Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

Secure Network Access Alper E. YE DoCoMo USA Labs March 6

advertisement 
Secure Network Access
Alper E. YEöøN
DoCoMo USA Labs
March 6th, 2002
Network Access
• Components of connectivity
– Link-layer connectivity
– IP address configuration
– On-link forwarding
• ARP
• Neighbor Discovery
– Off-link forwarding
• Gateway
– Router discovery (stateless)
– DHCP (stateful)
– Manual configuration
2
http://www.unik.no/personer/paalee/
Secure Network Access
Secure Network Access
• Only authenticated and authorized clients gets
access
– Important for enterprise networks
– Definitely for public access networks
• Public access networks:
– More challenging
• Network also has to prove its identity to clients
• Wireless technologies, possible malicious nodes/networks
everywhere
• Authentication (not privacy)
3
Secure Network Access
Current Technologies
• Door locks
• HTTP-based schemes
– Mobilestar
• PPP with EAP
• 802.1x (EAP)
4
Secure Network Access
Current Technologies - Issues
• Door locks
– Wireless network leaks
– No doors on street!
• HTTP-based schemes
– Requires user intervention
• PPP
– Works only on point-to-point links
– Additional encapsulation
• 802.1x
– Only works for 802 family links
– Not general deployment yet
Secure Network Access
5
PANA
• Protocol for Carrying Authentication for
Network Access
• To define a network-layer carrier for
authentication and basic authorization
process
– Link-layer independent
• Part of ALL-IP architecture
6
Secure Network Access
PANA
• Define the carrier, pick the payload
– Like Mobile IPv4 registration request carries
MN-FA authentication extension
– Possible payloads
• EAP
• MN-AAA authentication extension of Mobile IPv4
• Like a front-end to AAA
7
Secure Network Access
PANA
Internet
AAA Visited
PANA Client
(PaC)
AAA Home
PANA Authentication
Agent (PAA)
8
Secure Network Access
PANA WG Plan
•
•
•
•
•
•
Requirements and terminology
Usage scenarios
Framework
Interactions with PPP and 802.1x
Protocol design
MIB definitions
9
Secure Network Access
Requirements Highlights
•
•
•
•
•
draft-ietf-pana-requirements-01
Authentication and (simple) authorization
Mutual authentication
Authentication backend
Just the carrier, pick an already defined payload
(security mechanism/protocol)
• Accounting, access control, mobility management
outside the scope
• Multi-access links, clients
• Efficiency
10
Secure Network Access
Link Security
• PANA likely to do key distribution
• Data traffic can be authenticated and
encrypted by using these keys with
– IPsec
– Link-layer protocols
11
Secure Network Access
Solutions
• Too soon to discuss at IETF, but:
– SNARD: Alper E. Yegin, Xiaoning He, Carl
Williams, Lisa Yiqun Lin, Satomi Okazaki
– EAP over ICMP: George Tsirtsis
– EAP over UDP: Paal Engelstad
12
Secure Network Access
SNARD
• Secure network access using router discovery and
AAA: draft-yegin-unap-snard-00
• Carrier:
– Router discovery
• Router solicitations from PaC
• Router advertisements from PAA
• PAA located on the access router
• Payload:
– MN-AAA authentication extension (RFC3012)
– AAA registration keys for Mobile IP: draft-ietfmobileip-aaa-key-08
– Generalized key distribution extensions for Mobile IP:
13
draft-ietf-mobileip-gen-key-01
Secure Network Access
The Protocol
PANA Client
(PaC)
PANA Authentication
Agent (PAA)
AAA Visited
AAA Home
RS
RA+Chal_PAA
RS*
AAAreq
AAAreq
RA*
•
•
AAArep
AAArep
RS*: RS + PaC_id + MN-FA_key_request + Chal_PAA + Chal_PaC +
MN-AAA_auth_ext
RA*: RA + PAA_id + MN-FA_key_reply + Chal_PaC + Chal_PAA +
MN-FA_auth_ext
Secure Network Access
14
Async Re-authentication
• At any time PaC can challenge the PAA by
sending a RS*
• PAA can kick start this challenge process
by sending a RA* with 0 or low lifetime
15
Secure Network Access
Malicious Networks
RS*
RS*
PAA
PAA
PAA
RA*
RA*
RS*
PaC
Secure Network Access
16
Advantages
• A natural extension to existing protocols
– Semantically fit
• A device goes through router discovery anyways
(efficieny)
• A generic IP solution
– Can be used for IPv4, IPv6, Mobile IPv4, Mobile IPv6
• Optimizations by creating local security
associations
17
Secure Network Access
PANA+
• Enhanced authorization
– Network access parameters
• Go beyond initial client authentication for
network access
– Secure neighbor discovery, ARP
• SNARD will deal with this using key distribution
– Secure router discovery
• SNARD already takes care of this!
18
Secure Network Access
Modern Pirates
19
Secure Network Access
Questions/comments
20
Secure Network Access
Related documents
Psychological Assistant Affiliate Membership
Psychological Assistant Affiliate Membership
PAA-Form - University of Alaska System
PAA-Form - University of Alaska System
CCNA Security – Chapter 3 Case Study © 2009 Cisco Learning
CCNA Security – Chapter 3 Case Study © 2009 Cisco Learning
Wastewater Treatment Wangshu Wei , Bakhtier Farouk
Wastewater Treatment Wangshu Wei , Bakhtier Farouk
CS 2813 - Loyola College
CS 2813 - Loyola College
community service - Career Account Web Pages
community service - Career Account Web Pages
V N G E
V N G E
CCNA Security - Skill Exam 2012
CCNA Security - Skill Exam 2012
Download
advertisement