Slide 1: Secure Mobile Architecture (SMA) Basics for IEEE 802.21

Richard Paine, Boeing
doc.: 21-07-0212-00-0000, Submission, May 2007
SMA Demo Team, Math & Computing Technologies


Slide 2: IEEE 802.21 presentation release statements (doc.: IEEE 802.21-07/0212r0, Submission, May 2007)

This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21.

The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual <http://standards.ieee.org/guides/opman/sect6.html#6.3> and in Understanding Patent Issues During IEEE Standards Development <http://standards.ieee.org/board/pat/guide.html>

Slide 3: Agenda

• Motivation and Problem Statement
• Review of SMA Components
  • Public Key Infrastructure (PKI)
  • Host Identity Protocol (HIP)
  • Network Directory Service (NDS)
  • Location Enabled Network Service (LENS)

Slide 4: SMA Motivation and Problem Statement

• BCAG Business Segment Need is Total Secure Communications in the Factory (Cellular/WLAN/Fixed Wireless/Cable Replacements/Roam across Subnets)
• IDS Business Segment Need is Secure Mobile Communications (multi-level security, ad hoc, cross-subnet roaming, discovery)
• Works with any MAC, has Uniform Method of Security and Handles Layer 2 Mobility
• Utilizes Cryptographic Identities and Authorization
• Addresses most major Communications and Security Concerns in Networking
• Need to Treat IP as an Insecure Transport Layer
• Secures both Wired and Wireless (as in VOIP calls)

Slide 5: What is “SMA”?

Secure: Cryptographic identities are associated with each and every packet.

Mobile: Mobility-driven address changes are transparent to applications & connections.

Architecture: Significantly improves our Enterprise network architecture by providing:
  • Improved flexibility and agility
  • Network-enforced, end-to-end security
  • Centralized access control with delegated authority
  • Reduced operational cost and complexity
  • Uniform internal/external access method

Slide 6: Agenda (repeats slide 3; section: Review of SMA Components: PKI, HIP, NDS, LENS)

Slide 7: SMA Elements

SMA (Secure Mobile Architecture) = PKI (Public Key Infrastructure) + HIP (Host Identity Protocol) + NDS (Network Directory Services) + LENS (Location-Enabled Network Services)

Slide 8: SMA Elements: PKI (component diagram as on slide 7)

Slide 9: SMA Elements: PKI

TempCert Provisioning Process (figure: Client holding a Badgecert and a Tempcert, an SSL/TLS Tunnel to the RA, Boeing PKI, SLDAP)

1) Badge used for Client Auth; TempCert request sent to RA
2) RA issues TempCert
3) Client has TempCert available for 8-16 hours

Slide 10: SMA Elements: HIP (component diagram as on slide 7)

Slide 11: SMA Elements: HIP

HIP Overview
• Background
  • Original concept developed by Bob Moskowitz
  • Experimental RFCs now in last call in the IETF
  • Boeing heavily involved in RFC development (Tom Henderson)
    – Linux implementation released as Open Source
    – Windows implementation soon to be released
  • Other major players: Cisco, Ericsson, NEC, Siemens, NTT DoCoMo, universities
• HIP provides opportunistic pair-wise SA’s
• Somewhat like IPSec
• Client Cert retrieved from LDAP directory
• SA based on identity, not IP address
• SA established/managed by an IP control channel
• SA data flows through ESP-IP packets
• Mobility events handled in IP stack via HIP UPDATE packets

Slide 12: SMA Elements: HIP

Figure: HIP-Enabled Secure Communications. The Initiator and the Responder each run, in User Space, an Application and a HIP Daemon with a Key Engine, and, in Kernel Space, an IP Stack with IPSec reached through the PF_INET, PF_KEY and PF_RAW sockets. The HIP Handshake runs between the two HIP Daemons; the IPSec ESP Data between the IP stacks is identified by SPI, not IP Address.

Slide 13: SMA Elements: HIP

Figure: packet layout of IP header, IPSec (ESP), Encrypted Header and Transport Payload.

Host Identity (HI) is a public/private key pair:
• Identity defined by holder of private key
• Public key used by others to authenticate control messages
• SHA-1 hash of public key forms a “Host Identity Tag (HIT)”
  - used where 128 bit fields are needed
  - self-referential (i.e., HIT can be securely used instead of HI)

HIT is implied by the SPI value in the IPsec header, so HIP incurs no per-packet overhead.
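As an added illustration of slides 12 and 13 (not code from the deck or from Boeing's HIP implementation), the Python below derives a HIT from a constructed sample public key the way the slide describes it, a SHA-1 hash cut to 128 bits, and shows an inbound ESP demultiplexer that selects the security association by SPI alone, so a HIP UPDATE that moves the peer to a new IP address leaves the SA and its SPI untouched. The key bytes, SPI and addresses are constructed sample values.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed sample Host Identity (HI) public keys. Real HIs are RSA/DSA
# public keys; opaque byte strings stand in for them here.
HI_INITIATOR = b"constructed-sample-HI-public-key-initiator"
HI_RESPONDER = b"constructed-sample-HI-public-key-responder"

def host_identity_tag(hi_public_key: bytes) -> str:
    """HIT as the slide describes it: SHA-1 of the public key, cut to the
    128 bits an IPv6-sized field holds (the IETF specs add an ORCHID prefix)."""
    digest = hashlib.sha1(hi_public_key).digest()
    return str(ipaddress.IPv6Address(digest[:16]))

@dataclass
class HipSecurityAssociation:
    spi: int            # label carried in every ESP packet of this SA
    local_hit: str
    peer_hit: str
    peer_locator: str   # peer's current IP address; changes on mobility

class EspDemux:
    """Inbound ESP classification as slide 12 shows it: the SPI alone selects
    the SA, so the HIT is implied and the source IP address plays no part."""

    def __init__(self) -> None:
        self.by_spi: dict[int, HipSecurityAssociation] = {}

    def install(self, sa: HipSecurityAssociation) -> None:
        self.by_spi[sa.spi] = sa

    def classify(self, src_ip: str, spi: int):
        """Peer HIT owning an ESP packet with this SPI, or None (drop) when no
        SA is installed. src_ip is deliberately unused."""
        sa = self.by_spi.get(spi)
        return None if sa is None else sa.peer_hit

    def hip_update(self, spi: int, claimed_hit: str, new_locator: str) -> bool:
        """Mobility event via HIP UPDATE: the SA and its SPI survive, only the
        peer locator changes. A real daemon verifies the UPDATE signature with
        the peer's HI public key; matching the claimed HIT against the SA is a
        constructed stand-in for that check."""
        sa = self.by_spi.get(spi)
        if sa is None or sa.peer_hit != claimed_hit:
            return False          # unknown SA or wrong identity: reject
        sa.peer_locator = new_locator
        return True
```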

Slide 14: SMA Elements: NDS (component diagram as on slide 7)

Slide 15: SMA Elements: NDS

• Support for real-time endpoint mobility & location data
• Future integration with Boeing DNS and directory (CED, NAMS-ng) infrastructure

Figure: Directory Information Flow, with the Enterprise, a DNS Proxy, the Security Perimeter, a Virtual Directory, an SLDAP Client, the Policy Decision Daemon, Middleboxes, the Client, DNS/DDNS and the Location Server.

Slide 16: SMA Elements: NDS

Two-Stage Client Provisioning

Generic ISP Provisioning Process (figure: Client, 802.11 Access Point, DHCP Server, AAA Server, DNS)

Enterprise Provisioning Process (figure: Client, TLS, RA, Directory, SLDAP)
1) HardCert authentication for TempCert
2) Identity IP Update in Directory

Slide 17: SMA Elements: LENS (component diagram as on slide 7)

Slide 18: SMA Elements: LENS

Figure: Location Architecture, with a Location Computation Server, Directory, Location Distribution Server & Policy, Location Requesting Client, Passive Tag Gate, AAA Server and the Boeing Intranet.

Slide 19: SMA Elements (component diagram as on slide 7)

Slide 20: What has Changed between 2004 and 2006 Demos

2004
  PKI:  Smart Cards, Temp Certs, Boeing PKI
  HIP:  Linux Client (Opensource), HIP Web Server
  NDS:  Location-Based Policy Enforcement (Polling LDAP)
  LENS: Simulated Location Server

2005
  PKI:  No Change
  HIP:  Windows XP Client (Opensource), Endbox, Cellular to WLAN Handoffs
  NDS:  Location-Based Policy Enforcement (Pub-Sub Using IBM MQ Series), Scales to Enterprise
  LENS: Aeroscout Location Server (Blv & 40-26), Location Events thru Pub-Sub, Live Location Updates

2006
  PKI:  TCG Recommendations
  HIP:  Mobile Demo, Secure SCADA on 777 Crawlers, VOIP Handoffs
  NDS:  Network Location Service (NLS)
  LENS: No Change

Slide 21: Agenda

• SMA Technology Transfer
  • Location
  • Secure Layer 2 Mobility
  • Pub-Sub
  • SMA Policy-Based Networking Using Location
  • Endbox
  • Secure VoWLAN
• SMA in the Boeing Enterprise and Battlespace
• CY’07 plans
• Q & A

Slide 22: Everett Manufacturing Site

WLAN 802.11-based RTLS/LENS Pilot

Slide 23: Everett 40-26 (TDOA)

Figure labels: Time Synchronizers, TDOA Location Devices.

Slide 24: RFID Components

• Active tags send an identifier string
  • AeroScout: Unique 802.11 MAC address
  • Programmable “chirp” rate
• Location is computed using a combination of
  • Signal strength measurements
    – Both Cisco AP’s and AeroScout “Location Receivers”
  • Time-of-Flight triangulation
    – AeroScout “Location Receivers” only
    – We expect this capability to be added to Cisco AP’s in a few years

Slide 25: Everett Location Policy Enforcement (figure)

Slide 26: C17 Factory

Slide 27: F15/F18 Factory

Slide 28: Other Factories to Get NLS

• Fredrickson

• Auburn

• Everett

Slide 29: Agenda (repeats slide 21; section: Secure Layer 2 Mobility)

Slide 30: 2005 SMA Cellular to WLAN Handoff

• Real-time WLAN/Cellular mobility demonstration

Figure: an SMA mobile with IP Address A and IP Address B (its address before and after the handoff); three APs on 130.42.32.0/24 behind a Cisco Switch; Netscreen, MSC and the Internet on the cellular side; Bellevue infrastructure with Directory, TempCert RA, LPDD, AAA Server and PKI; PW Namespace: mct.phantomworks.org.

Slide 31: 2006 SMA Secure VOIP Handoff

Figure: DNS Namespace mobile.tl.boeing.com, with an AAA Server and Navy PKI. A WiMAX side (Router, three Twr, smaX, WiMAX Switch) and a WiFi side (three AP, WiFi Switch), each with its own Msg Brkr, Directory, DNS, TempCert RA, Location Server and LPDD. Endpoints: smamobiles with VOIP, SMAx VOIP, a Cellular Smamobile, a Robot Controller and Robots, each joined by a HIP SA.

Slide 32: 2007 SMA VoWLAN for FactoryNet

Figure: as on slide 31 (DNS Namespace mobile.tl.boeing.com; AAA Server and Navy PKI; a WiMAX side with Router, three Twr, smaX and WiMAX Switch and a WiFi side with three AP and WiFi Switch, each with its own Msg Brkr, Directory, DNS, TempCert RA, Location Server and LPDD; smamobiles VOIP, SMAx VOIP, a Cellular Smamobile, a Robot Controller and Robots joined by HIP SAs), with the Boeing Intranet and the Internet added.

Slide 33: Agenda (repeats slide 21; section: Pub-Sub)

Slide 34: 2004 SMA Directory Service

Figure: the 2004 LDAP directory holding Status, Policies and Locations; a Decision Daemon; two Clients sending Status Updates; a Sim LS (simulated location server) supplying Locations; DNS/IP.

Slide 35: Prototype Pub-Sub Messaging Architecture

Figure: Message Broker Infrastructure (two brokers) with Connectors to an RTLS Location Server, a Passive Tag DCS, a Barcode Scanner DCS, an RDBMS (SQL) and Event Consumers; a Content Subscription Manager holds the Content Subscriptions. A Possible Future Enhancement is marked on the figure.

Slide 36: Pub-Sub Detail for FactoryNet

• RTLS Location

Figure: Message Broker Infrastructure with Connectors to the RTLS Location Server, a Sensor Server, an RFID Server, LDAP and Event Consumers; a Content Subscription Manager holds the Content Subscriptions. The Decision Daemon registers Interest and receives Updates, holds Policy, Status and Locations, and exchanges an Initial Query Response and Status Updates with the HIPD clients. First Year: Polling; Second Year: Pub-Sub.

Slide 37: Agenda (repeats slide 21; section: SMA Policy-Based Networking Using Location)

Slide 38: Asset Tracking and Supply Chain Vision

(Slide carries the footer of Wireless_Application_Group_(WAG)_Vision_and_Arch_6-9-05.ppt, page 43: Boeing Technology | Phantom Works, E&IT | Mathematics and Computing Technology, Copyright © 2004 Boeing. All rights reserved.)

Figure: Location Computation Server, Directory, Location Distribution Server & Policy, Location Requesting Client, Passive Tag Gate(s), RFID Information Repository, AAA Server, Boeing Intranet.

• 866-957MHz Passive Tag RFID Systems (Internationally Available frequencies)
• RFID RF Containment Device
• Tags only have innocuous number unless they are equipped with encryption processor on tag
• Wireless Baseline Scans for every installation
• Integrity protection

• WPA or WPA2
• IEEE 802.11 or 802.15.4 915MHz Sensors
• IEEE 802.11 Active RFID Tags (innocuous number)
• Encourage new serial cable replacements to those that use WPA

• Enterprise RLAN/RFID Management Council
• Enterprise RLAN/RFID Technical Council

Slide 39: Agenda (repeats slide 21; section: Endbox)

Slide 40: Endbox (Crawlers)

• HIP Endbox
• Uses robust wireless network infrastructure securely
• Strong one factor authentication using SIM chip

Figure: SMA End-to-End Security Association over Enterprise WLAN, between a HIP Bridge and a Controller.

Slide 41: 2005 SMA Endbox Demonstration

• Real-time SMA Endbox mobility demonstration

Figure: an SMA mobile Robot across three APs on 130.42.32.0/24 behind a Cisco Switch, with a HIP SA to the SMA mobile Robot Controller; Bellevue infrastructure with Directory, TempCert RA, LPDD, AAA Server and PKI; Boeing Namespace: Mobile.tl.boeing.com.

Slide 42: Crawler Connected to WLAN w SMA

Slide 43: Present Tech Transitions from SMA

• Network Location Service (NLS) deployed by Boeing IT

• 777 Crawlers – SMA/HIP Endbox (FactoryNet)

• HIP Bridge – enables legacy Ethernet equipment to use SMA in the factory (FactoryNet)

• Any Controller to Robot mobile secure communications in the factory (FactoryNet)

• Secure Handoff Using End-to-End HIP-Enabled Security Association (SA)

Slide 44: Lessons for 802.21

• Secure mobile handoff is possible using HIP

• Seamless secure mobility is possible

• SCADA solutions being deployed

• Discussions ongoing about securing governmental utility infrastructure using mobile secure methods