1 / 11

Transport Layer Security TLS in TWAMP New Mode for Control Protocol

2. Background. Security measures were controversial for OWAMP and (quickly revisited for) TWAMPA compromise was reached (AES in CBC and ECB modes with HMAC for integrity protection).Key aspect of the

holt
Download Presentation

Transport Layer Security TLS in TWAMP New Mode for Control Protocol

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


    1. Transport Layer Security (TLS) in TWAMP ? New Mode for Control Protocol Al Morton November 9, 2008

    2. 2 Background Security measures were controversial for OWAMP and (quickly revisited for) TWAMP A compromise was reached (AES in CBC and ECB modes with HMAC for integrity protection). Key aspect of the “ *WAMPs” packet loss possible in Test protocol, no retransmit OWAMP Security Considerations discuss why TLS is unsuitable in TEST protocol RFC 4656 OWAMP requires TEST protocol mode to inherit the CONTROL protocol mode.

    3. 3 Enter TWAMP Desire to add Mixed-Security Mode Encrypted Control, Unauthenticated Test Uses current methods AES-CBC & HMAC draft-ietf-ippm-more-twamp-00 @ WGLC? Running TWAMP Test in clear frees resources, Encrypted Control still valuable Question: Do implementers see value in adopting a TLS for the TWAMP-Control protocol? (With TWAMP-Test in the clear)

    4. 4 TLS Mode Investigation The NETCONF wg has reached consensus on a similar effort NETCONF over TLS draft-ietf-netconf-tls Requests a new TCP well-known port NETCONF Manager acts as TLS client NETCONF Agent listens as TLS server TLS Handshake (HS) begins with Manager/client sending TLS ClientHello After TLS HS, exchange NETCONF data

    5. 5 Modes Allowed with TLS ---------------------------------------------------- Protocol | Permissible Mode Combinations ---------------------------------------------------- Control | Unauth. | Encrypted | TLS ---------------------------------------------------- | Unauth. | Unauth. | Unauth. ------------------------------------------- Test | | Auth. | ------------------------------------------- | | Encrypted | ----------------------------------------------------

    6. 6 TLS Mode Feature (w-k port) C-C Server |---------->| TCP SYN (862) |<----------| SYN-ACK |---------->| ACK |<----------| Server Greeting TLS-Mode Feature, bit ? set |---------->| Set-Up-Response (mod) |<--------->| TLS Handshake |<----------| Server Start (mod)

    7. 7 Modes Field Assignment for TLS Value Description Reference/Explanation 0 Reserved 1 Unauthenticated RFC4656, Section 3.1 2 Authenticated RFC4656, Section 3.1 4 Encrypted RFC4656, Section 3.1 8 Unauth. TEST protocol, more-twamp memo (3) Encrypted CONTROL ------------------------------------------------------- ? TLS CONTROL protocol, new bit position (?) Unauth. TEST protocol

    8. 8 TLS Mode Feature (new port) C-C Server |---------->| TCP SYN (86x) |<----------| SYN-ACK (TLS Mode) |---------->| ACK |---------->| TLS ClientHello |<--------->| TLS Handshake |<----------| Server Greeting Only New Features, bits Y,Z set |---------->| Set-Up-Response (mod) |<----------| Server Start (mod)

    9. 9 Summary A way to use TLS on TWAMP-Control protocol is “out there” can probably count on SEC community to help But do we start on this n-year mission? Many issues raised in section 6.6 of OWAMP Will implementers/users see this as a valuable alternative to what we have now? Is this anybody’s “Ideal TWAMP” ? Are there other questions we should ask? Let’s talk about it, now and on the list…

    10. Backup

    11. 11 Security Modes MUST Match RFC4656 OWAMP requires TEST to match the CONTROL protocol. “All OWAMP-Test sessions that are spawned by an OWAMP-Control session inherit its mode.” Maybe clarify with a MUST in Errata…

More Related