Presentation is loading. Please wait.

Presentation is loading. Please wait.

Softwire Security Requirement Update draft-ietf-softwire-security-requirements-02.txt IETF Meeting, Prague March 19, 2007 Shu Yamamoto Carl Williams Florent.

Published byNora Wilkins Modified over 8 years ago

Similar presentations

Presentation on theme: "Softwire Security Requirement Update draft-ietf-softwire-security-requirements-02.txt IETF Meeting, Prague March 19, 2007 Shu Yamamoto Carl Williams Florent."— Presentation transcript:

1 Softwire Security Requirement Update draft-ietf-softwire-security-requirements-02.txt IETF Meeting, Prague March 19, 2007 Shu Yamamoto Carl Williams Florent Parent Hidetoshi Yokota

2 Status Rev-02 is created incorporating comments on Rev-01 by Security Expert Changed to IKEv2 centric description instead of IKEv1 for IPsec SA establishment

3 Mailing list comments Background –softwire problem statement draft: "The goal of this effort is to reuse or extending existing technology. …, deployed technology must be very strongly considered in our solution selection.” –Hub and spokes phase 0 is to use L2TPv2. Deployed clients that support L2TPv2 today likely support IKEv1 for securing L2TPv2 (RFC3193, Securing L2TP using IPsec). NAT-traversal for IKE and ESP is also deployed today in recent OS. Question on mailing list: –IKEv1, apply RFC3193 + NAT traversal? –Recommend IKEv2? Got 4 comments, all in favor in using IKEv2

4 Hubs & Spokes Change(1) Review of Requirement Language –Requirement language for Softwire security protocol is made consistent with security description in “Softwire Problem Statement” Softwire Security Threat Scenario (Section 3.3) –Clarification of softwire solution as a subset of L2TPv2 for softwire tunnel setup. –Add text for security protection mechanism in L2TPv2 tunnel setup procedure in Softwire context and address the security weakness Without per-packet based authentication for PPP CHAP Weak security solution of PPP ECP No key management facilities for L2TPv2 CHAP option

5 Softwire Security Guidelines (Section 3.4) –From generic descriptions in Rev-01 to more softwire specific descriptions based on the security threat analysis of Section 3.3 –Requirements for softwire security protocol are moved from Section 3.5 in Rev-01 to Section 3.4 in Rev-02 –Describe IPsec ESP in transport mode as Softwire security protocol to meet all requirements given in Section 3.4 Change to Guidelines of IPsec usage (Section 3.5) –Change from security protection mechanism usage in Rev-01 to IPsec usage specific in Rev-02 –Change to IKEv2 centric description from IKE in general. e.g. new implementation SHOULD use IKEv2. –Revise SPD example per Security Expert comment –SPD for IKEv2 is not completed yet. Hubs & Spokes Change(2)

6 Other Changes –Add warning text when non-authenticated connection or anonymous connection service is deployed. –Add the description of user authentication using EAP payload in case of IKEv2. –Address AAA involvement for authentication –Add description of the prohibition of group pre-shared keys Hubs & Spokes Change(3)

7 Mesh Change (1) Mesh Deployment Scenario (Section 4.1) –Classification of two cases such as PE-based AFBR and provider provisioned CE-based AFBR. –Clarification of AS boundary for the discussion in Section 4.2. Trust Relationship (Section 4.2) –Within a single autonomous system, nodes can trust each other. But not necessarily for PE-CE link. –For CE model, trust relationship between CE-based AFBRs as well as between users in access islands and transit core provider are required. –CE-based AFBR should be provisioned by service provider.

8 Case1 : PE-based/Single AS PE-based AFBR –PEs trust each other. Authentication may be turned off in some circumstances. (per Softwire Problem Statement) –When transit core includes non-trusted devices, security protection is required. AF(j)-transit core single AS AF(i)- access iBGP PE trusted each other

9 Case1 : PE-based/Inter AS AF(j)-transit core AS-1 AF(i)- access iBGP PE AS-2 AS-3 AS-4 eBGP PE-based AFBR –PE based AFBR trust each other. –PE-CE link may or may not be trusted. –Confidentiality may be needed when PE-CE link is not trusted. In this circumstance, cryptographic security protection such as IPsec ESP SHOULD be used. trusted or non- trusted

10 Case2: CE based AF(j)-transit core Single AS AF(i)- access iBGP PE CE CE-based AFBR –Dual stack processing is resided in CE of access networks. –Inter-CE BGP peering is used. –CEs MUST trust each other.

11 Mesh Change (2) Applicability of Security Protection Mechanism (New Section 4.4) –Old Section 4.4 was Softwire Security Guideline. –Address security requirements for mesh solution described in Softwire Problem Statement. Softwire mesh setup MUST support authentication Transit core provider may turn it off in some circumstances Softwire MUST support IPsec for data plane –Add description for encryption of PE-CE link referring to RFC4111 –Description of access control filtering moved from Section 4.5

12 Mesh Change (3) Guidelines for Security Protection Mechanism Usage (Section 4.5) –Change text for TCP-MD5 usage for BGP peer at AFBR by stating that TCP-MD5 does not maintain a respectable level of security. –Change text of IPsec usage for BGP peer at AFBR describing the capability of confidentiality, integrity and authentication for BGP session. –Remove text regarding AH. –Address use of IKEv2 to support scalable key management. –Description of security protection mechanism for data plane requires more information on IPsec encapsulation from Softwire Mesh framework document which is in progress.

13 Next Steps IKE2 description for Hubs & Spokes –Add SPD example for IKEv2 –More description of IKEv2 usage Mesh description –Wait for Softwire Mesh Framework document Moving forward –Finalize current document by adding above two items –Discuss changes on ML –Publish new version. –WGLC

Download ppt "Softwire Security Requirement Update draft-ietf-softwire-security-requirements-02.txt IETF Meeting, Prague March 19, 2007 Shu Yamamoto Carl Williams Florent."

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.

1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.

IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
Host Identity Protocol

Host Identity Protocol
32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.

32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
11 KDDI Trial Hub & Spoke Shu Yamamoto Carl Williams Hidetoshi Yokota KDDI R&D Labs.

11 KDDI Trial Hub & Spoke Shu Yamamoto Carl Williams Hidetoshi Yokota KDDI R&D Labs.
Softwires Hub & Spoke with L2TP

Softwires Hub & Spoke with L2TP
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.

Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
Softwire Security Requirement draft-ietf-softwire-security-requirements-03.txt Softwires WG IETF#69, Chicago 25 th July 2007 Shu Yamamoto Carl Williams.

Softwire Security Requirement draft-ietf-softwire-security-requirements-03.txt Softwires WG IETF#69, Chicago 25 th July 2007 Shu Yamamoto Carl Williams.
7/14/2003IETF57 PANA enabling IPsec based Access control draft-mohanp-pana-ipsec-00.txt Mohan Parthasarathy Tahoe Networks - Presented by Hannes Tschofenig.

7/14/2003IETF57 PANA enabling IPsec based Access control draft-mohanp-pana-ipsec-00.txt Mohan Parthasarathy Tahoe Networks - Presented by Hannes Tschofenig.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.

Similar presentations

Ads by Google