
1 Secure Mobile Architecture (SMA) – Secure Multi-Net Handoff, May 2007 SMA Demo
Richard Paine, Boeing (SMA Demo Team, Math & Computing Technologies)
doc.: IEEE 802.11-07/757r0, Submission, May 2007

2 Agenda
- Motivation and Problem Statement
- Review of SMA Components
  - Public Key Infrastructure (PKI)
  - Host Identity Protocol (HIP)
  - Network Directory Service (NDS)
  - Location Enabled Network Service (LENS)

3 SMA Motivation and Problem Statement
- BCAG business segment need: total secure communications in the factory (cellular, WLAN, fixed wireless, cable replacements, roaming across subnets)
- IDS business segment need: secure mobile communications (multi-level security, ad hoc, cross-subnet roaming, discovery)
- Works with any MAC, has a uniform method of security, and handles layer 2 mobility
- Utilizes cryptographic identities and authorization
- Addresses most major communications and security concerns in networking
- Need to treat IP as an insecure transport layer
- Secures both wired and wireless (as in VoIP calls)

4 What is “SMA”?
Secure: cryptographic identities are associated with each and every packet.
Mobile: mobility-driven address changes are transparent to applications and connections.
Architecture: significantly improves our enterprise network architecture by providing:
- Improved flexibility and agility
- Network-enforced, end-to-end security
- Centralized access control with delegated authority
- Reduced operational cost and complexity
- Uniform internal/external access method

5 Agenda (section marker; same list as slide 2)

6 SMA Elements: PKI (Public Key Infrastructure), HIP (Host Identity Protocol), NDS (Network Directory Services) and LENS (Location-Enabled Network Services) together make up SMA (Secure Mobile Architecture)

7 SMA Elements: PKI (section marker; element list as on slide 6)

8 SMA Elements: PKI – TempCert Provisioning Process
Diagram: the Client (holding a badge cert and a temp cert) talks to the RA over an SSL/TLS tunnel; the RA is backed by the Boeing PKI and SLDAP.
1) Badge used for client authentication; TempCert request sent to RA
2) RA issues TempCert
3) Client has TempCert available for 8-16 hours

9 SMA Elements: HIP (section marker; element list as on slide 6)

10 SMA Elements: HIP – HIP Overview
Background
- Original concept developed by Bob Moskowitz
- Experimental RFCs now in last call in the IETF
- Boeing heavily involved in RFC development (Tom Henderson)
  - Linux implementation released as open source
  - Windows implementation soon to be released
- Other major players: Cisco, Ericsson, NEC, Siemens, NTT DoCoMo, universities
HIP provides opportunistic pair-wise SAs
- Somewhat like IPsec
- Client cert retrieved from LDAP directory
- SA based on identity, not IP address
- SA established/managed by an IP control channel
- SA data flows in ESP packets over IP
- Mobility events handled in the IP stack via HIP UPDATE packets

11 SMA Elements: HIP – HIP-Enabled Secure Communications
Diagram: Initiator and Responder each run an Application and a HIP Daemon (with Key Engine) in user space, and an IP stack with IPsec in kernel space, joined by the PF_INET, PF_KEY and PF_RAW sockets. The HIP daemons perform the HIP handshake; data then flows as IPsec ESP, identified by SPI, not IP address.

12 SMA Elements: HIP
Packet layout: IP header | IPsec (ESP) | encrypted header and transport payload
Host Identity (HI) is a public/private key pair:
- Identity defined by the holder of the private key
- Public key used by others to authenticate control messages
- SHA-1 hash of the public key forms a “Host Identity Tag (HIT)”
  - used where 128-bit fields are needed
  - self-referential (i.e., the HIT can be securely used instead of the HI, because anyone who later receives the HI can recompute the HIT and check it)
- HIT is implied by the SPI value in the IPsec header
- HIP itself incurs no per-packet overhead beyond the ESP encapsulation
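The HIT derivation and the SPI-keyed association handling described on slides 10-12, as an added example (not Boeing's code and not the OpenHIP implementation). It follows the ORCHID construction of RFC 4843 with the HIP context ID from RFC 5201 as the editor recalls them (28-bit prefix 2001:10::/28 followed by the middle 100 bits of SHA-1(context ID || HI)); verify the bit positions against the RFCs before relying on them. The HOST_ID bytes, SPI, addresses and the HMAC-only authentication of the UPDATE (a real HIP UPDATE also carries a HIP_SIGNATURE) are constructed simplifications for the example.

```python
"""HIT derivation and SPI-keyed SA handling for a HIP host (added example)."""
import hashlib
import hmac
import ipaddress
import os

# ORCHID prefix 2001:10::/28 (RFC 4843) as its 28-bit integer value
ORCHID_PREFIX = 0x2001001
# HIP context ID from RFC 5201 section 3.2 (assumption: verify against the RFC)
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")


def hit_from_hi(hi: bytes) -> ipaddress.IPv6Address:
    """HIT = prefix (28 bits) || middle 100 bits of SHA-1(context_id || HI)."""
    digest = int.from_bytes(hashlib.sha1(HIP_CONTEXT_ID + hi).digest(), "big")
    middle100 = (digest >> 30) & ((1 << 100) - 1)   # drop 30 low bits, keep 100
    return ipaddress.IPv6Address((ORCHID_PREFIX << 100) | middle100)


def hit_matches_hi(hit: str, hi: bytes) -> bool:
    """Self-referential check: a responder recomputes the HIT from the HOST_ID it received."""
    return ipaddress.IPv6Address(hit) == hit_from_hi(hi)


class HipSa:
    """One pair-wise association. The ESP SPI is the lookup key; the peer's
    IP address is mutable state that may change on a mobility event."""

    def __init__(self, spi: int, peer_hit: ipaddress.IPv6Address,
                 peer_addr: str, hmac_key: bytes):
        self.spi = spi
        self.peer_hit = peer_hit
        self.peer_addr = peer_addr     # last verified locator
        self.hmac_key = hmac_key       # integrity key from the base exchange (simplified)
        self.pending = None            # (candidate_addr, echo_nonce) awaiting proof


class HipHost:
    def __init__(self):
        self.inbound = {}  # SPI -> HipSa

    def add_sa(self, sa: HipSa) -> None:
        self.inbound[sa.spi] = sa

    def classify_esp(self, spi: int, src_addr: str):
        """Map an inbound ESP packet to a peer HIT by SPI alone; the IP source
        address is untrusted and may legitimately differ after a handoff."""
        sa = self.inbound.get(spi)
        return None if sa is None else sa.peer_hit

    @staticmethod
    def update_mac(key: bytes, spi: int, new_addr: str) -> bytes:
        """HMAC over the UPDATE fields (constructed encoding for this example)."""
        return hmac.new(key, f"UPDATE|{spi}|{new_addr}".encode(), hashlib.sha1).digest()

    def on_update_locator(self, spi: int, new_addr: str, mac: bytes):
        """Peer announces a new locator (HIP UPDATE with LOCATOR). Accept it only
        if the HMAC verifies under the SA's key, and even then do not switch yet:
        return the nonce to send in an ECHO_REQUEST to the claimed address."""
        sa = self.inbound.get(spi)
        if sa is None or not hmac.compare_digest(
                self.update_mac(sa.hmac_key, spi, new_addr), mac):
            return None                      # unknown SA or forged UPDATE: ignore
        nonce = os.urandom(16)
        sa.pending = (new_addr, nonce)
        return nonce

    def on_echo_response(self, spi: int, from_addr: str, nonce: bytes) -> bool:
        """Return-routability proof: the nonce must come back from the new address."""
        sa = self.inbound.get(spi)
        if sa is None or sa.pending is None:
            return False
        new_addr, expected = sa.pending
        if from_addr != new_addr or not hmac.compare_digest(expected, nonce):
            return False
        sa.peer_addr = new_addr              # locator switches only now
        sa.pending = None
        return True


if __name__ == "__main__":
    # Constructed stand-in for a DNS-format RSA HOST_ID; not a real key
    hi = b"\x00\x03\x01\x01" + bytes(range(64))
    hit = hit_from_hi(hi)
    host = HipHost()
    host.add_sa(HipSa(0x1234, hit, "130.42.32.10", b"k" * 20))
    print(hit, host.classify_esp(0x1234, "10.0.0.5"))
```

The two checks worth noting are that classify_esp never consults the IP header, which is what makes the handoff invisible to the application, and that an UPDATE only moves the locator after the echo round trip, so an authenticated peer cannot redirect its own flow onto a third party's address it cannot receive at.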

13 SMA Elements: NDS (section marker; element list as on slide 6)

14 SMA Elements: NDS
- Support for real-time endpoint mobility and location data
- Future integration with Boeing DNS and directory (CED, NAMS-ng) infrastructure
Diagram (Directory Information Flow): Enterprise DNS Proxy, Security Perimeter, Virtual Directory, SLDAP, Client, Policy Decision Daemon, Middleboxes, Client DNS, DDNS, Location Server

15 SMA Elements: NDS – Two-Stage Client Provisioning
Generic ISP provisioning process: Client, 802.11 Access Point, DHCP Server, AAA Server
Enterprise provisioning process: Client, RA (over TLS), Directory, DNS, SLDAP
1) HardCert authentication for TempCert
2) Identity → IP update in Directory

16 SMA Elements: LENS (section marker; element list as on slide 6)

17 SMA Elements: LENS – Boeing Intranet Location Architecture
Diagram: Location Computation Server, Directory, Location Distribution Server & Policy, Location Requesting Client, Passive Tag Gate, AAA Server

18 SMA Elements (section marker; element list as on slide 6)

19 What has Changed between 2004 and 2006 Demos
2004
- PKI: Smart Cards, Temp Certs, Boeing PKI
- HIP: Linux Client (open source), HIP Web Server
- NDS: Location-Based Policy Enforcement (polling LDAP)
- LENS: Simulated Location Server
2005
- PKI: No change
- HIP: Windows XP Client (open source), Endbox, Cellular to WLAN Handoffs
- NDS: Location-Based Policy Enforcement (pub-sub using IBM MQ Series), scales to enterprise
- LENS: AeroScout Location Server (Blv & 40-26), location events through pub-sub, live location updates
2006
- PKI: TCG Recommendations
- HIP: Mobile Demo, Secure SCADA on 777 Crawlers, VoIP Handoffs
- NDS: Network Location Service (NLS)
- LENS: No change

20 Agenda
- SMA Technology Transfer
- Location
- Secure Layer 2 Mobility
- Pub-Sub
- SMA Policy-Based Networking Using Location
- Endbox
- Secure VoWLAN
- SMA in the Boeing Enterprise and Battlespace
- CY’07 plans
- Q & A

21 Everett Manufacturing Site: WLAN 802.11-based RTLS/LENS Pilot

22 Everett 40-26 (TDOA): time synchronizers and TDOA location devices (photo)

23 RFID Components
- Active tags send an identifier string
  - AeroScout: unique 802.11 MAC address
  - Programmable “chirp” rate
- Location is computed using a combination of
  - Signal strength measurements (both Cisco APs and AeroScout “Location Receivers”)
  - Time-of-flight triangulation (strictly, TDOA multilateration from time-synchronized receivers); AeroScout “Location Receivers” only; we expect this capability to be added to Cisco APs in a few years
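How a TDOA fix is solved from the arrival timestamps of one tag chirp at time-synchronized receivers, and the consistency check a location-based policy engine should apply before acting on the fix, as an added example (not AeroScout's or Boeing's code). The solver is a plain Gauss-Newton least-squares fit written by the editor for this page; receiver coordinates, the tag position and the timestamps are constructed. The point of the residual is that the tag's identifier is just a MAC address, so the fix is only as trustworthy as the measurements: a mis-synchronized receiver, multipath, or an injected reading shows up as timestamps no single position can satisfy.

```python
"""TDOA tag localization with a post-fit residual check (added example)."""
import math

C = 299_792_458.0      # propagation speed, m/s
MAX_STEP_M = 20.0      # cap on one Gauss-Newton step so a poor start cannot diverge


def _dist(a, b):
    return max(math.hypot(a[0] - b[0], a[1] - b[1]), 1e-9)


def arrival_times(receivers, tag_pos, t0=0.0):
    """Synthesize arrival timestamps (s) for a chirp emitted at t0 from tag_pos."""
    return [t0 + _dist(tag_pos, r) / C for r in receivers]


def tdoa_residuals(receivers, times, pos):
    """Range-difference residuals (m) of pos against each non-reference receiver."""
    d0 = _dist(pos, receivers[0])
    return [(_dist(pos, r) - d0) - C * (t - times[0])
            for r, t in zip(receivers[1:], times[1:])]


def tdoa_locate(receivers, times, guess=None, iters=100):
    """Solve the 2-D tag position from TDOA; returns (x, y, rms_residual_m).

    At least 4 receivers are required so that one range-difference equation is
    redundant and the residual actually measures inconsistency of the inputs.
    """
    if len(receivers) < 4 or len(receivers) != len(times):
        raise ValueError("need >= 4 synchronized receivers, one timestamp each")
    if guess is None:
        n = len(receivers)
        guess = (sum(r[0] for r in receivers) / n, sum(r[1] for r in receivers) / n)
    x, y = guess
    ref, t_ref = receivers[0], times[0]
    for _ in range(iters):
        d0 = _dist((x, y), ref)
        u0 = ((x - ref[0]) / d0, (y - ref[1]) / d0)     # unit vector ref -> pos
        a11 = a12 = a22 = b1 = b2 = 0.0                # normal equations J'J, J'f
        for r, t in zip(receivers[1:], times[1:]):
            di = _dist((x, y), r)
            jx = (x - r[0]) / di - u0[0]               # d/dx of (|p-ri| - |p-r0|)
            jy = (y - r[1]) / di - u0[1]
            f = (di - d0) - C * (t - t_ref)            # residual for this receiver
            a11 += jx * jx; a12 += jx * jy; a22 += jy * jy
            b1 += jx * f; b2 += jy * f
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:                           # degenerate geometry
            break
        dx = -(a22 * b1 - a12 * b2) / det              # solve J'J [dx dy]' = -J'f
        dy = -(a11 * b2 - a12 * b1) / det
        step = math.hypot(dx, dy)
        if step > MAX_STEP_M:
            dx, dy = dx * MAX_STEP_M / step, dy * MAX_STEP_M / step
        x, y = x + dx, y + dy
        if step < 1e-6:
            break
    res = tdoa_residuals(receivers, times, (x, y))
    rms = math.sqrt(sum(e * e for e in res) / len(res))
    return x, y, rms


def demo():
    """Constructed factory bay: five receivers, tag at (22.5, 17.0) m."""
    receivers = [(0.0, 0.0), (60.0, 0.0), (0.0, 40.0), (60.0, 40.0), (30.0, 10.0)]
    times = arrival_times(receivers, (22.5, 17.0), t0=1.0e-3)
    good = tdoa_locate(receivers, times)
    bad_times = list(times)
    bad_times[2] += 100e-9        # one receiver 100 ns off: about 30 m of range error
    bad = tdoa_locate(receivers, bad_times)
    return good, bad


if __name__ == "__main__":
    for label, (x, y, rms) in zip(("consistent", "inconsistent"), demo()):
        print(f"{label}: x={x:.2f} m y={y:.2f} m rms_residual={rms:.2f} m")
```

A policy decision daemon consuming these fixes should treat the residual as part of the event: a fix with an RMS residual of tens of metres in a bay where the receivers are a few tens of metres apart says nothing reliable about which zone the tag is in, and should not unlock a zone-restricted association.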

24 Everett Location Policy Enforcement (site map)

25 C17 Factory

26 F15/F18 Factory

27 Other Factories to Get NLS: Fredrickson, Auburn, Everett

28 Agenda (section marker; same list as slide 20)

29 2005 SMA Cellular to WLAN Handoff
Real-time WLAN/Cellular mobility demonstration
Diagram: SMAmobile, AP, 130.42.32.0/24, Directory, Cisco Switch, TempCert RA, LPDD, Bellevue AAA Server, PKI, Internet, Netscreen, MSC, IP Address A, IP Address B; PW namespace: mct.phantomworks.org

30 2006 SMA Secure VOIP Handoff
Diagram: smamobiles, AAA Server, DNS (namespace: mobile.tl.boeing.com), Router, Twr, smaX. WiMAX side: Msg Brkr, Directory, DNS, WiMAX Switch, TempCert RA, Location Server, LPDD, HIP SA, AP. WiFi side: SMAx VOIP, Msg Brkr, Directory, DNS, WiFi Switch, TempCert RA, Location Server, LPDD, Smamobiles VOIP, HIP SA. Also: Navy PKI, Cellular, Smamobile (HIP SA), Robot Controller, Robots (HIP SA).

31 2007 SMA VoWLAN for FactoryNet
Diagram: smamobiles, Boeing Intranet, AAA Server, DNS (namespace: mobile.tl.boeing.com), Router, Twr, smaX. WiMAX side: Msg Brkr, Directory, DNS, WiMAX Switch, TempCert RA, Location Server, LPDD, HIP SA, AP. WiFi side: SMAx VOIP, Msg Brkr, Directory, DNS, WiFi Switch, TempCert RA, Location Server, LPDD, Smamobiles VOIP, HIP SA. Also: Navy PKI, Cellular, Smamobile (HIP SA), Internet, Robot Controller, Robots (HIP SA).

32 Agenda (section marker; same list as slide 20)

33 2004 SMA Directory Service
Diagram (2004): LDAP (Status, Policies, Locations), Decision Daemon, Client (status updates), Sim LS (simulated location server), DNS (IP, Locations)

34 Prototype Pub-Sub Messaging Architecture
Diagram: Message Broker Infrastructure with Connectors for the RTLS Location Server, the Passive Tag DCS and the Barcode Scanner DCS; Content Subscription Manager holding Content Subscriptions; RDBMS Connector; Event Consumer; SQL Connector (possible future enhancement)

35 Pub-Sub Detail for FactoryNet RTLS Location
Diagram: Message Broker Infrastructure with Connectors for the RTLS Location Server, Sensor Server and RFID Server; Content Subscription Manager (Content Subscriptions); LDAP Connector; Event Consumer; Decision Daemon (interest updates, policy, initial query/response, status, locations, status updates) feeding HIPD
First year: polling; second year: pub-sub

36 Agenda (section marker; same list as slide 20)

37 Asset Tracking and Supply Chain Vision
(Slide reused from Wireless_Application_Group_(WAG)_Vision_and_Arch_6-9-05.ppt, slide 43; Boeing Technology | Phantom Works, E&IT | Mathematics and Computing Technology; Copyright © 2004 Boeing. All rights reserved.)
Diagram: Location Computation Server, Directory, Location Distribution Server & Policy, Location Requesting Client, Passive Tag Gate(s), Boeing Intranet, RFID Information Repository, AAA Server, Enterprise RLAN/RFID Management Council, Enterprise RLAN/RFID Technical Council
- 866-957 MHz passive tag RFID systems (internationally available frequencies); RFID RF containment device
- Tags only have an innocuous number unless they are equipped with an encryption processor on the tag
- Wireless baseline scans for every installation
- Integrity protection
- WPA or WPA2; IEEE 802.11 or 802.15.4; 915 MHz sensors; IEEE 802.11 active RFID tags (innocuous number)
- Encourage new serial cable replacements to those that use WPA

38 Agenda (section marker; same list as slide 20)

39 Endbox (Crawlers)
- HIP Endbox uses robust wireless network infrastructure securely
- Strong one-factor authentication using SIM chip
- HIP Bridge
- SMA end-to-end security association over enterprise WLAN controller

40 2005 SMA Endbox Demonstration
Real-time SMA Endbox mobility demonstration
Diagram: SMAmobile Robot, AP, 130.42.32.0/24, Directory, Cisco Switch, TempCert RA, LPDD, Bellevue AAA Server, PKI; Boeing namespace: Mobile.tl.boeing.com; SMAmobile Robot Controller; HIP SA

41 Crawler Connected to WLAN with SMA (photo)

42 Present Tech Transitions from SMA
- Network Location Service (NLS) deployed by Boeing IT
- 777 Crawlers – SMA/HIP Endbox (FactoryNet)
- HIP Bridge – enables legacy Ethernet equipment to use SMA in the factory (FactoryNet)
- Any controller-to-robot mobile secure communications in the factory (FactoryNet)
- Secure handoff using end-to-end HIP-enabled security association (SA)
