Presentation is loading. Please wait.

Presentation is loading. Please wait.

BRSKI overview and issues

Published byDinah Lynch Modified over 5 years ago

Similar presentations

Presentation on theme: "BRSKI overview and issues"— Presentation transcript:

1 BRSKI overview and issues
Very short BRSKI overview. recap of incoming/outgoing discussion audit token, nonce-full/nonce-less versions online view, offline view ownership voucher details: Kent

2 The cast Manufacturer Manufacturer Authorized Signing Authority (MASA)
Registar Join Assistant/Proxy New Node (pledge) (ownership) voucher LL fe80::123->fe80::proxy ULA fd12:345::1-> registrar (circuit proxy, IPIP, NAT66)

3 Incoming (callhome) / Outgoing Debate
I-D.ietf-netconf -call-home 6tisch Will use incoming, With COMI+ System-keystore proxy Call Home -outgoing TCP, followed by swap of client/server Incoming pledge registrar Syn coap Syn/ack pledge registrar Syn ClientHello syn Syn/ack Syn/ack Outgoing ack TLS ClientHello SSH open pledge registrar syn Syn/ack Tcp client TLS server ANIMA Decided to stick With outgoing via proxy Ack TLS ClientHello

4 Audit tokens and ownership Mix of contradictory requirements!
Weak to no link to owner May be bearer token! Likely contains link to owner’s public key. May link to some DN/CN of owner Uses MASA to serve as registration, providing audit trail to subsequent “owners” Ownership Voucher Strong link to owner MASA either produces the voucher (possibly “online”), or provides access to already created voucher. MASA stores history of previous vouchers. (controversial), may include Voucher Revocation List!

5 Audit vs Ownership Voucher
YANG description module: ietf-voucher +--rw voucher Audit Ownership +--rw assertion trust anchor for Registrar +--rw trusted-ca-certificate id of Registrar +--rw certificate-id | +--rw cn-id? string | +--rw dns-id? string +--rw unique-id* id of Pledge +--rw nonce Real Time Clock proofing +--rw created-on if RTC available on Pledge +--rw expires-on +--rw revocation-location under consideration +--rw additional-data future proofing

6 Token Requirements Online validation
May include NEA-type assessment of current firmware of device (remote attestation) back to vendor. Strong connection to supply chain to provide proof of ownership. Offline validation Need to collect all Tokens/Vouchers onto stable storage for use offline. National security concerns, disaster recovery, protection against vendor going out of business Uncooperative/immature supply chain Need to include voucher in bearer token form inside packaging as QR code Supporting re-sale of devices, transitive trust of ownership vouchers

Download ppt "BRSKI overview and issues"

Similar presentations

Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Www.opendaylight.org Secure Network Bootstrapping Infrastructure May 15, 2014.

Secure Network Bootstrapping Infrastructure May 15, 2014.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA.

Zero Touch Provisioning for NETCONF/RESTCONF Call Home draft-ietf-netconf-zerotouch-02 NETCONF WG IETF #92 Dallas, TX, USA.
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.

Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
A RELOAD Usage for Distributed Conference Control (DisCo) – update – draft-knauf-p2psip-disco-00 draft-knauf-p2psip-disco-00 Alexander Knauf, Gabriel Hege,

A RELOAD Usage for Distributed Conference Control (DisCo) – update – draft-knauf-p2psip-disco-00 draft-knauf-p2psip-disco-00 Alexander Knauf, Gabriel Hege,
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.

Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Copyright © 2003-2004 B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall 2003 1 Security Systems Lecture notes Dr.

Copyright © B. C. Neuman, - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Fall Security Systems Lecture notes Dr.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!

Bootstrapping Key Infrastructures Max Pritikin IETF 91, 10 Nov 2014 Aloha!
Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.

Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.
1 Lecture 11 Public Key Infrastructure (PKI) CIS 4362 - CIS 5357 Network Security.

1 Lecture 11 Public Key Infrastructure (PKI) CIS CIS 5357 Network Security.
draft-kwatsen-netconf-zerotouch-01

draft-kwatsen-netconf-zerotouch-01
Network Layer4-1 DHCP: Dynamic Host Configuration Protocol Goal: allow host to dynamically obtain its IP address from network server when it joins network.

Network Layer4-1 DHCP: Dynamic Host Configuration Protocol Goal: allow host to dynamically obtain its IP address from network server when it joins network.
National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.

National Institute of Advanced Industrial Science and Technology Self-audit report of AIST GRID CA Yoshio Tanaka Information.
Unit 1: Protection and Security for Grid Computing Part 2

Unit 1: Protection and Security for Grid Computing Part 2

Similar presentations

Ads by Google