft-krishnan-csi-proxy-send-00
Proxying SEND messages
Suresh Krishnan, Julien Laganier, Marco Bonola
Ericsson AB 2008

2 SEND Assumptions
Sender of ND message is the address owner
ND message target address is a CGA
CGA derived from a public key.
Sender of ND message owns target address.
CGA Proof-of-ownership via proving possession of the corresponding private key, i.e. signing the message.

3 Different types of ND proxies
Sender of ND message is not the address owner
RFC3775: MIPv6 HA intercepts packet sent to a MIPv6 MN away from home by sending NAs on the behalf of the MN.
RFC4389: Bridging multiple L2 segments into one by rewriting L2 addresses in ND messages to be
RFC5213: PMIPv6 MAG sends NAs on behalf of the PMIPv6 LMA.

4 Secure Proxy ND Support for SEND
Separates the roles of ownership and advertiser.
The proxy is certified as part of the trusted infrastructure just like a SEND router.
The proxy is granted a certificate that specifies the range of addresses that it is allowed to proxy.
Hosts can use the same process to discover the certification path between a proxy and one of the host's trust anchors as the one defined for routers in RFC3971.

5 Operation Overview
Perform all the operations as per existing specs (RFC3775, RFC4389, RFC5213)
ND proxy provisioned with an authorization certificate [I-D.krishnan-cgaext-send-cert-eku]
Proxy Signature option (PSO)
Modified SEND processing rules for ND messages: NA, NS, RS, RA, and Redirect
A message with a valid PSO is considered secure even if it doesn't contain a CGA option

6 Secure Proxy ND Sender Processing Rules
If the ND message is locally generated, the message is constructed as per NDP [RFC4861].
If the ND message is forwarded, the authenticity of the intercepted message is verified as per SEND [RFC3971], then the intercepted message is modified as per ND Proxy [RFC4389].
CGA and RSA options are removed.
Proxy Signature option is added.

7 Modified SEND Receiver Processing Rules
An ND message without a PSO is treated as per SEND [RFC3971].
In an ND message with a PSO, the CGA and RSA options are ignored. If the PSO contains a valid signature and the IP address range encompasses the target address, the message is considered valid.

8 Backward Compatibility
Nodes that do not implement the modified receiving rules will ignore the PSO, and since the RSA and CGA options were removed, the message will be treated as insecure as per SEND [RFC3971].
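
The receiver rules on slides 7 and 8, as an added sketch that is not code from the draft or its authors. The message model, the verdict labels, the sample addresses and the signature predicates (stand-ins for real RSA/CGA verification) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NDMessage:
    target: str                                   # ND target address
    options: dict = field(default_factory=dict)   # option name -> value

def send_receive(msg, cga_rsa_ok):
    """RFC3971-only receiver: an unknown PSO is simply ignored."""
    if "CGA" in msg.options and "RSA" in msg.options:
        return "secured" if cga_rsa_ok(msg) else "failed"
    return "unsecured"                            # no SEND options present

def proxy_send_receive(msg, cert_prefixes, pso_sig_ok, cga_rsa_ok):
    """Modified receiver: when a PSO is present, CGA/RSA options are ignored."""
    if "PSO" not in msg.options:
        return send_receive(msg, cga_rsa_ok)
    # "failed" is this sketch's label; the slides do not say how a failed
    # PSO check is handled.
    if not pso_sig_ok(msg):                       # signature by the certified proxy
        return "failed"
    target = ipaddress.ip_address(msg.target)
    in_range = any(target in ipaddress.ip_network(p) for p in cert_prefixes)
    return "secured" if in_range else "failed"

def demo():
    # Constructed sample data: the prefix stands for the range in the proxy's
    # certificate, and the predicates stand in for signature verification.
    prefixes = ["2001:db8:1::/64"]
    pso_ok = lambda m: m.options.get("PSO") == "sig-by-proxy"
    cga_ok = lambda m: True
    proxied = NDMessage("2001:db8:1::10", {"PSO": "sig-by-proxy"})
    outside = NDMessage("2001:db8:2::10", {"PSO": "sig-by-proxy"})
    forged = NDMessage("2001:db8:1::10", {"PSO": "sig-by-other"})
    return {
        "in range, new node": proxy_send_receive(proxied, prefixes, pso_ok, cga_ok),
        "out of range, new node": proxy_send_receive(outside, prefixes, pso_ok, cga_ok),
        "bad signature, new node": proxy_send_receive(forged, prefixes, pso_ok, cga_ok),
        "in range, legacy node": send_receive(proxied, cga_ok),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The last case is the backward-compatibility outcome: the same proxied message that a modified receiver accepts as secured is only unsecured to a node that implements RFC3971 alone.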

9 Thanks Questions?

