International Telecommunication Union
IETF Security Work
Magnus Nyström, Technical Director, RSA Security
Presentation made on behalf of the IETF
ITU-T Cybersecurity II Symposium, 29 March 2005, Moscow, Russian Federation

Background
Internet Engineering Task Force
o International standards organization
o Open process with worldwide participation
o No membership fees
o Operates by consensus among participants
o Primary focus is protocols for the Internet

Some IETF Security Activities
o The IETF is organized into seven working areas
o One area is devoted entirely to security
o The security area comprises 20+ working groups, each focusing on some security-related protocol and/or problem
o This presentation briefly presents a few of the IETF's security initiatives
  • EAP, IPsec, TLS, SRTP, S/MIME, DNSSEC, RPSEC, PKIX

Security Protocols – Which OSI Layer?
o OSI Layer 2
  • Protects the link hop-by-hop
  • IP headers can be hidden from an eavesdropper
  • Protects against traffic analysis
  • Example IETF protocol providing security services: EAP (within PPP)
o OSI Layers 3 and 4
  • Protect an end-to-end, real-time conversation
  • Example IETF protocols providing security services: IPsec (layer 3), TLS (layer 4)

Security Protocols – Which OSI Layer? (cont.)
o OSI Layers 5 and higher
  • Protect application-specific messages
  • Support store-and-forward communication
  • Example IETF protocols providing security services: S/MIME, SRTP
o Infrastructure Protection
  • Protocol-specific protection for Internet infrastructure

OSI Layer 3 vs. OSI Layer 4
o Security services in OSI layer 3
  • Do not change applications or their APIs
  • The OS provides the security protocol
o Security services in OSI layer 4
  • Do not change the OS
  • The application program provides the security protocol, perhaps by linking with a library
  • Typically the security services run on top of the layer 4 protocol (e.g. SSL/TLS)

EAP
o Extensible Authentication Protocol (EAP) provides a framework for authentication between a node and the network
  • Primarily used in PPP, IEEE 802.11 and IEEE 802.16, but also in IPsec (IKEv2)
o Many different authentication methods are supported, with an AAA server
  • Some provide session keying material and mutual authentication
  • Extremely useful in WiFi environments

IPsec
o For establishment of secure IP connections, typically VPNs or conditional-access multicast
o Internet Protocol Security (IPsec) has recently updated the whole suite of documents
  • Architecture – explains all of the parts as well as access control processing
  • IKEv2 – application-layer key management protocol; uses EAP for some authentication methods
  • ESP – encryption, with (optional) authentication and integrity, of the IP payload, or of the whole inner datagram in tunnel mode
  • AH (optional to implement) – authentication and integrity of the IP datagram, including some IP header fields

TLS
o "The" protocol for securing HTTP communication, and many other higher-layer protocol sessions
o Transport Layer Security (TLS) is getting a minor update, and a new protocol for connectionless transport is coming
  • TLS – client-server protocol to protect a session
  • DTLS – Datagram TLS, to accommodate applications that use connectionless transport protocols like UDP

SRTP
o Secure Real-time Transport Protocol (SRTP) provides security for the RTP transport protocol
  • SRTP – authentication, integrity and encryption of an RTP stream, such as VoIP
o Increasingly used also in DRM scenarios

S/MIME
o Secure MIME (S/MIME) offers protection of any MIME entity, supporting secure email, SIP security, location privacy and other MIME-based protocols
  • application/pkcs7-mime – a MIME body part carrying signature, encryption and/or compression
  • multipart/signed – the signature over one MIME body part is carried in an associated, but detached, MIME body part

PKIX
o Public-Key Infrastructure for the Internet
o Has developed numerous PKI-supporting protocols, e.g.
  • Certificate enrollment and lifecycle management (CMP, CMC)
  • Online certificate status (OCSP)
o X.509 certificate profiles for interoperability
o Current work focuses on certificate access protocols, as well as refinements

Infrastructure Protection
o Domain Name System Security (DNSSEC)
  • Enables trust in DNS services and information
  • Digital signatures on DNS records
  • Public keys stored as signed DNS records
o Routing Protocol Security (RPSEC)
  • Security analysis and requirements for Internet routing protocols
  • Finished the generic routing security analysis; still working on:
    • BGP security analysis and requirements
    • Generic routing security requirements

BGP Security
o RPSEC Working Group
  • BGP security analysis and attack tree
  • Considers security services such as
    • Authorization of prefix origination
    • AS_PATH authentication
    • Transport security
  • Select security mechanisms
  • Consider remaining threats and operational aspects
o Two proposals have been made
  • soBGP (secure origin BGP)
  • S-BGP (secure BGP)
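The Infrastructure Protection slide sums up DNSSEC as "digital signatures on DNS records" whose public keys are themselves published as signed DNS records. The following Go program is an added example, not part of the presentation or of any IETF code, showing the mechanism end to end: a zone canonicalizes an RRset, signs it together with the RRSIG's own fields (signer name, key tag, validity window), and a resolver verifies the result against the zone's DNSKEY, rejecting a tampered record and an expired signature. It simplifies in ways that are assumptions of the example: records are canonicalized as text rather than the RFC 4034 wire format, the RRSIG carries only a subset of its real fields, and the signature algorithm is Ed25519 (DNSSEC algorithm 15, standardized in RFC 8080 well after this 2005 talk). The key tag computation is the real RFC 4034 Appendix B algorithm; the names and addresses are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified text-form resource record, constructed for this example.
// Real DNSSEC canonicalises and signs the RFC 4034 wire format, not text.
type RR struct {
	Owner string
	TTL   uint32
	Type  string
	RData string
}

// RRSIG holds the subset of RRSIG RDATA fields used here plus the signature.
type RRSIG struct {
	TypeCovered string
	Signer      string // zone whose DNSKEY verifies this signature
	KeyTag      uint16
	Inception   uint32 // validity window, seconds since the epoch
	Expiration  uint32
	Signature   []byte
}

// keyTag implements the RFC 4034 Appendix B key tag over DNSKEY RDATA
// (flags, protocol, algorithm, key); resolvers use it to pick a candidate DNSKEY.
func keyTag(flags uint16, protocol, alg byte, key []byte) uint16 {
	rdata := append([]byte{byte(flags >> 8), byte(flags), protocol, alg}, key...)
	var ac uint32
	for i, b := range rdata {
		ac += uint32(b) << (8 * uint(1-i&1)) // even bytes are the high octet of a 16-bit word
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// canonicalRRset follows RFC 4034 section 6 in spirit: owner names lower-cased,
// TTL replaced by the RRSIG's original TTL, records sorted so the order a server
// returns them in does not matter. Sorting text instead of binary RDATA is a simplification.
func canonicalRRset(rrs []RR, ttl uint32) string {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, fmt.Sprintf("%s %d IN %s %s\n",
			strings.ToLower(rr.Owner), ttl, rr.Type, rr.RData))
	}
	sort.Strings(lines)
	return strings.Join(lines, "")
}

// signedData is what is actually signed: the RRSIG fields (minus the signature
// itself) followed by the canonical RRset, so the window and signer are protected too.
func signedData(sig RRSIG, rrs []RR, ttl uint32) []byte {
	hdr := fmt.Sprintf("%s %s %d %d %d\n", sig.TypeCovered,
		strings.ToLower(sig.Signer), sig.KeyTag, sig.Inception, sig.Expiration)
	return []byte(hdr + canonicalRRset(rrs, ttl))
}

func signRRset(priv ed25519.PrivateKey, sig RRSIG, rrs []RR, ttl uint32) RRSIG {
	sig.Signature = ed25519.Sign(priv, signedData(sig, rrs, ttl))
	return sig
}

// verifyRRset is the resolver side: reject outside the validity window or on a
// key tag mismatch, then check the signature with the zone's DNSKEY.
func verifyRRset(pub ed25519.PublicKey, tag uint16, sig RRSIG, rrs []RR, ttl, now uint32) bool {
	if tag != sig.KeyTag || now < sig.Inception || now > sig.Expiration {
		return false
	}
	return ed25519.Verify(pub, signedData(sig, rrs, ttl), sig.Signature)
}

// demo signs a constructed A RRset for www.example.org and reports whether the genuine
// set verifies, whether a copy with a swapped address verifies, and whether the genuine
// set still verifies once the signature has expired.
func demo() (genuine, tampered, expired bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tag := keyTag(257, 3, 15, pub) // flags 257 = zone key + SEP, protocol 3, alg 15 = Ed25519
	rrs := []RR{{"www.Example.ORG", 3600, "A", "192.0.2.10"}, {"www.example.org", 3600, "A", "192.0.2.1"}}
	sig := signRRset(priv, RRSIG{"A", "example.org", tag, 1_000_000, 2_000_000, nil}, rrs, 3600)
	genuine = verifyRRset(pub, tag, sig, rrs, 3600, 1_500_000)
	forged := []RR{rrs[0], {"www.example.org", 3600, "A", "203.0.113.66"}}
	tampered = verifyRRset(pub, tag, sig, forged, 3600, 1_500_000)
	expired = verifyRRset(pub, tag, sig, rrs, 3600, 2_000_001)
	return
}

func main() {
	g, t, e := demo()
	fmt.Printf("genuine=%v tampered=%v expired=%v\n", g, t, e) // genuine=true tampered=false expired=false
}
```

The two points worth taking from the example are the ones that trip up real deployments: the signature covers the canonical form, so case changes or reordering by an intermediate server do not break validation but any change to RDATA does, and the validity window is part of the signed data, so a zone that lets its RRSIGs expire turns its own records into validation failures.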