spain university of murcia antonio f. gómez …...solaris 9 6wind 6200 edge device operation mode...
TRANSCRIPT
� Network Security in IPv6
� IPv6 IPsec/IKE Implementations
� UMU-PKIv6
� Policy-Based Network Management (PBNM)
� PBNM for IPv6 Network Security Components
� Implementation of some Elements of the UMU-PBNM
� Conclusions
� References
� Network Security in IPv6� Introduction
� IPsec … main features
� Public Key Infrastructures
� IPv6 IPsec/IKE Implementations
� UMU-PKIv6
� Policy-Based Network Management (PBNM)
� PBNM for IPv6 Network Security Components
� Conclusions
� References
� Network Security in IPv6: key aspect for current and new Internet services and applications
� No longer an add-on option: mandated and built in as part of IPv6
� It is based on:� IPsec � Some additional components like
� Public Key Infrastructures� DNSsec� …
� Standardized: defined as extensions to the IP protocol suite … AH and ESP headers
� Mandated: all implementations must offer it� Integrated into the protocol:
� Protects all upper layer protocols� Invisible to applications (they can use IPsec
based on their needs)
� Protects both router-to-router and end-to-end communications
� Enables the management of public keys� Why a PKI need to support IPv6
communications?� To provide native access to PKI services
through IPv6-only or dual-stack networks� To enable and promote security-related
services and applications, such as:� Secure VPNs� AAA� Secure videoconferencing
� One of the first experiences on PKIs for IPv6: UMU-PKIv6
� Network Security in IPv6
� IPv6 IPsec/IKE Implementations� IPsec/IKE Solutions Analyzed
� First Evaluation
� Conclusions
� UMU-PKIv6
� Policy-Based Network Management (PBNM)
� PBNM for IPv6 Network Security Components
� Conclusions
� References
� Open-Source Solutions
� FreeS/WAN 1.91 (K)/1.99 (U) with IPv6 support (Linux)
� USAGI Stable Release 4 (Linux)
� KAME-integrated in FreeBSD 4.6 (FreeBSD)
� Commercial Solutions
� Microsoft IPv6 (Windows XP)
� Solaris 9
� 6WIND 6200 Edge Device
Operation Mode FreeS/WAN USAGI KAME Windows Solaris 6WIND
Transport support support support support support Tunnel support future support support support
Compression Algorithms FreeS/WAN USAGI KAME Windows Solaris 6WIND
Deflate future support LZS
AuthenticationAlgorithms FreeS/WAN USAGI KAME Windows Solaris 6WIND
HMAC-MD5 support support support support support support HMAC-SHA-1 support support support support support support
Encryption Algorithms FreeS/WAN USAGI KAME Windows Solaris 6WIND
DES-CBC support support support support Triple DES support support support support support
Rijndael/AES support support support Cast128 support Twofish support Blowfish support support
Configurations FreeS/WAN USAGI KAME Windows Solaris 6WIND Static keys support support support support support
Preshared keys support support future future support Certificates support support support Secure DNS future
� IPsec/IKE with IPv6 not equally deployed as with IPv4 (e.g. FreeS/WAN); in some cases independent (e.g. Windows XP or Solaris 9)
� KAME is the implementation with better IPsec/IKE support
� Commercial OS are having complete IPv6 IPsec implementations
� Normally, implementations manually configured
� It seems that implementations are getting mature enough
� Network Security in IPv6� IPv6 IPsec/IKE Implementations� UMU-PKIv6
� Description� Architecture
� Policy-Based Network Management (PBNM)� PBNM for IPv6 Network Security Components� Conclusions� References
� Main Objective ... to establish a high security infrastructure for distributed systems
� Main Features:� PKI supporting the IPv6 protocol� Developed in Java � running on every Operating
System� Issue, renew and revoke certificates for every entity
belonging to one organisation� Final users can use either RAs or Web browsers to
make their own certification operations� LDAPv6 directory support
� Main Features: (II)� Use of smart cards (file system, RSA or Java Cards)
... allowing user mobility and increasing security� PKI Certification Policy (CPS) support� VPN devices certification support (using the SCEP and
SSH/SCEP protocol)� Support for the OCSP protocol and Time Stamp� Web Administration� Used in both Euro6IX and 6NET projects (cross-
certification between UMU and UCL-CS)
WWW Secure Request Server
Data Base
LDAP Server End User
Certification Authority Registration
Authority
Administrator
IPv6 SSL connectionIPv6 Plain connection
SCEP
VPN Device
WWW Secure Request Server
Data BaseData Base
LDAP ServerLDAP Server End UserEnd User
Certification Authority
Certification Authority Registration
AuthorityRegistration
AuthorityRegistration
Authority
AdministratorAdministrator
SCEPSCEP or SSH/SCP over IPv6
VPN Device
Certification Authority
OCSPResponder
TimeStampingResponder
Time StampServer
OCSP Server
TSPClient
Certificate
Certificate
OCSP Client
msg hash
time stamp
cert serial number
status
TSP Message
OCSP Message
� Network Security in IPv6� IPv6 IPsec/IKE Implementations� UMU-PKIv6� Policy-Based Network Management (PBNM)
� Why do we need policies??� What is a policy??� Where can we apply them??
� PBNM for IPv6 Network Security Components� Implementation of some Elements of the UMU-
PBNM� Conclusions� References
� Current state of the art in IP networks:� Devices on networks: more …
� Numerous� Complicated to configure
� Enterprises and services providers� New services: QoS, VPNs, mobility, etc.� New applications: videoconference, streaming, etc.
� Current IP networks: complex connection of resources difficult (if not impossible) to manage
� Policies …� Offer a system-wide view of
� The network� The services� The applications
� Shift the emphasis of network management to users, services, and applications
� Abstract the details of � Device configuration� Services and applications behaviour
� Set of rules that determine the behaviour of the network, services and applications
� IF certain conditions are present, THEN specific actions are taken
� Example:
If ((trafficToOrFrom NetworkA) and (dayOfMonth is last10Days))
thensecurityLevel = high
� It can be applied to:� Non-networking-related fields (e.g. operating systems)� Networking (IP-based or not)
� Some application areas within IP networking:� QoS control� VPNs� Videoconferencing� Voice over IP� VoD Service� SLA validation� AAA� IP routing� Etc.
� Network Security in IPv6� IPv6 IPsec/IKE Implementations� UMU-PKIv6� Policy-Based Network Management (PBNM)� PBNM for IPv6 Network Security Components
� Policies for the UMU-PKIv6� Policies for IPsec� UMU-PBNM applied to VPNs� UMU-PBNM Components
� Conclusions� References
� Drive the way the UMU-PKIv6 itself works� Digital implementation of a Certification Practice
Statement (CPS) ... they specify which rules must be applied to requested or existing certificates
� Centralised creation process driven by the admin� Distributed use by RAs and other PKI components� Categories:
� Certification rules� Re-issuance rules � Revocation rules
� Verified by all the PKI entities� Digitally signed (integrity and authentication)
normally by the CA private key� Serial Number� Issue Date� Next Issue
� General definition ... “IF conditions include a type of traffic, IP address, and/or TCP/UDP port, THEN actions should include setting certain level ofauthentication and encryption of traffic”
� Common mean of specifying IPsec policies� Vendor and platform independent� Defined in XML and mapping, using XML style-sheets,
onto every IPsec and IKE (freeware or commercial) implementations
� Enables a coordinated control of IP-level security services in every administrative domain
� A policy system working with IPv6 security: UMU-PBNM
VPN: IPv6 Security
COPS: UMU-PBNMStandardsin Use
PEP: UMU-PBNM ComponentsPolicy Management Tool
(PMT)
Policy Enforcement Point(PEP): IPsec Node
Policy Repository
Policy Decision Point (PDP)
Administrator
PolicyConsole
PEP: IPsec Node PEP: IPsec Node
HTTPS
LDAP LDAP
COPSCOPS-PR
CIM/PCIM
XML/XML Signature XML/XML Signature XML/XML Signature
Monitoring Information
VPN VPN
COPSCOPS-PR
COPSCOPS-PR
UMU
PARIS
VPN EPointAdministrator
Euro6IXBackbone
VPN Enforcement
Export Request Certificate/ Import Certificate
PWR
OK
WIC0ACT/CH0
ACT/CH1
WIC0ACT/CH0
ACT/CH1
ETHACT
COL
6WIND Router 1
PWR
OK
WIC0ACT/CH0
ACT/CH1
WIC0ACT/CH0
ACT/CH1
ETHACT
COL
6WIND Router 2
Client
PKIv6
Client
Tunnel ESP
PKI Interaction (get Admin Certificate)/ VPN EPoint Interaction
� Currently, it is also being deployed for CISCO routers
� Network Security in IPv6
� IPv6 IPsec/IKE Implementations
� UMU-PKIv6
� Policy-Based Network Management (PBNM)
� PBNM for IPv6 Network Security Components
� Conclusions
� References
� Network Security in IPv6 is a key point for current and new services and applications
� IPsec is the base component, though some additional ones are needed, e.g. PKI
� State of the art:� IPv6 IPsec implementations are getting enough mature� Just few experiences on PKI over IPv6� New scenarios need to be defined and tested
� Much work still to be done (technically, legally, dissemination, …)
� Policies … new paradigm: � Providing a holistic view of the network, allowing
� (Current) network managers � network engineers (near future)� To “forget” about individual device configuration
� To see how the network is performing at a high-level –from the service and application perspective– rather than just throughput
� To concentrate on how the network is meeting business needs
� Easier, faster, and more scalable deployment of new services and applications (e.g. end-to-end)
� Adding more intelligence to the network, service and application provision and management
� Addressing important issues for the deployment of the Next Generation Internet
� Network Security in IPv6
� IPv6 IPsec/IKE Implementations
� UMU-PKIv6
� Policy-Based Network Management (PBNM)
� PBNM for IPv6 Network Security Components
� Conclusions
� References
� Euro6IX Projecthttp://www.euro6ix.org
� Euro6IX – Deliverable D4.1ahttp://www.euro6ix.org/ingles/documents/deliverables.htm
� UMU-PKIv6 https://pki.umu.euro6ix.org� UMU-PBNM https://shire.dif.um.es/
https://shire.dif.um.es/pmtool/