Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implications of Trust Relationships for NSIS Signaling (draft-tschofenig-nsis-casp-midcom.txt) Authors: Hannes Tschofenig Henning Schulzrinne.

Published byMiles Leonard Modified over 8 years ago

Similar presentations

Presentation on theme: "Implications of Trust Relationships for NSIS Signaling (draft-tschofenig-nsis-casp-midcom.txt) Authors: Hannes Tschofenig Henning Schulzrinne."— Presentation transcript:

1 Implications of Trust Relationships for NSIS Signaling (draft-tschofenig-nsis-casp-midcom.txt) Authors: Hannes Tschofenig Henning Schulzrinne

2 Hannes.Tschofenig@siemens.com Scope NSIS also aims to signaling non-QoS information Signaling NAT and firewall information is a possible NSIS application. Draft focus: Security issues for signaling in-path NAT/firewall information. Builds on previous TIST activities

3 Hannes.Tschofenig@siemens.com Peer-to-Peer Security only Administrative Domain A Administrative Domain B Node ANode B Core Network Security protection between end hosts and networks depends on scenario (=> Secure Network Access)

4 Hannes.Tschofenig@siemens.com Administrative Domain A Intra-domain Trust Relationship PDP Edge routers must receive particular attention Intra-domain signaling message protection is still required to “separated” NSIS nodes from non-NSIS nodes (by signaling message protection) Edge Router A Edge Router B Router

5 Hannes.Tschofenig@siemens.com Administrative Domain B End-to-Middle Authentication Administrative Domain A Node ANode B Core Network In a firewall traversal environment user authentication might also be required to intermediate networks. Firewalls are distributed sparsely. User Credentials

6 Hannes.Tschofenig@siemens.com Missing Trust Node ANode B Core Network Without protection of signaling messages between the two networks a signaling message exchange might not be possible. Alternatives: Authorization Tokens Signaling only at the local access network Receiver-initiated signaling No Trust / No Security Protection Administrative Domain B Administrative Domain A

7 Hannes.Tschofenig@siemens.com Differences Difference QoS and Firewall signaling? Trust relationships and authorization are different For QoS signaling accounting and charging is a very important issue (for firewall signaling probably not) Firewall signaling is seen as more security sensitive Lower number of devices need to store state / are affected by a firewall signaling protocol (discovery)

8 Hannes.Tschofenig@siemens.com Network Address Translation NAT handling Does not need to be combined within firewall signaling as an application. Must be addressed by NSIS to let the protocol operate correctly. Double-NAT handling makes a solution quite complex

9 Hannes.Tschofenig@siemens.com Some IETF working groups also create protocols which allow firewall traversal or policy rule establishment: MIDCOM WG — Establishment of policy rules at middleboxes in an off-path nature IPSec WG — IPSec protocols would allow only authenticated data traffic to pass security gateways IPSRA WG — IPSec + legacy authentication + provisioning of configuration parameters. PANA — Secure network access based on EAP Additionally of interest: Authorization tokens exchanged with other protocols (e.g. HTTP or SIP) to restrict end host to create firewall rules Relationship to other protocols and working groups

Download ppt "Implications of Trust Relationships for NSIS Signaling (draft-tschofenig-nsis-casp-midcom.txt) Authors: Hannes Tschofenig Henning Schulzrinne."

Similar presentations

Washinton D.C., November 2004 IETF 61 st – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena.

Washinton D.C., November 2004 IETF 61 st – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena.
1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.

1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.
Progress Report: Metering NSLP (M-NSLP) 66th IETF meeting, NSIS WG.

Progress Report: Metering NSLP (M-NSLP) 66th IETF meeting, NSIS WG.
SIP and IMS Enabled Residential Gateway Sergio Romero Telefónica I+D Jan Önnegren Ericsson AB Alex De Smedt Thomson Telecom.

SIP and IMS Enabled Residential Gateway Sergio Romero Telefónica I+D Jan Önnegren Ericsson AB Alex De Smedt Thomson Telecom.
H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.
World Class Standards ANFOV - Milano, 14 November 2007 – Paolo DE LUTIIS ANFOV - Milano, 14 November 2007 Autore:Paolo DE LUTIIS Telecom Italia Security.

World Class Standards ANFOV - Milano, 14 November 2007 – Paolo DE LUTIIS ANFOV - Milano, 14 November 2007 Autore:Paolo DE LUTIIS Telecom Italia Security.
Security Threats and Security Requirements for the Access Node Control Protocol (ANCP) IETF 67 - ANCP WG November 5-10, 2006 draft-moustafa-ancp-security-threats-00.txt.

Security Threats and Security Requirements for the Access Node Control Protocol (ANCP) IETF 67 - ANCP WG November 5-10, 2006 draft-moustafa-ancp-security-threats-00.txt.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Mobile IPv6 - NSIS Interaction for Firewall traversal draft-thiruvengadam-nsis-mip6-fw-04 S. Thiruvengadam Hannes Tschofenig Franck Le Niklas Steinleitner.

Mobile IPv6 - NSIS Interaction for Firewall traversal draft-thiruvengadam-nsis-mip6-fw-04 S. Thiruvengadam Hannes Tschofenig Franck Le Niklas Steinleitner.
1 © NOKIA NSIS MIPv6 FW/ November 8 th 2004 Mobile IPv6 - NSIS Interaction for Firewall traversal draft-thiruvengadam-nsis-mip6-fw-01 S. Thiruvengadam.

1 © NOKIA NSIS MIPv6 FW/ November 8 th 2004 Mobile IPv6 - NSIS Interaction for Firewall traversal draft-thiruvengadam-nsis-mip6-fw-01 S. Thiruvengadam.
Telematics group University of Göttingen, Germany Overhead and Performance Study of the General Internet Signaling Transport (GIST) Protocol Xiaoming.

Telematics group University of Göttingen, Germany Overhead and Performance Study of the General Internet Signaling Transport (GIST) Protocol Xiaoming.
Bootstrapping MIP6 Using DNS and IKEv2 (BMIP) James Kempf Samita Chakrarabarti Erik Nordmark draft-chakrabarti-mip6-bmip-01.txt Monday March 7, 2005.

Bootstrapping MIP6 Using DNS and IKEv2 (BMIP) James Kempf Samita Chakrarabarti Erik Nordmark draft-chakrabarti-mip6-bmip-01.txt Monday March 7, 2005.
9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.
Next Step In Signaling (NSIS) and Internet Routing Dynamics Charles Shen and Henning Columbia University in the City of New York Internet.

Next Step In Signaling (NSIS) and Internet Routing Dynamics Charles Shen and Henning Columbia University in the City of New York Internet.
NSIS Transport Layer draft-ietf-nsis-ntlp-00.txt Slides:

NSIS Transport Layer draft-ietf-nsis-ntlp-00.txt Slides:
CASP – Future Work Plans and Ideas Henning Schulzrinne & LQS team August 27, 2002.

CASP – Future Work Plans and Ideas Henning Schulzrinne & LQS team August 27, 2002.
SIP, NAT, Firewall SIP NAT Firewall How to Traversal NAT/Firewall for SIP.

SIP, NAT, Firewall SIP NAT Firewall How to Traversal NAT/Firewall for SIP.
Trade-offs and open issues with path discovery and transport or not all requirements are orthogonal… Henning Schulzrinne Columbia University

Trade-offs and open issues with path discovery and transport or not all requirements are orthogonal… Henning Schulzrinne Columbia University
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
E J B J A V A X M L C O R B A M P L S D i f f S e r v I P V P N Q o S I P v 6 G P R S U M T S An Analysis.

E J B J A V A X M L C O R B A M P L S D i f f S e r v I P V P N Q o S I P v 6 G P R S U M T S An Analysis.

Similar presentations

Ads by Google