1 / 11

The Future role of HIP in Secure Data Signaling

Aalto University February 1, 2011 Robert Moskowitz Verizon. The Future role of HIP in Secure Data Signaling. RFC 1925 The Twelve Truths of Networking. 12 ) In protocol design, perfection has been reached not when there is nothing left to add, but when there is nothing left to take away.

Download Presentation

The Future role of HIP in Secure Data Signaling

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Aalto University February 1, 2011 Robert Moskowitz Verizon The Future role of HIPin Secure Data Signaling

  2. RFC 1925The Twelve Truths of Networking 12 ) In protocol design, perfection has been reached not when there is nothing left to add, but when there is nothing left to take away.

  3. Topics • The prevalence of unsecured data signaling • The characteristics of a signaling channel • Narrowing the path into a control system • Why a unique secure protocol • How HIP meets the requirements

  4. The Prevalence of Unsecured Data Signaling • In Internet control systems • Manufacturing control systems • Utility Control Systems

  5. The Characteristics of a Signaling Channel • Structured data • Short, infrequent transmissions • Always exceptions like routing table updates

  6. Narrowing the Path into the Control System • Traditional (i.e. non-internet) signaling channels ONLY supported the defined signals • The more paths (that is protocols and ports) the more attack vectors • “In a house of 100 windows, a crook only needs one open.” • “Future Proofing” cuts both ways • Supports new uses and new attacks • Minimalistic design

  7. Why not Secure Data Objects • Significant opportunity for errors before object integrity is proved • Cryptographically expensive • See prior lecture • Sometimes needed • Utility rate

  8. Why a Unique Secure Protocol • General purpose protocols can generally be used for attacks • Purpose built protocols SHOULD be limited in scope • But can end up being just another tunnel, like TCP/IP over HTTP • Attacks can only be within the security framework • Easier to study and correct

  9. How HIP meets the requirements • Only HIP frames processed by HIP state machine • HIP UPDATE • The UPDATE frame is fully protected • May included Encrypted TLV • Any payload possible with TLV • Caveat: limited size, large content may require chaining • HIPCUP may be an alternative • HIT allows for easy implementation of ACL for control access

  10. How HIP meets the requirements • Application SHOULD be ignorant of lower layers • Not really true in TCP developed applications like HTTP • UDP applications tend to be more independent • No reason to rely totally on HIP • Commands to allow for limited use of IP protocols • e.g. command with UPDATE may be to open UDP and start tftp download of new firmware

  11. Designing for Secure Signaling • No reliance on transport characteristics • Features of TCP like retransmissions and large data support • Data size issue is major complication • Where does fragmentation get recognized and handled? • Argument for application management and avoid lower layer complexities • Assume secure • Trust, but validate • Security context signaling required

More Related