1
Firewalls and GMPLS Networks: A token based approach
Firewall Issues Research Group meeting, OGF, Chapel Hill, NC - January 30th 2006. Leon Gommans, University of Amsterdam
2
Accessing GMPLS network resources.
Optical network connections are increasingly perceived as expensive and valuable resources. Optical connections might be hijacked in cases where it is difficult to separate “sheep” from “goat” application traffic (Matthew 25:32). GMPLS control plane signalling uses RSVP protocol requests (to open / keep a link), which are sent (over a secured channel) every few seconds: (re-)authorization of such requests must be simple and fast. RSVP enforcement therefore demands that complex authentication and authorization processes be performed separately and in advance. The token model allows such an approach; outsourcing models do not. Although RSVP signaling can be secured to some degree, the transport itself is not secured. Question: Can a firewall help?
3
Problem 1: “goat” applications can potentially use the storage service across the optical link after a “sheep” has opened the link. [Diagram labels: Application Host (Application A, Application B, Middleware, LSR Client), Storage Host (Storage, LSR Client), Control plane (LSRs), Data plane (Optical Switches)]
4
Problem 2: Multiple goat hosts can potentially use the same network link when a sheep application accesses the storage host. [Diagram labels: Host A (Application A, Application B, Middleware, LSR Client), Host X, Host Y, Storage Host (Storage, LSR Client), Control plane (LSRs), Data plane (Optical Switches)]
5
Typical setup: Sheep application A (or its Middleware) requests a network link via the AAA Service that governs the GMPLS network resource. [Diagram labels: Application Host (Application A, Application B, Middleware, LSR Client), AAA Server, Policy Enforcement Point, Storage Host (Storage, LSR Client), LSRs, Optical Switches]
6
Typical real setup: A firewall separates the public transit network from the application hosts. The firewall could also interact with the GMPLS network as a (proxy-) client. [Diagram labels: Campus Network with Host A (Application A, Application B, Middleware, LSR Client), Host X, Host Y; Firewall on each side of the Transit Network; Storage Host (Storage, LSR Client); Control plane (LSRs); Data plane (Optical Switches)]
7
Question: How should a firewall interact with GMPLS?
Application / Middleware may still have to talk to the same network resource authorization service. [Diagram labels: Campus Network with Host A (Application A, Application B, Middleware, LSR Client), Host X, Host Y; AAA Server; Policy Enforcement Point; Firewalls; Storage Host (Storage, LSR Client); Control plane (LSRs); Data plane (Optical Switches)]
8
The token concept [Diagram labels: User, Service Request, Authority, AuthZ info (e.g. time), Access Request, PEP]
9
Token inside GMPLS RSVP Path, generated by the LSR client
[Diagram labels: RSVP-TE PATH: Source Address, Destination Address, Request ID; RFC 2750 policy object: Request ID, Token; HMAC-SHA1; Token Key]
10
Token validation at the Policy Enforcement Point
[Diagram labels: RSVP-TE PATH (RFC 2750): Source Address, Destination Address, Request ID; Token verify (HMAC-SHA1); Schedule; Time slot verify]
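To make the token generation and validation slides concrete, here is an added Python example; it is not code from the presentation or from the PHOSPHORUS/DRAGON software. It assumes the token is an HMAC-SHA1 over the source address, destination address and request ID keyed with the token key, that the PEP's schedule maps a request ID to a reservation time slot, and that the PATH message and its RFC 2750 policy object have already been parsed into a dict. The field encoding, key, addresses and time window are constructed sample values.

```python
import hmac
import hashlib
import struct
import ipaddress
from datetime import datetime, timezone, timedelta


def token_input(src: str, dst: str, request_id: int) -> bytes:
    """Canonical byte string the HMAC-SHA1 is computed over.
    Encoding is an assumption: the slide names the fields, not their layout."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!I", request_id))


def generate_token(key: bytes, src: str, dst: str, request_id: int) -> bytes:
    """LSR client side: token = HMAC-SHA1(token key, src || dst || request ID)."""
    return hmac.new(key, token_input(src, dst, request_id), hashlib.sha1).digest()


def token_valid(key: bytes, src: str, dst: str, request_id: int, token: bytes) -> bool:
    """PEP side: recompute over the fields actually seen in the PATH message
    and compare in constant time, so a token bound to one source address
    cannot be reused from another host."""
    expected = generate_token(key, src, dst, request_id)
    return hmac.compare_digest(expected, token)


def time_slot_valid(schedule: dict, request_id: int, now: datetime) -> bool:
    """PEP side: the request ID must map to a reservation window containing now.
    The {request_id: (start, end)} schedule format is constructed for this example."""
    slot = schedule.get(request_id)
    if slot is None:
        return False
    start, end = slot
    return start <= now < end


def pep_decision(key: bytes, schedule: dict, path_msg: dict, now: datetime) -> tuple:
    """Evaluate one parsed RSVP-TE PATH message. Returns (accept, reason)."""
    src, dst, rid, tok = (path_msg["src"], path_msg["dst"],
                          path_msg["request_id"], path_msg["token"])
    if not token_valid(key, src, dst, rid, tok):
        return (False, "token does not match source/destination/request ID")
    if not time_slot_valid(schedule, rid, now):
        return (False, "request outside its scheduled time slot")
    return (True, "accept")


# --- constructed sample data -------------------------------------------
KEY = b"constructed-shared-token-key"      # shared by the authority and the PEP
SHEEP_SRC, STORAGE_DST, RID = "192.0.2.10", "198.51.100.20", 42
GOAT_SRC = "192.0.2.99"                      # a host that never obtained a token

SLOT_START = datetime(2006, 1, 30, 9, 0, tzinfo=timezone.utc)
SCHEDULE = {RID: (SLOT_START, SLOT_START + timedelta(hours=1))}

SHEEP_PATH = {"src": SHEEP_SRC, "dst": STORAGE_DST, "request_id": RID,
              "token": generate_token(KEY, SHEEP_SRC, STORAGE_DST, RID)}
# The same token presented from a different (goat) source address
GOAT_PATH = dict(SHEEP_PATH, src=GOAT_SRC)


def run_scenarios() -> dict:
    """The three cases a PEP sees: valid request, replayed token, expired slot."""
    in_slot = SLOT_START + timedelta(minutes=10)
    after_slot = SLOT_START + timedelta(hours=2)
    return {
        "sheep_in_slot": pep_decision(KEY, SCHEDULE, SHEEP_PATH, in_slot)[0],
        "goat_replay": pep_decision(KEY, SCHEDULE, GOAT_PATH, in_slot)[0],
        "sheep_after_slot": pep_decision(KEY, SCHEDULE, SHEEP_PATH, after_slot)[0],
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'ACCEPT' if accepted else 'REJECT'}")
```

The two checks are deliberately independent: the HMAC binds the token to the addresses and request ID in the PATH message, while the schedule lookup enforces the time authorization the AAA authority granted, so the PEP needs only a shared key and a schedule to re-authorize each periodic RSVP refresh without contacting the authority.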
11
A possible way to interact
[Diagram labels: steps 1 to 6 between Host A (Application A, Application B, Middleware, LSR Client), AAA Server, Policy Enforcement Point, Firewalls (“+ rule” at each firewall), Control plane (LSRs), Data plane (Optical Switches), Storage Host (Storage, LSR Client), Host X, Host Y, Campus Network; the text of the numbered steps is not present in the transcript]
12
Plans: Approaches will be researched in the EU IST PHOSPHORUS project using GMPLS software developed in the NSF DRAGON project. Firewall GMPLS signaling concepts will be implemented using the IETF ForCES architecture, deploying an Intel IXP NPU development platform in collaboration with Hitachi European Laboratory and the University of Patras in Greece. Integrate the meta-scheduler deployed in the German VIOLA project as requestor of the network resource. Considering integration with Intrusion Detection work performed in the EU IST NextGrid project to signal and identify “goat” requests. Demo planned at SuperComputing ’07.