Slide 1: Using the IPSec Architecture for Secure Multicast Communication

Thorsten Aurisch [email protected]
Christoph Karg [email protected]
KIE Research Institute for Communication, Information Processing and Ergonomics (Computer Networks)
Research Establishment for Applied Science
Neuenahrer Straße 20
D-53343 Wachtberg, Germany

ICCRTS 2003, 17 slides

Slide 2: Multicast Communication

• Efficient data transmission from one sender to a group of receivers
• Examples of usage:
  - Briefing sessions
  - Database replication
  - Audio/video conferencing
• Idea: send data once and duplicate it where necessary
• Requirement: sophisticated routing infrastructure
• Problem: how to secure the data traffic?

Slide 3: Important Questions

• Which scenario for group communication?
• How to secure the multicast traffic?
• How to manage the security settings?

Slide 4: Scenario (Briefing Session)

[Diagram: Sender 1, Sender 2, …, Sender n send to the multicast group; for each sender i the receivers Receiver (i, 1) … Receiver (i, mi) receive from it.]

Slide 5: Multicast Security

• Mandatory requirements:
  - Secrecy of the data traffic
  - Group authentication
  - Source authentication
  - Forward/backward security
• Group key exchange:
  - Key agreement protocols: collaborative key negotiation
  - Key distribution protocols: generation & distribution via a key server

Slide 6: Scenario (Key Exchange)

[Diagram: the senders Sender 1 … Sender n run a Key Agreement Protocol among themselves; each sender runs a Key Distribution Protocol towards its receivers Receiver (i, 1) … Receiver (i, mi).]

Slide 7: Scenario Details

Sender hosts
• Number n ≈ 25
• Send and receive data
• Connected via broadband networks
• Key exchange via agreement

Receiver hosts
• Number mi ≈ 10000
• Only receive data
• Connected via networks with narrow bandwidth
• Key distribution from a designated sender
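Forward/backward security through key distribution from a designated sender (slides 5 and 7), as an added Go example that is not the project's code: the designated sender rekeys on every membership change and hands the new group key to each current receiver wrapped under a pairwise key, which is assumed here to exist from host authentication. Receiver ids and pairwise keys are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyServer models the deck's designated sender: it generates the group key and
// hands it to each receiver wrapped under a pairwise AES key (assumed here).
type KeyServer struct {
	GroupKey []byte
	Pairwise map[string][]byte // receiver id -> pairwise key (16/24/32 bytes)
}

func Seal(key, plaintext []byte) []byte { // AES-GCM, random nonce prepended
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func Open(key, box []byte) ([]byte, error) { // fails on wrong key or tampering
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(box) < gcm.NonceSize() {
		return nil, errors.New("wrapped key too short")
	}
	return gcm.Open(nil, box[:gcm.NonceSize()], box[gcm.NonceSize():], nil)
}

// Rekey draws a fresh group key and wraps it once per current member. Called
// after a join it gives backward security: the newcomer cannot read old traffic.
func (s *KeyServer) Rekey() map[string][]byte {
	s.GroupKey = make([]byte, 16)
	rand.Read(s.GroupKey)
	out := map[string][]byte{}
	for id, k := range s.Pairwise {
		out[id] = Seal(k, s.GroupKey)
	}
	return out
}

// Leave drops the member and rekeys (forward security): the departed host gets
// no wrapped copy of the new key, so it cannot read later traffic.
func (s *KeyServer) Leave(id string) map[string][]byte {
	delete(s.Pairwise, id)
	return s.Rekey()
}
```

A join is the mirror image: add the newcomer's pairwise key to Pairwise and call Rekey before distributing.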

Slide 8: Security Concept

• Security: usage of the IPSec protocol suite
  - Security at network layer
  - Multicast support
  - Algorithms for encryption and group authentication
  - But: no source authentication (hope: several IETF drafts, work in progress)
• To solve: Multicast Internet Key Exchange (MIKE)
  - Negotiation of IPSec settings
  - Key exchange functionality
• Goal: development of a MIKE daemon
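The deck's point that IPSec's shared-key integrity check gives group authentication but not source authentication (slides 5 and 8), as an added Go example that is not the MIKE project's code (which is C++): a tag under the group key verifies no matter which member computed it, whereas a per-sender Ed25519 signature does not. The group key and message texts are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// GroupTag is the group-authentication check a shared-key integrity
// algorithm gives every member: an HMAC-SHA256 tag under the group key.
func GroupTag(groupKey, msg []byte) []byte {
	m := hmac.New(sha256.New, groupKey)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyGroupTag proves only that some holder of the group key sent msg.
func VerifyGroupTag(groupKey, msg, tag []byte) bool {
	return hmac.Equal(GroupTag(groupKey, msg), tag)
}

// ForgeableByMember shows why group authentication is not source
// authentication: a receive-only member holding the group key can tag a
// message in Sender 1's name and every receiver accepts it.
func ForgeableByMember(groupKey []byte) bool {
	forged := []byte("from=Sender1 body=new briefing time") // constructed
	tag := GroupTag(groupKey, forged)                      // made by a receiver
	return VerifyGroupTag(groupKey, forged, tag)
}

// SourceAuth adds what the deck says IPSec lacks: a per-sender signature.
// Receivers hold only public keys, so a member with the group key and
// Sender 2's private key cannot produce a packet that verifies as Sender 1.
func SourceAuth() (genuineOK, forgedOK bool) {
	pub1, priv1, _ := ed25519.GenerateKey(rand.Reader)
	_, priv2, _ := ed25519.GenerateKey(rand.Reader)
	msg := []byte("from=Sender1 body=briefing at 0900") // constructed
	genuineOK = ed25519.Verify(pub1, msg, ed25519.Sign(priv1, msg))
	forgedOK = ed25519.Verify(pub1, msg, ed25519.Sign(priv2, msg))
	return genuineOK, forgedOK
}
```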

Slide 9: MIKE as part of the IPSec framework

[Diagram: user space holds the Application, IKE and MIKE; kernel space holds TCP/UDP over IPv6, the Unicast/Multicast IPSec module with the SPD, SAD and MSAD databases, and the link layers Ethernet, ISDN and HF. Interfaces between the two spaces: AF_INET6 and PF_KEY 2.]

Slide 10: MIKE Design Goals

• Two objectives:
  - Prototypical implementation
  - Simulation environment
• Special focus on military environments:
  - Narrow bandwidth (wireless communication)
  - Emission control (EMCON)
• Design criteria:
  - Separation of key management and application
  - Robust exchange protocols
  - Extensibility
  - Independence from multicast routing mechanisms
  - Usage of existing standards as far as possible

Slide 11: MIKE Architecture

[Diagram: the MIKE daemon consists of a Group Management Framework, a Message Dispatcher, a Group Policy Database and one Key Manager per group (Group 1 Key Manager … Group n Key Manager); its interfaces to the system are PF_KEY 2, TCP and UDP. The same diagram is repeated on slides 12 to 15 with the component under discussion highlighted.]

Slide 12: Message Dispatcher

• Task: transmission of key exchange messages
• Prototypical implementation:
  - Connection to the Internet
  - Configuration of the IPSec kernel module
• Simulation environment:
  - Simulation of packet loss, delays, etc.
  - Visualization of key exchange protocols

Slide 13: Group Management Framework

• Task: multicast IPSec management of the host
• Group access control
• Invocation/termination of key managers
• Key exchange message distribution

Slide 14: Key Manager

• Task: negotiation of IPSec settings for one multicast group
• Host authentication and digest validation
• Sender mode:
  - Key agreement with other senders
  - Receiver management
• Receiver mode:
  - Requesting IPSec settings from the designated sender

Slide 15: Group Policy Database

• Task: provision of security-relevant information
• Type of information depends on the accessing component:
  - Filtering rules: message dispatcher
  - Group access policy: group management framework
  - User access control, authentication data: key manager

Slide 16: Implementation Details

• Object-oriented approach (C++)
• Open source operating system:
  - Debian Linux
  - USAGI IPv6/IPSecurity kernel patch
• Development tools:
  - GNU Tools (gcc, make, etc.)
  - Standard Template Library
  - Crypto++ Library
• Roadmap:
  - First prototype at the end of 2003
  - Simulation environment in 2004

Slide 17: Conclusion

• Scenario: briefing sessions
• Security via IPSec architecture
• Setup via Multicast Internet Key Exchange