
IPSEC Standardization Trends



Presentation Transcript


  1. IT Forum Korea 2001 IPSEC Standardization Trends 이계상, Department of Information and Communication Engineering, Dong-eui University http://www.dongeui.ac.kr/~ksl

  2. Contents • Highlights of the 50th IETF meeting (Minneapolis) • IPSEC WG • IPSP WG • IPSRA WG • Mobile IPv6 security issues

  3. IETF WGs related to IP security • IPSEC WG • formed in 1993 • standardizes IP security protocols and algorithms • IPSP WG • first WG meeting in March 2000 • policy issues • IPSRA WG • first WG meeting in March 2000 • remote-access issues • 50th IETF meeting (Minneapolis, USA) • 2001.3.18 - 23

  4. IPSEC WG

  5. IPsec MIB documents • The following three documents will go to WG last call shortly • draft-ietf-ipsec-isakmp-di-mon-mib-03.txt • draft-ietf-ipsec-ike-monitor-mib-02.txt • draft-ietf-ipsec-monitor-mib-04.txt

  6. Announcement • Next IPsec bakeoff (interoperability workshop) • Espoo, Finland (near Helsinki) • 2001.8.13 – 19 (the week right after the London IETF meeting)

  7. IPv6 and IPsec - ICMPv6 issues • ICMPv6 messages • Destination Unreachable • Packet Too Big • Time Exceeded • Parameter Problem • Echo Request/Reply • Redirect • Router Solicit/Advert • Neighbor Solicit/Advert • Router Renumbering

  8. Example of the ICMPv6 problem • Host A wants to communicate securely with host B • Policy: protect all traffic • IKE message → UDP → ICMPv6 message (Neighbor Solicitation, the IPv6 replacement for ARP) → which under this policy itself needs IKE ??? • Result: automatic SAs via IKE cannot be used [figure: hosts A and B]

  9. ICMPv6 and IKE • Relationship between each ICMPv6 message and the use of IKE (message: use of IKE?) • Destination Unreachable: may • Packet Too Big: may • Time Exceeded: may • Parameter Problem: may • Echo Request/Reply: may • Redirect: should not • Router Solicit/Advert: must not • Neighbor Solicit/Advert: must not • Router Renumbering: may

  10. Solution • A proposal to protect ICMPv6 messages with manually keyed IPsec SAs was discussed • A way to reduce the overhead of manual configuration was proposed together with it • Documents • draft-arkko-icmpv6-ike-effects-00.txt • draft-arkko-manual-icmpv6-sas-00.txt • More discussion on the list
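The dependency chain on slides 8 and 10 (IKE runs over UDP, UDP delivery needs Neighbor Solicitation, and a "protect everything" policy wants Neighbor Solicitation protected by an IKE-negotiated SA) is easy to get wrong in a real SPD, so here it is as a small model. This is an added example, not code from the slides or from the Arkko drafts; the host, SPD entries, selectors and action names are invented, and link-layer resolution is reduced to one Neighbor Solicitation per peer:

```python
"""Toy model of the ICMPv6 / IKE bootstrap problem (slides 8-10).

Constructed example: a host with a security policy database (SPD), a
security association database (SAD) and a link layer that must resolve the
peer with Neighbor Solicitation before any packet, IKE's own UDP packets
included, can leave the interface.  All names and selectors are invented.
"""
from dataclasses import dataclass, field
from typing import Optional

TCP, UDP, ICMPV6 = 6, 17, 58
NEIGHBOR_SOLICIT = 135          # ICMPv6 type 135, the IPv6 replacement for ARP
IKE_PORT = 500


class Deadlock(Exception):
    """A step needed to deliver a packet is already waiting on that same packet."""


@dataclass(frozen=True)
class Packet:
    proto: int
    dst: str
    icmp_type: Optional[int] = None
    dport: Optional[int] = None

    def selector(self):
        return (self.proto, self.icmp_type)


@dataclass
class Host:
    # SPD: ordered (selector, action); selector (proto, None) matches every ICMPv6 type.
    # Actions: "bypass", "protect-ike" (negotiate the SA with IKE),
    # "protect-manual" (the SA must already be keyed in the SAD).
    spd: list
    sad: set = field(default_factory=set)        # selectors that currently have an SA
    resolved: set = field(default_factory=set)   # peers whose link-layer address is known
    pending: list = field(default_factory=list)  # packets whose delivery is in progress

    def policy(self, pkt):
        for sel, action in self.spd:
            if sel == pkt.selector() or sel == (pkt.proto, None):
                return action
        return "discard"

    def send(self, pkt, trace):
        step = (pkt.selector(), pkt.dst)
        if step in self.pending:                 # already waiting on this very packet
            raise Deadlock(" <- ".join(str(s) for s in self.pending + [step]))
        self.pending.append(step)
        try:
            action = self.policy(pkt)
            if action == "discard":
                raise PermissionError(f"no SPD entry for {pkt}")
            if action == "protect-ike" and pkt.selector() not in self.sad:
                # No SA yet: IKE must run first, and IKE is itself UDP traffic to the peer.
                self.send(Packet(UDP, pkt.dst, dport=IKE_PORT), trace)
                self.sad.add(pkt.selector())
            if action == "protect-manual" and pkt.selector() not in self.sad:
                raise LookupError(f"policy wants a manual SA for {pkt.selector()} but none is keyed")
            # Neighbor Solicitation goes to a multicast address and needs no resolution
            # of its own; every other packet needs the peer resolved first.
            if pkt.dst not in self.resolved and pkt.icmp_type != NEIGHBOR_SOLICIT:
                self.send(Packet(ICMPV6, pkt.dst, icmp_type=NEIGHBOR_SOLICIT), trace)
                self.resolved.add(pkt.dst)
            trace.append(f"delivered {action}: {pkt.selector()}")
        finally:
            self.pending.pop()


def attempt(spd, manual_sas=()):
    """Try to send one TCP packet from A to B under the given SPD.

    Returns ("ok", delivery trace) or ("deadlock", dependency chain)."""
    host = Host(spd=spd, sad=set(manual_sas))
    trace = []
    try:
        host.send(Packet(TCP, "B"), trace)
        return "ok", trace
    except Deadlock as e:
        return "deadlock", str(e)


# Slide 8: "protect all traffic"; IKE's own UDP/500 packets are bypassed, as always.
PROTECT_EVERYTHING = [
    ((UDP, None), "bypass"),
    ((ICMPV6, None), "protect-ike"),   # covers Neighbor Solicitation -> chicken and egg
    ((TCP, None), "protect-ike"),
]

# Slide 10: a manually keyed SA for Neighbor Solicitation, everything else unchanged.
MANUAL_ND_SA = [((ICMPV6, NEIGHBOR_SOLICIT), "protect-manual")] + PROTECT_EVERYTHING

if __name__ == "__main__":
    print(attempt(PROTECT_EVERYTHING))
    print(attempt(MANUAL_ND_SA, manual_sas={(ICMPV6, NEIGHBOR_SOLICIT)}))
```

The first call returns the loop itself as its result (TCP waits on IKE, IKE waits on Neighbor Solicitation, Neighbor Solicitation waits on IKE again); the second delivers in the order the slides imply: the manually keyed Neighbor Solicitation first, then IKE, then the application packet. Listing the manual entry in the SPD without actually keying the SA fails loudly instead, which is the check worth having on a host that is configured this way.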

  11. Secure MPLS • MPLS: Sub-IP Area, mpls WG • Two documents • draft-tsenevir-smpls-doi-00.txt • draft-tsenevir-smpls-01.txt • SMPLS-AH • SMPLS-ESP • OK to run IKE over RSVP? • Requirements?

  12. IPsec and NAT • Two documents • IPsec NAT-Traversal: draft-stenberg-ipsec-nat-traversal-02.txt • IPsec ESP Encapsulation in UDP for NAT Traversal: draft-huttunen-ipsec-esp-in-udp-01.txt • The two documents were discussed together with a view to merging them • A new combined document is to be posted soon
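Why the NAT-traversal work converged on carrying ESP inside UDP, rather than on AH, is easier to see with the bytes in hand. The following is an added example, not code from either draft: it uses the wire format the IETF later standardized in RFC 3948 (UDP port 4500, ESP placed directly after the UDP header, IKE on the same port prefixed with a four-byte zero "non-ESP marker", a one-byte 0xFF NAT-keepalive), with invented keys and addresses and the ESP payload treated as already-encrypted opaque bytes:

```python
"""UDP encapsulation of ESP for NAT traversal (slide 12).

Constructed example.  Wire format as later standardized in RFC 3948; the
integrity tags are truncated HMACs standing in for a real ESP/AH ICV.
"""
import hashlib
import hmac
import ipaddress
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # SPI 0 is reserved, so ESP never starts this way
KEEPALIVE = b"\xff"
ICV_LEN = 12                            # truncated tag, as with HMAC-SHA-1-96


def _icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def esp_packet(spi, seq, ciphertext, key):
    """ESP = SPI | sequence | payload | ICV.  Nothing from the outer IP/UDP header is covered."""
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + _icv(key, body)


def esp_verify(packet, key):
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(_icv(key, body), icv)


def ah_icv(src_ip, dst_ip, spi, seq, payload, key):
    """AH's ICV also covers the immutable IP header fields, addresses included."""
    header = ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    return _icv(key, header + struct.pack("!II", spi, seq) + payload)


def encapsulate_esp(esp):
    """UDP/4500 payload for ESP: the ESP packet itself, with nothing in front of it."""
    return esp


def encapsulate_ike(ike):
    """UDP/4500 payload for IKE: the non-ESP marker, then the ISAKMP message."""
    return NON_ESP_MARKER + ike


def demux(udp_payload):
    """Classify a UDP/4500 payload the way a NAT-T receiver does."""
    if udp_payload == KEEPALIVE:
        return ("keepalive", b"")
    if len(udp_payload) < 4:
        raise ValueError("runt NAT-T payload")
    if udp_payload[:4] == NON_ESP_MARKER:
        return ("ike", udp_payload[4:])
    spi = struct.unpack("!I", udp_payload[:4])[0]
    return ("esp", spi)


def through_nat(key=b"\x11" * 32):
    """Push one ESP-protected and one AH-protected packet through a source NAT.

    Returns (esp_still_valid, ah_still_valid) as seen by the receiver."""
    inner = b"\x9a\x3c\x7f\x01\xde\xad\xbe\xef"     # constructed: already-encrypted bytes
    priv_src, nat_src, dst = "10.0.0.5", "203.0.113.9", "198.51.100.20"

    esp = esp_packet(0x1000, 1, inner, key)
    ah_tag = ah_icv(priv_src, dst, 0x2000, 1, inner, key)

    # The NAT rewrites the outer source address and UDP source port and recomputes
    # the UDP checksum; the bytes after the UDP header arrive untouched.
    kind, spi = demux(encapsulate_esp(esp))
    esp_ok = kind == "esp" and spi == 0x1000 and esp_verify(esp, key)
    # The AH receiver computes the ICV over the header it actually received.
    ah_ok = hmac.compare_digest(ah_icv(nat_src, dst, 0x2000, 1, inner, key), ah_tag)
    return esp_ok, ah_ok


if __name__ == "__main__":
    print(through_nat())        # (True, False)
```

Two points fall out of the code: the receiver can keep ESP, IKE and keepalives on one port only because a legitimate SPI is never zero, and AH fails not because of the UDP wrapper but because its ICV is computed over an address the NAT has rewritten.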

  13. Son of IKE • To fix bugs, not to add any features • Needs to be implementation preserving • One proposal is to combine the three documents into a new draft • Unnecessarily long, duplicated, … • More discussion

  14. IPSP WG

  15. Past Meetings • BOF • 1999.3 • 1st WG meeting • 47th IETF, Adelaide, Australia, 2000.3 • 2nd WG meeting • 48th IETF, Pittsburgh, USA, 2000.8 • 3rd WG meeting • 49th IETF, San Diego, USA, 2000.12 • 4th WG meeting • 50th IETF, Minneapolis, USA, 2001.3

  16. Drafts • No RFC • 5 WG drafts • A Roadmap for IPsec Policy Management • IPSP Requirements • IPsec Configuration Policy Model • IPsec Policy Configuration MIB • IPSec Policy Information Base

  17. Main documents discussed • Policy Management Roadmap • Requirements draft • draft-ietf-ipsp-requirement-00.txt • No change, no comments since last meeting • Configuration policy model • draft-ietf-config-policy-model-02.txt • Reported on whether it is consistent with the Policy Framework WG's PCIM extension draft • These three documents will go to last call soon

  18. Main documents discussed (cont.) • IPsec configuration MIB • draft-ipsp-ipsec-config-mib-00.txt • IPsec Policy Information Base (PIB) • draft-ipsp-ipsecpib-02.txt • Next steps • PF_Policy draft, design of an SG discovery protocol, security policy specification language

  19. IPSRA WG

  20. Past Meetings • 1st BOF • 2nd BOF • Washington, 1999.11 • 1st WG meeting • 47th IETF, Adelaide, Australia, 2000.3 • 2nd WG meeting • 48th IETF, Pittsburgh, USA, 2000.8 • 3rd WG meeting • 49th IETF, San Diego, USA, 2000.12 • 4th WG meeting • 50th IETF, Minneapolis, USA, 2001.3

  21. Drafts • No RFC • 4 WG drafts • Requirements draft • DHCP configuration draft • Two authentication drafts

  22. Status of main documents • Requirements draft • Currently version 03 • No comments since last meeting • Comments requested from the L2TP ext WG • To become an Informational RFC • DHCP draft, version 09 • In IETF last call (for Proposed Standard RFC)

  23. Remote User Authentication • Two proposals • Pre-IKE Credential Provisioning Protocol • PIC draft: draft-ietf-ipsra-pic-01.txt • Client Certificate and Key Retrieval for IKE • getcert draft: draft-ietf-ipsra-getcert-00.txt • Recent straw poll • 6:7 • Too few participants to reach a decision • Discussion continues on the mailing list (new straw poll)

  24. PIC draft • One approach to integrating legacy authentication mechanisms into IKE • Switched from XAuth to EAP for legacy authentication • EAP (Extensible Authentication Protocol, RFC 2284) • EAP tunneled within ISAKMP • No modification to IKE

  25. PIC Architecture [figure: Client/User, Authentication Server (AS), Legacy Authentication Server (LAS), Security Gateway (SGW); one link marked optional]

  26. PIC Protocol • Three main stages in the PIC protocol (between client and AS) • Establish a one-way trust relationship: a secure channel from the client to the AS is created (server authenticated) • Legacy authentication is performed over this channel, using EAP tunneled within ISAKMP (user authenticated) • The AS sends the client a (typically short-term) credential which can be used in subsequent IKE exchanges • The credential can be thought of as • a certificate, • a private key generated or stored by the AS and accompanied by a corresponding certificate, or • a symmetric secret key

  27. PIC Protocol Exchanges • Server authentication • Client → AS: HDR, SA, KE, Ni • AS → Client: HDR, SA, KE, Nr, IDir, [CERT,] SIG_R, HASH, <EAP> [, <EAP>…] • User authentication • Client → AS: HDR*, HASH, EAP, [EAP …] [CREDENTIAL-REQUEST] • AS → Client: HDR*, HASH, EAP, [EAP …] [CREDENTIAL] • SIG_R is derived from HASH_R • HASH_R = prf(SKEYID_a, g^xr | g^xi | CKY-R | CKY-I | SAr_b | IDir_b)

  28. Getcert draft • The architecture is similar to PIC's • integrates legacy authentication into IKE • uses a separate AS • The differences are in the details: • uses TLS and HTTP • However, recently changed to EAP

  29. Mobile IPv6 Security Issue

  30. Mobile IPv6 Operation [figure: Mobile Node, routers (R), Internet, Home Agent, Correspondent Node]

  31. Binding messages [figure: Mobile Node sends a Binding Update toward the Home Agent and receives a Binding Acknowledgement; Correspondent Node also shown]

  32. Triangle Routing [figure: Mobile Node, routers (R), Internet, Home Agent, Correspondent Node]

  33. Route Optimization [figure: Binding Update and Binding Ack exchanged with the Correspondent Node; Home Agent also shown]

  34. Route Optimization (cont.) [figure: Mobile Node, routers (R), Internet, Home Agent, Correspondent Node]

  35. Authentication of binding messages • IPsec (AH, ESP) was the intended mechanism, but • it turned out to be hard to apply the IPsec protocols in the mobile environment • IPsec policy applies to every packet of a traffic stream • IKE is public-key based and processing-heavy • A new authentication protocol needs to be developed in time as an alternative • Mobile operators are building All-IP networks

  36. Purpose-Built Key (PBK) • Operation (mobile node and correspondent node) • i) The mobile node creates a public/private key pair (the PBK) • ii) Endpoint ID (EID) = hash(public part of PBK) • iii) Send the EID in the initial packet • ~~~ • iv) The node moves • v) Send the public key • vi) Send the binding message signed by the private key, along with the EID

  37. Purpose-Built Key (cont.) • Pros and cons • Lighter-weight method of authorizing binding messages • Jeff Schiller (Security Area Co-chair), Scott Bradner, Allison Mankin (Transport Area Co-chair) • However, less security than IPsec • Man-in-the-middle attack possible • Not user authentication, but machine authentication • IPv6 proponents fear that the mobile WG will adopt the PBK approach
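The six PBK steps on slide 36 and the two weaknesses on slide 37 (man-in-the-middle, machine rather than user authentication) can be exercised end to end with a few dozen lines. This is an added example, not code from the PBK draft: the correspondent node remembers EID = hash(public key) from the first packet, and after a move accepts a binding update only if the revealed key hashes to that EID and signs the update. The signature is a textbook Schnorr signature over a deliberately tiny group (p = 1019) so that the arithmetic stays readable; it gives no real security, and the addresses and message layout are invented:

```python
"""Purpose-Built Key (PBK) binding authorization (slides 36-37).

Constructed example.  The Schnorr group below is a toy (p = 2q + 1 = 1019,
generator of order q = 509): INSECURE, for illustration only.
"""
import hashlib
import secrets

P, Q, G = 1019, 509, 4


def h(*parts):
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def keygen(x=None):
    """Private x in [1, q-1], public y = g^x mod p."""
    x = x if x is not None else secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x, msg):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = h(str(r).encode(), msg) % Q
    return e, (k - x * e) % Q


def verify(y, msg, sig):
    e, s = sig
    r = (pow(G, s, P) * pow(y, e, P)) % P      # g^s * y^e = g^(k - xe + xe) = g^k
    return h(str(r).encode(), msg) % Q == e


def eid(y):
    """Step ii: the endpoint identifier is a hash of the public key."""
    return hashlib.sha256(str(y).encode()).hexdigest()


def binding_msg(home_addr, care_of):
    return f"BU {home_addr} -> {care_of}".encode()


class CorrespondentNode:
    def __init__(self):
        self.eid_of = {}     # home address -> EID learned from the initial packet

    def initial_packet(self, home_addr, eid_value):
        """Step iii: the first EID seen for an address is the one that sticks."""
        self.eid_of.setdefault(home_addr, eid_value)

    def binding_update(self, home_addr, care_of, y, sig):
        """Steps v-vi: key must hash to the remembered EID and must sign the update."""
        if eid(y) != self.eid_of.get(home_addr):
            return False
        return verify(y, binding_msg(home_addr, care_of), sig)


class MobileNode:
    def __init__(self, home_addr, x=None):
        self.home = home_addr
        self.x, self.y = keygen(x)                 # step i

    def initial(self, cn):
        cn.initial_packet(self.home, eid(self.y))

    def move(self, cn, care_of):
        sig = sign(self.x, binding_msg(self.home, care_of))
        return cn.binding_update(self.home, care_of, self.y, sig)


def other_key(mn):
    """A private key guaranteed to differ from mn's (so a different EID), for the attacker."""
    return (mn.x % (Q - 1)) + 1


def honest_run():
    cn, mn = CorrespondentNode(), MobileNode("2001:db8::1")
    mn.initial(cn)
    return mn.move(cn, "2001:db8:1::5")            # True


def hijack_attempt():
    """Someone with a different PBK cannot redirect a binding that already exists."""
    cn, mn = CorrespondentNode(), MobileNode("2001:db8::1")
    mn.initial(cn)
    attacker = MobileNode("2001:db8::1", x=other_key(mn))
    return attacker.move(cn, "2001:db8:bad::1")    # False


def mitm_first_packet():
    """The slide-37 weakness: whoever is on path for the initial packet owns the binding."""
    cn, mn = CorrespondentNode(), MobileNode("2001:db8::1")
    attacker = MobileNode("2001:db8::1", x=other_key(mn))
    attacker.initial(cn)                           # attacker's EID recorded for the victim's address
    mn.initial(cn)                                 # the victim's own EID is now ignored
    return mn.move(cn, "2001:db8:1::5"), attacker.move(cn, "2001:db8:bad::1")   # (False, True)
```

Nothing in the exchange ties the key to a person or a home agent, which is what the slide means by machine rather than user authentication: the correspondent node can only confirm that the binding comes from whoever sent the first packet, and if that first packet was intercepted, that is the attacker.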
