
Implications of Trust Relationships for NSIS Signaling (draft-tschofenig-nsis-casp-midcom.txt)

Authors: Hannes Tschofenig, Henning Schulzrinne. Scope: NSIS also aims to signal non-QoS information. Signaling NAT and firewall information is a possible NSIS application.

acuellar

Presentation Transcript


  1. Authors: Hannes Tschofenig, Henning Schulzrinne. Implications of Trust Relationships for NSIS Signaling (draft-tschofenig-nsis-casp-midcom.txt)

  2. Scope
     • NSIS also aims to signal non-QoS information.
     • Signaling NAT and firewall information is a possible NSIS application.
     • Focus: Security issues for signaling in-path NAT/firewall information.
     • Builds on previous TIST activities.

  3. Possible Trust Relationships: Peer-to-Peer Trust Relationships (e.g. RSVP Integrity Object)
     [Diagram labels: Router 1, Router 2, Router 3, Node A, Node B]

  4. Possible Trust Relationships: End-to-Middle Trust Relationship (might be required for accounting, origin authentication, etc.)
     [Diagram labels: Router 1, Router 2, Router 3, Node A, Node B]

  5. Possible Trust Relationships: Middle-to-Middle Trust Relationship (e.g. local objects; authorization tokens)
     [Diagram labels: Router 1, Router 2, Router 3, Node A, Node B]

  6. Possible Trust Relationships: End-to-End Trust Relationship
     [Diagram labels: Router 1, Router 2, Router 3, Node A, Node B]

  7. Peer-to-Peer Security only
     • Security protection between end hosts and networks depends on scenario (=> Secure Network Access)
     [Diagram labels: Administrative Domain A, Core Network, Administrative Domain B, Node A, Node B]

  8. Intra-domain Trust Relationship
     • Edge routers must receive particular attention.
     • Intra-domain signaling message protection is still required to “separate” NSIS nodes from non-NSIS nodes (by signaling message protection).
     [Diagram labels: Administrative Domain A, Router, Edge Router A, Edge Router B, PDP, Router]

  9. End-to-Middle Authentication
     • In a firewall traversal environment user authentication might also be required to intermediate networks.
     [Diagram labels: Administrative Domain A, Core Network, Administrative Domain B, User Credentials, Node A, Node B]

  10. Missing Trust
     • Without protection of signaling messages between the two networks a signaling message exchange might not be possible.
     • Alternatives:
        • Authorization Tokens
        • Signaling only at the local access network
        • Receiver-initiated signaling
     [Diagram labels: Administrative Domain A, Core Network, Administrative Domain B, No Trust / No Security Protection, Node A, Node B]

  11. Differences
     What is the difference between signaling firewall and QoS information?
     • Trust relationships and authorization seem to be more important for firewall signaling (because of the nature of a firewall).
     • For QoS signaling, accounting and charging is a very important issue (for firewall signaling probably not).
     • Lower number of devices need to store state / are affected by a firewall signaling protocol.
     NAT handling
     • is also different to firewall signaling
     • must be addressed by NSIS to let the protocol operate correctly.
