Add to collection(s) Add to saved
  1. No category

The MSEC Extensions to IP Security

advertisement 
The MSEC Extensions
to IP Security
Brian Weis, Cisco Systems
George Gross, IdentAware™ Security
Dragan Ignjatic, Polycom
IETF-63, Paris, France, August 2nd 2005
8/02/2005
IETF-63 MSEC IPsec extensions
page 1
RFC2401-bis IP Security Profile
• RFC2401-bis: ASM and SSM multicast SA,
ESP, tunnel mode, IKE-v2 crypto-suite
• Concurrent co-existence with IKE-v2,
requires SPD/SAD policy coordination
• SPD/SAD configurable by GO to three
dominant multicast service models
• Require multiple speakers with anti-replay
8/02/2005
IETF-63 MSEC IPsec extensions
page 2
Examples of IPsec Policy Objects
• Policy filters, a match triggers an action(s)
– 5-tuple traffic selector filter
– compound filter: prioritized filters sequence
• Policy actions
–
–
–
–
8/02/2005
discard/log packet or allow packet to proceed
apply IPsec Group SA processing
multicast packet distributor
compound action: actions sequenced in a list
IETF-63 MSEC IPsec extensions
page 3
Security Associations Modes
• Transport
• Tunnel – must be supported by a GW,
optional for a host implementation
8/02/2005
IETF-63 MSEC IPsec extensions
page 4
Routing
• Address preservation
– Destination address should have SPD-S PFP
flag set
– Some SSM implementations may need source
address SPD-S PFP flag set as well
– A new flag is introduced to copy remote
address to the tunnel header remote address
8/02/2005
IETF-63 MSEC IPsec extensions
page 5
SPD
• Directionality attribute
– Common (as in 2401bis)
– Send only
– Receive only
• Both send / receive only should support multicast
destination addresses
• Discard & bypass policies applied to the send only
should only create entries in SPD-O
• Likewise, applied to receive only should only
create entries in SPD-I
8/02/2005
IETF-63 MSEC IPsec extensions
page 6
Traffic Processing
• Inbound traffic – SA’s point to their parent
SPD entries
• Outbound traffic – any multicast destined
traffic should be matched against SPD send
only entries
8/02/2005
IETF-63 MSEC IPsec extensions
page 7
SAD
• Replay protection is needed for multi sender
SA’s - TBD
8/02/2005
IETF-63 MSEC IPsec extensions
page 8
PAD
• Needs to be extended for peers with specific
roles:
–
–
–
–
8/02/2005
GCKS
Group Speaker
Group Member
Root Certs used by the group
IETF-63 MSEC IPsec extensions
page 9
NAT’s
• SSM adversely impacted by it
– GCKS can not be preconfigured with NAT
mappings
– SSM routing depends on the source address that
NAT changes
– ESP cloaks its payloads from NAT gw
– UDP checksum depends on source address
– AH can not be used
8/02/2005
IETF-63 MSEC IPsec extensions
page 10
Related documents
Star2Star Communications
Star2Star Communications
Final Exam Review
Final Exam Review
Network Connectivity Options
Network Connectivity Options
Quiz questions
Quiz questions
Problem Set 3
Problem Set 3
3_2_Emergency Services Mobile Communications Programme
3_2_Emergency Services Mobile Communications Programme
Chapter-10
Chapter-10
Lecture Notes - Computing and Information Studies
Lecture Notes - Computing and Information Studies
MSEC Working Group B. Weis Internet-Draft Cisco
MSEC Working Group B. Weis Internet-Draft Cisco
Internet Engineering Task Force George Gross (IdentAware
Internet Engineering Task Force George Gross (IdentAware
Download
advertisement