
Achieving Local Availability of Group SA



Achieving Local Availability of Group SA



Presentation Transcript


  1. Achieving Local Availability of Group SA
  Ya Liu, liuya@huawei.com
  Bill Atwood, bill@cse.concordia.ca
  Brian Weis, bew@cisco.com
  IETF 70, Dec 2007, Vancouver

  2. Background
  • Group security model is used in OSPFv3 IPsec and PIM-SM link-local security.
  • Please refer to RFC4552 and draft-ietf-pim-sm-linklocal for more details.
  • Currently, only the manual keying method is proposed.
  • Manual method is neither scalable nor secure.
  • It has been proposed to achieve automated group keying for OSPF and PIM using MSEC GKM protocols.
  • Please refer to draft-liu-ospfv3-automated-keying-req and draft-ietf-pim-sm-linklocal for more details.

  3. A Chicken & Egg Issue
  • MSEC GKM protocols fail in the OSPF case because they are based on a client/server model. This means these protocols rely on reachability between clients and servers for the clients to obtain the group SA from the key server. In the OSPF case, the GKM is providing protection for OSPF, which is an essential component in providing reachability between the clients and servers. Hence, the client/server model breaks down in this situation.
  • PIM has no such issue.
  • Thus, the solution for OSPF also applies to PIM.

  4. Possible Solutions
  • Locally deploying GCKS
    • No extensions are needed.
  • Separating GC/KS, and locally deploying KS while centrally deploying GC
    • For cost consideration, the KS can be logical. For example, a protocol (e.g., OSPF, PIM) speaking router works as the KS of its listeners.
    • An extension to specify the protocol between a centralized GC and the individual KS is needed.
  • Locally deploying delegates, centrally deploying GCKS
    • An extension to relay group keying service between the centralized GCKS and local group members is needed.
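The dependency loop on slide 3 and the effect of the local-KS option on slide 4 can be made concrete with a small bootstrap model. The following Python is an added example, not part of the slides or of any MSEC/OSPF implementation. Its assumptions (constructed, not from the presentation): a router fetches a link's group SA from that link's key server only if it can reach the server; it can reach the server either directly over a shared link or over a path of links on which an OSPF adjacency is already up; an adjacency on a link is up only when every router on that link holds the link's group SA. The topology (a chain R1-R2-R3-R4) and the names `LINKS`, `ROUTERS`, `bootstrap` and `links_up` are constructed for the example. The delegate option is not modelled.

```python
"""Constructed model of the group-SA bootstrap dependency (OSPF protected by a
GKM that itself needs OSPF-provided reachability). Not the slides' code."""
from collections import deque

# Constructed topology: chain R1 - R2 - R3 - R4, one link per adjacent pair.
LINKS = {"L12": {"R1", "R2"}, "L23": {"R2", "R3"}, "L34": {"R3", "R4"}}
ROUTERS = {"R1", "R2", "R3", "R4"}


def adjacencies(sa_held):
    """Links whose OSPF adjacency is up: every router on the link holds the
    link's group SA (sa_held maps router -> set of link names)."""
    return {link for link, ends in LINKS.items()
            if all(link in sa_held[r] for r in ends)}


def reachable(src, dst, up_links):
    """True if src can send to dst: the last hop may be a shared link (no
    route needed); every earlier hop must cross a link whose adjacency is up,
    because that is the only way a route to it has been learned."""
    seen, queue = {src}, deque([src])
    while queue:
        cur = queue.popleft()
        if any({cur, dst} <= ends for ends in LINKS.values()):
            return True
        for link in up_links:
            if cur in LINKS[link]:
                for nxt in LINKS[link] - {cur}:
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append(nxt)
    return False


def bootstrap(key_servers):
    """key_servers maps link name -> router acting as KS for that link.
    Repeatedly let routers fetch any SA whose KS they can reach, until no
    further progress is possible. Returns the final sa_held mapping."""
    sa_held = {r: set() for r in ROUTERS}
    for link, ks in key_servers.items():
        sa_held[ks].add(link)  # a KS trivially holds the SAs it serves
    changed = True
    while changed:
        changed = False
        up = adjacencies(sa_held)
        for link, ends in LINKS.items():
            for r in ends:
                if link not in sa_held[r] and reachable(r, key_servers[link], up):
                    sa_held[r].add(link)
                    changed = True
    return sa_held


def links_up(key_servers):
    """Sorted list of links that end up with a working adjacency."""
    return sorted(adjacencies(bootstrap(key_servers)))


if __name__ == "__main__":
    # Slide 3: one centralized GCKS (R1) for the whole domain.
    central = {link: "R1" for link in LINKS}
    print("central KS, links up:", links_up(central))      # ['L12'] only
    # Slide 4: a protocol-speaking router on each link acts as KS for its listeners.
    per_link = {"L12": "R1", "L23": "R2", "L34": "R3"}
    print("per-link KS, links up:", links_up(per_link))    # all three links
```

With the centralized server only the server's own link ever comes up: R2 can fetch its SAs over the shared link, but R3 and R4 would need a route through R2, and R2 cannot advertise one until the L23 adjacency, which itself needs the SA, is up. With a key server on every link each router reaches its server without any route, and the whole chain converges.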

  5. Suggestion
  • Choose one solution and standardize it.
  • If extensions to MSEC GKM protocols are necessary, such work SHOULD be done in MSEC.
  • Both OSPF WG and PIM WG need to write their own I-Ds to profile use of MSEC GKM protocols.
  • Optionally, MSEC WG may produce a guideline doc to introduce the use of MSEC GKM protocols in other control plane protocols, such as OSPF, PIM, RSVP, etc.

  6. Comments? Thanks!
