1 / 10

Composite Cryptographic Groups for Multicast IPsec

This document discusses the definition, requirements, motivation, and implementation of composite cryptographic groups for multicast IPsec. It explores the advantages and drawbacks of using composite groups and proposes their inclusion in the MSEC working group.

enolan
Download Presentation

Composite Cryptographic Groups for Multicast IPsec

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Multicast IPsec Composite Cryptographic Groups George Gross IdentAware™ Multicast Security gmgross@IdentAware.com IETF-66, Montreal, Canada July 11th 2006 IETF-66 MSEC IPsec composite groups page 1

  2. Composite Cryptographic Groups • Definition: The logical group formed from union of two or more sub-groups, each sub-group supporting different cryptographic properties (e.g. IPsec software version). • Composite groups occur when large-scale groups contains multiple protocol versions or multiple partially interoperable vendors. • e.g. retiring 3-DES, migrating to AES • software bug fixes IETF-66 MSEC IPsec composite groups page 2

  3. IPsec SubsystemComposite Group Requirements • Multicast application is unaware of sub-groups, it only sends one packet to the composite group, not each sub-group. • Must provide a mechanism where each data packet gets replicated for each sub-group, and treated with the respective sub-group’s IPsec cryptographic policy. • IPsec policy per sub-group, set by its GCKS IETF-66 MSEC IPsec composite groups page 3

  4. Motivation for Composite Groups • Can not easily upgrade a large-scale group, no “flag day” is allowed • Cryptographic algorithms age or break, need strategy to move to new ones • witness recent attacks on MD5, SHA-1 • Parallel vendor-specific sub-groups support different feature sets, want best combination • Straddle IPv4 and IPv6 sub-groups IETF-66 MSEC IPsec composite groups page 4

  5. Transport Mode IPsec Transport mode multicast data security association Group Speaker Host IPsec Subsystem A2 A1 A0 A5 A3 B2 A4 B4 Sub-Group A B1 B0 B5 B3 Internet Sub-Group B IETF-66 MSEC IPsec composite groups page 5

  6. Composite Cryptographic Group IPsec Transport Mode • End-to-end security, no plain-text on wire • Supports Native, BITS, and BITW architectural modes • Requires IPsec subsystem replicate each data SA packet for each sub-group before applying its cryptographic algorithms • do not want the multicast application to be aware of the cryptographic sub-groups IETF-66 MSEC IPsec composite groups page 6

  7. Application data sent unencrypted across multicast LAN to security gateways Tunnel Mode IPsec Group Speaker multicast-capable LAN IPsec Tunnel Endpoint IPsec Tunnel Endpoint IPsec Security Gateway IPsec Security Gateway Internet A2 A1 B2 A0 A5 B4 A3 B1 A4 Sub-Group A B0 B5 B3 Sub-Group B IETF-66 MSEC IPsec composite groups page 7

  8. Composite Cryptographic GroupIPsec Tunnel Mode • Application multicasts its data to two or more IPsec security gateways, one gateway per sub-group. • Advantage: simply bolt together as many gateways as there are sub-groups • Drawback: Unencrypted data must transit a trusted network to reach the gateways IETF-66 MSEC IPsec composite groups page 8

  9. Composite Groups Proposed for Experimental Track • Request that draft-gross-ipsec-composite-group-00.txt become a MSEC WG item • Publish as an IETF experimental RFC • Revise and transition to a proposed standard RFC after: • additional operational experience • wider recognition by industry that this provides a solution that merits full standardization IETF-66 MSEC IPsec composite groups page 9

  10. Background Reading • draft-gross-msec-ipsec-composite-group-00.txt • draft-ietf-msec-ipsec-extensions-02.txt • RFC4301 - IP security architecture IETF-66 MSEC IPsec composite groups page 10

More Related