Presentation is loading. Please wait.

Presentation is loading. Please wait.

LinkSec Architecture Attempt 3

Published bySydney Wallace Modified over 10 years ago

Similar presentations

Presentation on theme: "LinkSec Architecture Attempt 3"— Presentation transcript:

1 LinkSec Architecture Attempt 3
Robert Moskowitz ICSAlabs

2 LinkSec Network Model Hop-by-hop model for Link Confidentiality
Except where provider bridges facilitate virtual links between subscriber bridges Terminology Provider ‘owns’ the network. A Provider may be the Corporate IT department Subscribers ‘use’ the network. E.G. a corporate employee or a paying customer. Transparency in security refers to 2 or more links appearing as a single link to the end devices with the intermediate bridges being transparent to the security services

3 LinkSec Network Model LinkSec delineates link ownership
Provider link Joint link (Provider/Subscriber) Virtual link (Subscriber over Provider) The Network is the collection of Links, Provider link interfaces, and Provider Authentication Servers (and related services)

4 LinkSec Network Model Primarily to protect the Provider network from attack and misuse A Provider IEEE 802 Infrastructure Provider Links Cross-Provider Links Network attachment points Jointly controlled by Provider and Subscriber Network Authentication Link Authorization Link confidentiality (privacy and integrity)

5 Network Definition For purposes here, a Network refers to Layer 2 infrastructure and Layer 3 provisioning services The network is an entity in its own right that needs to be secure The components of a network need various levels of security Rest of the network Network Attachment Point Network Attachment Point The network topology Networked Device Networked Device Networked Device Networked Device Networked Device

6 Security Services Components
Pre-existing trust between Authentication Server and Provider components Subscriber components Targeted Trust is Between Attached devices and Network Between 2 attached devices in specific situations Established Trust Authentication Server Rest of the network Network Attachment Point Network Attachment Point Networked Device Networked Device Networked Device Networked Device Target Trust

7 Provider View Of LinkSec
Support billing No money, no network Binary, no provisioning implied Subscriber and cross-provider Legal obligations Subscriber expectations Legal intercept function of deployment, not protocols Control access to Network Attachment Points Know your Subscriber (i.e. link termination)

8 Subscriber View of LinkSec
Network exists to service Subscribers LinkSec exists to protect subscribers from other subscribers Trust in Network Authenticate the Provider Restriction of exposure Asynchronous: Subscriber assumes no attack from Provider, but Provider assumes attack from Subscriber Trust in billing Only charged for real usage

9 Peer View of LinkSec 2 Peer systems control the link
Bi-directional control Either can initiate authentication Both play an equal role in controlling the authentication process One system may take control of the link Typically based on link ownership e.g ad Provider Bridge might always be the Responder, even if it initiated the authentication

10 Business-Driven Requirements
Provider Network centric IEEE 802 networks only Provider link protection Intra-Provider, Inter-Provider, Subscriber to NAPs Authentication always needed Helps limit mis-use of network Detects mis-wiring Privacy and Integrity protection Data confidentiality

11 More Business-Driven Requirements
Provider Bridge (802.1ad) transparency Customer data private from provider Including bridge management traffic Multiple subscribers to one physical port e.g ah and

12 Business-Driven Requirements Not Included
Link Transparency Virtual, trusted links across hostile bridges Exception is 802.1ad Provider bridges Impact on multi-party Adhoc networks Multiparty links E.G. 2 bridges on with device ignorant of which is active Legal Intercept Solved by deployment methodology not provisions in LinkSec

13 Requirements Details Multi-link model per network component
Each network component (or node) has N points of connection to the network N = 1 is the degenerate case Consider all links as ephemeral “permanent links” are just long-lived ephemeral links links change state as soon as link is lost

14 More Requirements Details
Peer nature of Authentication Both ends of the link control the authentication process, even though one side starts the authentication The peers SHOULD be mutually authenticated (this is a function of a higher level service) One end may force a role of Initiator or Responder There should never be a race condition If both peers start authentication at the same time, one is gracefully terminated

15 More Requirements Details
Layer Signalling of LinkSec Support for Handoff between NAPs No direct support of Handoff mechanisms in LinkSec. I.E. Transparency to handoff at layer 3 Confidentiality of Data frames Integrity of Management frames These are specific media management frames not carried in data frames (e.g DISASSOCIATE) Minimally only accept control packets from authenticated links

Download ppt "LinkSec Architecture Attempt 3"

Similar presentations

Authentication.

Authentication.
MultiNet: Connecting to Multiple IEEE 802.11 Networks Using a Single Radio Ranveer Chandra, Cornell University joint work with: Victor Bahl (MSR) and Pradeep.

MultiNet: Connecting to Multiple IEEE Networks Using a Single Radio Ranveer Chandra, Cornell University joint work with: Victor Bahl (MSR) and Pradeep.
Report from the Networking in Times of Disaster. What is a Disaster? Networks that work in times of disaster should address: Events that affect a network.

Report from the Networking in Times of Disaster. What is a Disaster? Networks that work in times of disaster should address: Events that affect a network.
1 IEEE 802.21 MEDIA INDEPENDENT HANDOVER DCN: 21-09-0014-00-0sec Title: Security Group TR Date Submitted: 20 th January, 2009 Presented at IEEE 802.21.

1 IEEE MEDIA INDEPENDENT HANDOVER DCN: sec Title: Security Group TR Date Submitted: 20 th January, 2009 Presented at IEEE
1 IEEE 802.21 Media Independent Handoff Overview of services and scenarios for 3GPP2 Stefano M. Faccin 802.21 Liaison officer to 3GPP2.

1 IEEE Media Independent Handoff Overview of services and scenarios for 3GPP2 Stefano M. Faccin Liaison officer to 3GPP2.
1 2/20/03 Link Security Scenarios Ali Abaye Charles Cook Norm Finn Russ Housley Marcus Leech Mahalingam Mani Bob Moskowitz Dave Nelson Antti Pietilainen.

1 2/20/03 Link Security Scenarios Ali Abaye Charles Cook Norm Finn Russ Housley Marcus Leech Mahalingam Mani Bob Moskowitz Dave Nelson Antti Pietilainen.
ECMP for 802.1Qxx Proposal for PAR and 5 Criteria Version 2 16 people from ECMP ad-hoc committee.

ECMP for 802.1Qxx Proposal for PAR and 5 Criteria Version 2 16 people from ECMP ad-hoc committee.
1 Introducing the Specifications of the Metro Ethernet Forum.

1 Introducing the Specifications of the Metro Ethernet Forum.
1 Introducing the Specifications of the Metro Ethernet Forum MEF 17 Service OAM Framework and Requirements February 2008.

1 Introducing the Specifications of the Metro Ethernet Forum MEF 17 Service OAM Framework and Requirements February 2008.
M A Wajid Tanveer http://www.IctDirector.com Infrastructure M A Wajid Tanveer http://www.IctDirector.com.

M A Wajid Tanveer Infrastructure M A Wajid Tanveer
Extended Service Set (ESS) Mesh Network Daniela Maniezzo.

Extended Service Set (ESS) Mesh Network Daniela Maniezzo.
Lemonade and Mobile e- mail Stéphane H. Maes – Lemonade Intermediate meeting Vancouver, BC October 2004.

Lemonade and Mobile e- mail Stéphane H. Maes – Lemonade Intermediate meeting Vancouver, BC October 2004.
Data Link Layer B. Konkoth. PDU  Protocol Data Unit  A unit of data which is specified in a protocol of a given layer  Layer 5, 6, 7 – Data  Layer.

Data Link Layer B. Konkoth. PDU  Protocol Data Unit  A unit of data which is specified in a protocol of a given layer  Layer 5, 6, 7 – Data  Layer.
Omniran-13-0018-00-ecsg 1 Introduction to OmniRAN EC SG 2013-03-18 Max Riegel (OmniRAN SG Chair)

Omniran ecsg 1 Introduction to OmniRAN EC SG Max Riegel (OmniRAN SG Chair)
Omniran-14-0037-00-00TG 1 Cooperation for OmniRAN P802.1CF Max Riegel, NSN (Chair OmniRAN TG)

Omniran TG 1 Cooperation for OmniRAN P802.1CF Max Riegel, NSN (Chair OmniRAN TG)
UMA (Unlicensed Mobile Access) El Ayoubi Ahmed Hjiaj Karim.

UMA (Unlicensed Mobile Access) El Ayoubi Ahmed Hjiaj Karim.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.

An Initial Security Analysis of the IEEE 802.1x Standard Tsai Hsien Pang 2004/11/4.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Institute of Technology, Sligo Dept of Computing Semester 3, version 2.1.3 Semester 3 Chapter 3 VLANs.

Institute of Technology, Sligo Dept of Computing Semester 3, version Semester 3 Chapter 3 VLANs.

Similar presentations

Ads by Google