Documents
Resources
Learning Center
Upload
Plans & pricing Sign in
Sign Out

IPSEC-IT

VIEWS: 0 PAGES: 37

									IT 포럼 코리아 2001




            IPSEC 표준화 동향


                    이계상
                  정보통신공학과
                   동의대학교
                 http://www.dongeui.ac.kr/~ksl


                                                 1
                  목차
• 50차 IETF Minneapolis 회의 주요 내용
  – IPSEC WG
  – IPSP WG
  – IPSRA WG
• Mobile IPv6 Security issue




                                  2
  IP Security 관련 IETF WGs
• IPSEC WG
  – 1993년 발족
  – IP security protocols and algorithms 표준화
• IPSP WG
  – 2000.3월, 1st WG meeting
  – Policy issue
• IPSRA WG
  – 2000.3월, 1st WG meeting
  – Remote access issue
• 50차 IETF 회의 (미국 미니애폴리스)
  – 2001.3.18 - 23
                                               3
IPSEC WG




           4
            IPsec MIB 문서
• 다음 세 문서를 곧 WG last call 함
  – Draft-ietf-ipsec-isakmp-di-mon-mib-03.txt
  – Draft-ietf-ipsec-ike-monitor-mib-02.txt
  – Draft-ietf-ipsec-monitor-mib-04.txt




                                                5
           Announcement
• Next IPsec Bakeoff (Workshop)
  – Espoo, Finland (near Helsinki)
  – 2001.8.13 – 19 (런던 IETF 회의 바로 다음주)




                                     6
 IPV6 and IPsec - ICMPv6 이슈
• ICMPv6 messages
  –   Destination Unreachable
  –   Packet Too Big
  –   Time Exceeded
  –   Parameter Problem
  –   Echo Request/ Reply
  –   Redirect
  –   Router Solicit/ Advert
  –   Neighbor Solicit/ Advert
  –   Router Renumbering

                                 7
        ICMPv6 Problem 예
• 호스트 A가 호스트 B와 보안 통신 희망
  – 모든 트래픽 보안
• IKE message  UDP  ICMPv6 msg (neighbor
  solicit for ARP)  IKE ???
• IKE를 통한 자동 SA 사용 못함

          A                  B



                                             8
                  ICMPv6와 IKE
• ICMPv6 message와 IKE 사용 관계
 –   Destination Unreachable    may (Use of IKE?)
 –   Packet Too Big             may
 –   Time Exceeded              may
 –   Parameter Problem          may
 –   Echo Request/ Reply        may
 –   Redirect                   should not
 –   Router Solicit/ Advert     must not
 –   Neighbor Solicit/ Advert   must not
 –   Router Renumbering         may



                                                    9
                  Solution
• ICMPv6 메시지 보호용으로, 수동 IPsec
  SA를 사용하는 제안 논의
• 수동 설정에 따른 오버헤드 감소 방법도
  같이 제안
• 문서
  – draft-arkko-icmpv6-ike-effects-00.txt
  – draft-arkko-manual-icmpv6-sas-00.txt
• More discussion on the list
                                            10
                  Secure MPLS
• MPLS: Sub-IP Area, mpls WG
• 두 문서
    – Draft-tsenevir-smpls-doi-00.txt
    – Draft-tsenevir-smpls-01.txt
•   SMPLS-AH
•   SMPLS-ESP
•   Ok to run IKE over RSVP ?
•   Requirements ?
                                        11
               IPsec and NAT
•   두 문서
    –   IPsec NAT-Traversal
        draft-stenberg-ipsec-nat-traversal-02.txt
    –   IPsec ESP Encapsulation in UDP for NAT
        Traversal
        draft-huttunen-ipsec-esp-in-udp-01.txt

•   위 두 문서를 결합하여 논의함
    –   곧 새로운 문서 post 예정

                                                    12
                Son of IKE
• To fix bugs, not to add any features
• Need to be implementation preserving
• A proposal is to combine the three
  documents into a new draft
  – Unnessarily long, duplicate, …
• More discussion


                                         13
IPSP WG




          14
               Past Meetings
• BOF
  – 1999.3
• 1st WG meeting
  – 47th IETF, Adelaide, Australia, 2000.3
• 2nd WG meeting
  – 48th IETF, Pittsburgh, USA, 2000.8
• 3rd WG meeting
  – 49th IETF, San Diego, USA, 2000.12
• 4th WG meeting
  – 50th IETF, Minneapolis, USA, 2001.3

                                             15
                    Drafts
• No RFC
• 5 WG drafts
  –   A Roadmap for IPsec Policy Management
  –   IPSP Requirements
  –   IPsec Configuration Policy Model
  –   IPsec Policy Configuration MIB
  –   IPSec Policy Information Base

                                              16
             주요 논의 문서
• Policy Management Roadmap
• Requirement draft
  – Draft-ietf-ipsp-requirement-00.txt
  – No change, no comments since last meeting
• Configuration policy model
  – Draft-ietf-config-policy-model-02.txt
  – Policy Framework WG의 PCIM extension draft와
    부합 여부 보고
• 이들 세 문서를 곧 last call 예정

                                                 17
      주요 논의 문서 (계속)
• IPsec configuration MIB
  – Draft-ipsp-ipsec-config-mib-00.txt
• IPsec policy information Base (PIB)
  – Draft-ipsp-ipsecpib-02.txt

• Next Step
  – PF_Policy draft, SG discovery protocol 설계,
    Security policy specification language

                                                 18
IPSRA WG




           19
               Past Meetings
• 1st BOF
• 2nd BOF
  – Washington, 1999.11
• 1st WG meeting
  – 47th IETF, Adelaide, Australia, 2000.3
• 2nd WG meeting
  – 48th IETF, Pittsburgh, USA, 2000.8
• 3rd WG meeting
  – San Diego, 2000.12
• 4th WG meeting
  – 50th IETF, Minneapolis, USA, 2001.3
                                             20
                   Drafts

• No RFC
• 4 WG drafts
  – Requirements draft
  – DHCP Configuration draft
  – Two Authentication drafts




                                21
            주요 문서 현황
• Requirement draft
  – Currently 03 version
  – No comment since last meeting
     • L2TP ext WG에 comment 요청
  – To informational RFC
• DHCP 09 draft
  – IETF last call (for proposed standard RFC)

                                                 22
   Remote User Authentication

• Two proposals
  – Pre-IKE Credential Provisioning Protocol
     • PIC draft : draft-ietf-ipsra-pic-01.txt
  – Client Certificate and Key Retrieval for IKE
     • getcert draft : draft-ietf-ipsra-getcert-00.txt
• Recent Straw Poll
  – 6:7
  – 참여 수가 너무 적어 결정 못 내림
  – 메일링 리스트에서 계속 논의 (new straw poll)



                                                         23
                PIC draft

• One of approaches of integrating legacy
  authentication mechanisms into IKE
• Switched from XAuth to EAP for legacy
  authentication
  – EAP (Extensible Authentication Protocol, RFC
    2284)
• EAP tunneled within ISAKMP
• No modification to IKE
                                                   24
              PIC Architecture
                                              Legacy
                   Authentication
                                           Authentication
                    Server (AS)
                                           Server (LAS)


Client/User
                                Optional
                                Link


                     Security
                     Gateway
                     (SGW)
                                                       25
                 PIC Protocol
• Three main stages in PIC protocol (Btw Client and AS)
   – establish one-way trust relationship. A secure channel
     from the client to the AS is created (Server
     authenticated)
   – Legacy authentication is performed over this channel.
     Use EAP tunneled within ISKMP (User authenticated)
   – The AS sends the client a (typically short-term)
     credential which can be used in subsequent IKE
     exchanges
• The credential can be thought as
   – a certificate,
   – a private key generated or stored by the AS and
     accompanied by a corresponding certificate, or
   – symmetric secret key                                     26
           PIC Protocol Exchanges
           HDR, SA, KE, Ni
                                 서버인증
                                            HDR, SA, KE, Nr, IDir, [ CERT,]
                                            SIG_R, HASH, <EAP> [, <EAP>…]

HDR*, HASH, EAP, [EAP …]
[CREDENTIAL-REQUEST]
                                 사용자인증
                                            HDR*, HASH, EAP, [EAP …]
                                            [CREDENTIAL]


  SIG-R is derived from HASH-R
  HASH-R = prf(SKEYID_a, g^xr | g^xi |CKY-R | CKY-I | Sar_b | IDir_b)

                                                                              27
                  Getcert draft
• The architecture is similar to PIC’s
   – integrate legacy authentication into IKE
   – use the separated AS
• The differences is in the details:
   – use TLS and HTTP
• However, recently changed to EAP




                                                28
Mobile IPv6 Security Issue




                             29
        Mobile IPv6 Operation


                                    Mobile
                                    Node
                           R

           R    Internet

Home
Agent                      R
                                Correspondent
                                Node

                                           30
        Binding messages


                                 Mobile
                                 Node
                         R

        R     Internet

Home
Agent                    R
                             Correspondent
                             Node

                                        31
        Triangle Routing


                                 Mobile
                                 Node
                         R

        R     Internet

Home
Agent                    R
                             Correspondent
                             Node

                                        32
        Route Optimization


                                  Mobile
                                  Node
                          R

         R     Internet

Home
Agent                     R
                              Correspondent
                              Node

                                         33
        Route Optimization (cont.)


                                      Mobile
                                      Node
                              R

             R     Internet

Home
Agent                         R
                                  Correspondent
                                  Node

                                             34
 Authentication of Binding msg
• IPsec을 이용하려 했으나
  – AH, ESP
• Mobile 환경에서는 IPsec 프로토콜을 적용하기
  어려운 것으로 밝혀짐
  – IPsec policy는 트래픽 스트림의 모든 패킷에 적용
  – IKE의 public key 기반 및 heavy processing
• 새로운 Authentication 프로토콜 대안 적시 개발
  필요
  – 이동 통신 사업자의 All-IP 망 구축

                                            35
        Purpose-Built Key (PBK)
• Operation
                                                                  Correspondent node
 Mobile node

 i) Create a public/ private key pair (PBK)

 ii) Endpoint ID = hash (public part of PBK)

 iii) Send EID
                                               Initial Packet (EID)



 iv) Node moves
                                                     ~~~
 v) Send pubic key
                                                  Pubic key


 vi) Send binding message signed by private key
                                          Binding message along with EID
                                                                                       36
     Purpose-Built Key (cont.)
• Pros and Cons
  – Lighter-weight method of authorizing binding messages
     • Jeff Schiller (Security Area Co-chair), Scott Brader, Allison
       Mankin (Transport Area Co-chair)
  – However, less security than IPsec
     • Man-in-the-middle attack 가능
  – Not user authentication, but machine authentication
• IPv6 proponents fear that mobile WG adopt PBK
  approach

                                                                       37

								
To top