Update on the UMU Dynamic VPN R&D Work – November 2003
Antonio F. Gomez Skarmeta, Gregorio Martinez
<skarmeta, [email protected]>
University of Murcia (UMU), Spain
Agenda
• Reminder from the July'03 Meeting
• UMU-PKIv6: Update on the Status
• UMU-PBNM: Update on the Status
• Collaboration Plans
UMU-PBNM Main Objective
• Design and set up a security framework to manage distributed communication systems using the PBNM paradigm
• Features:
– Flexible
– Secure
– Service- and application-independent
– Standards-based
– IP-based
• In collaboration with UCL-CS (through Euro6IX-6NET project collaboration, SEINIT project)
UMU-PBNM Proposed Architecture (diagram)
Layers and components shown: Trust Management System, Policy Management Framework, Network Layer Security Services, Cryptographic Middleware, Java Card, IPsec Security Services, Policy Language, UMU-PKIv6, UMU-PBNM (Policy Console, PMT, PDP, PEP)
General Architecture (diagram)
Policy Management Process (diagram, steps 1 to 7)
Monitoring Process (diagram, steps 1 to 4)
Agenda (cont.): UMU-PKIv6: Update on the Status
UMU-PKIv6 v7.1.2
• Installation process highly improved (thanks to feedback from UCL-CS, and NRNS/DRDC-RDDC)
• Version 7.1.2, supporting:
– WinCE-compatible devices (PDAs, mobile phones, etc.)
– SSH/SCP PKCS#10 and KEYGEN (Netscape) requests
– Support of DNSsec
– New debug mode
• New version (v7.2.0) will be released this week
– OCSP and TSP applets automatically signed during the installation process
– Log management from the web
Agenda (cont.): UMU-PBNM: Update on the Status
Policy Language
• Definition of XML schemas from the IETF IPsec PIB
• Extension of the UMU-PBNM to support IPsec policies for:
– Linux FreeS/WAN (in both IPv4 and IPv6)
– FreeBSD (in both IPv4 and IPv6)
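The slide above describes the step a policy-based framework has to perform for each enforcement target: take one abstract IPsec policy and render it into the configuration syntax of the PEP's own IPsec stack. The following is an added example written for this page; it is not UMU-PBNM code, and the XML element and attribute names (ipsecPolicy, local, remote, protection, auth) are a constructed stand-in for the PIB-derived schema the slides mention, which is not reproduced on the page. The two output formats follow FreeS/WAN's ipsec.conf "conn" section and the setkey(8) SPD syntax used by FreeBSD; the sample policy is constructed and uses documentation prefixes.

```python
"""Render one abstract IPsec policy into two PEP-specific formats.

Added example, not UMU-PBNM code. The XML vocabulary below is a
constructed stand-in for the schema the slides refer to.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample policy (hypothetical schema): one ESP tunnel between
# two gateways protecting traffic between two IPv6 subnets.
SAMPLE_POLICY = """<?xml version="1.0"?>
<ipsecPolicy name="siteA-siteB">
  <local gateway="2001:db8:a::1" subnet="2001:db8:a:1::/64"/>
  <remote gateway="2001:db8:b::1" subnet="2001:db8:b:1::/64"/>
  <protection protocol="esp" mode="tunnel" level="require"/>
  <auth method="rsasig"/>
</ipsecPolicy>
"""


def parse_policy(xml_text):
    """Validate the document and return a dict of typed policy fields."""
    root = ET.fromstring(xml_text)
    if root.tag != "ipsecPolicy" or "name" not in root.attrib:
        raise ValueError("not a named ipsecPolicy document")

    def req(path, attr):
        el = root.find(path)
        if el is None or attr not in el.attrib:
            raise ValueError(f"missing {path}@{attr}")
        return el.attrib[attr]

    pol = {
        "name": root.attrib["name"],
        "local_gw": ipaddress.ip_address(req("local", "gateway")),
        "local_net": ipaddress.ip_network(req("local", "subnet")),
        "remote_gw": ipaddress.ip_address(req("remote", "gateway")),
        "remote_net": ipaddress.ip_network(req("remote", "subnet")),
        "protocol": req("protection", "protocol"),
        "mode": req("protection", "mode"),
        "level": req("protection", "level"),
        "auth": req("auth", "method"),
    }
    # A policy mixing IPv4 and IPv6 is rejected up front: neither PEP would
    # accept it, and a partially applied policy leaves traffic unprotected.
    families = {pol[k].version for k in ("local_gw", "local_net", "remote_gw", "remote_net")}
    if len(families) != 1:
        raise ValueError("mixed IPv4/IPv6 addresses in one policy")
    if pol["protocol"] not in ("esp", "ah") or pol["mode"] not in ("tunnel", "transport"):
        raise ValueError("unsupported protection parameters")
    return pol


def render_freeswan(pol):
    """ipsec.conf 'conn' section in FreeS/WAN syntax."""
    lines = [
        f"conn {pol['name']}",
        f"\tleft={pol['local_gw']}",
        f"\tleftsubnet={pol['local_net']}",
        f"\tright={pol['remote_gw']}",
        f"\trightsubnet={pol['remote_net']}",
        f"\tauthby={pol['auth']}",
        "\tauto=start",
    ]
    return "\n".join(lines) + "\n"


def render_setkey(pol):
    """setkey(8) SPD entries for both directions (FreeBSD/KAME syntax)."""
    if pol["mode"] == "tunnel":
        out_ep = f"{pol['local_gw']}-{pol['remote_gw']}"
        in_ep = f"{pol['remote_gw']}-{pol['local_gw']}"
    else:  # transport mode carries no tunnel endpoints in the SA spec
        out_ep = in_ep = ""
    out_sa = f"{pol['protocol']}/{pol['mode']}/{out_ep}/{pol['level']}"
    in_sa = f"{pol['protocol']}/{pol['mode']}/{in_ep}/{pol['level']}"
    return (
        f"spdadd {pol['local_net']} {pol['remote_net']} any -P out ipsec {out_sa};\n"
        f"spdadd {pol['remote_net']} {pol['local_net']} any -P in ipsec {in_sa};\n"
    )


RENDERERS = {"freeswan": render_freeswan, "setkey": render_setkey}


def render(xml_text, target):
    """Parse once, then render for the named PEP type."""
    return RENDERERS[target](parse_policy(xml_text))


if __name__ == "__main__":
    for target in RENDERERS:
        print(f"# --- {target} ---")
        print(render(SAMPLE_POLICY, target))
```

The validation in parse_policy is the part worth keeping in any real translator: the PDP is the single point where a malformed or inconsistent policy can still be refused before it reaches several heterogeneous PEPs.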
UMU-PBNM Internal Components
• COPS:
– Porting of VOCAL 1.5 COPS implementation to IPv6 (in C++)
– UMU-jCOPS (University of Murcia – Java COPS) implementation
• Definition of all the COPS and COPS-PR messages
• Definition of two APIs, allowing the definition of any kind of (security, QoS, mobility, routing, etc.) PDP or PEP:
– At the message level
– At the functionality level
• Interoperable with VOCAL 1.5 COPS implementation
UMU-PBNM Internal Components (and II)
• UMU-jCOPS packages: brief description
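The two slides above distinguish a message-level API (encoding and decoding COPS messages) from a functionality-level API built on top of it. As an added illustration of what the message level has to get right, here is a small encoder/decoder for the COPS common header and object format of RFC 2748; it is written for this page and is not UMU-jCOPS or VOCAL code. Field layouts, op codes and C-Num names are taken from RFC 2748. The sample Client-Open message and its client-type value are constructed for the example and do not correspond to any registered COPS client.

```python
"""Encode and decode COPS (RFC 2748) messages at the message level.

Added example; not UMU-jCOPS or VOCAL code. Layout per RFC 2748: an
8-octet common header (Version/Flags, Op Code, Client-type, Message
Length) followed by objects, each with a 4-octet header (Length, C-Num,
C-Type) and contents padded to a 32-bit boundary.
"""
import struct

OP_CODES = {1: "REQ", 2: "DEC", 3: "RPT", 4: "DRQ", 5: "SSQ",
            6: "OPN", 7: "CAT", 8: "CC", 9: "KA", 10: "SSC"}
C_NUMS = {1: "Handle", 2: "Context", 3: "In-Int", 4: "Out-Int", 5: "Reason",
          6: "Decision", 7: "LPDP-Decision", 8: "Error", 9: "ClientSI",
          10: "KATimer", 11: "PEPID", 12: "Report-Type", 13: "PDPRedirAddr",
          14: "LastPDPAddr", 15: "AcctTimer", 16: "Integrity"}


def pad4(n):
    """Round up to the next 32-bit boundary."""
    return (n + 3) & ~3


def encode_object(c_num, c_type, contents):
    """Object header plus contents; the stated Length excludes padding."""
    length = 4 + len(contents)
    return struct.pack("!HBB", length, c_num, c_type) + contents + b"\0" * (pad4(length) - length)


def encode_message(op_code, client_type, objects, flags=0):
    """Common header (version 1) followed by already-encoded objects."""
    body = b"".join(objects)
    header = struct.pack("!BBHI", (1 << 4) | (flags & 0xF), op_code, client_type, 8 + len(body))
    return header + body


def decode_message(data):
    """Parse header and objects; raise ValueError on anything inconsistent."""
    if len(data) < 8:
        raise ValueError("short header")
    ver_flags, op_code, client_type, msg_len = struct.unpack("!BBHI", data[:8])
    version, flags = ver_flags >> 4, ver_flags & 0xF
    if version != 1:
        raise ValueError(f"unsupported COPS version {version}")
    # Length must cover the header, be 32-bit aligned, and fit the buffer;
    # a length claiming more than was received is the classic parser trap.
    if msg_len < 8 or msg_len % 4 or msg_len > len(data):
        raise ValueError("message length inconsistent with buffer")
    objects = []
    off = 8
    while off < msg_len:
        if msg_len - off < 4:
            raise ValueError("truncated object header")
        length, c_num, c_type = struct.unpack("!HBB", data[off:off + 4])
        if length < 4 or off + pad4(length) > msg_len:
            raise ValueError("object length exceeds message")
        objects.append({
            "c_num": c_num,
            "name": C_NUMS.get(c_num, f"c_num_{c_num}"),
            "c_type": c_type,
            "contents": data[off + 4:off + length],
        })
        off += pad4(length)
    return {"version": version, "flags": flags, "op": OP_CODES.get(op_code, f"op_{op_code}"),
            "client_type": client_type, "length": msg_len, "objects": objects}


# Constructed Client-Open (OPN) carrying a PEPID object (C-Num 11, C-Type 1:
# NUL-terminated ASCII). The client-type value is made up for this example.
SAMPLE_CLIENT_TYPE = 0x8001
SAMPLE_OPN = encode_message(6, SAMPLE_CLIENT_TYPE, [encode_object(11, 1, b"pep-router-1\0")])


def opn_pepid(msg):
    """Return the PEP identification string from a decoded OPN message."""
    if msg["op"] != "OPN":
        raise ValueError("not a Client-Open message")
    for obj in msg["objects"]:
        if obj["name"] == "PEPID" and obj["c_type"] == 1:
            return obj["contents"].rstrip(b"\0").decode("ascii")
    raise ValueError("OPN without PEPID object")


if __name__ == "__main__":
    msg = decode_message(SAMPLE_OPN)
    print(msg["op"], hex(msg["client_type"]), opn_pepid(msg))
    for obj in msg["objects"]:
        print(f"  {obj['name']} (C-Num {obj['c_num']}, C-Type {obj['c_type']}): {obj['contents']!r}")
```

A functionality-level API for a PDP or PEP would sit on top of decode_message, turning the object list into typed Client-Open, Request or Decision events; keeping the length checks in the message layer means every higher-level handler can trust the object boundaries it is given.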
Agenda (cont.): Collaboration Plans
X-Bone / UMU-PKIv6 / UMU-PBNM
• X-Bone v3.0-beta being tested in our labs
• Evaluation plan:
– With UMU-PKIv6
  • Using UMU-PKIv6 certificates (with IPv6 addresses in the DN field) in every X-Bone node
  • Check how the DNSsec support of both systems can be integrated
  • Analyse the use of attribute certificates in the X-Bone
– With UMU-PBNM
  • Analysing elements in X-Bone that can be dynamically managed by the UMU-PBNM proposed architecture
– Inter-site testbed
  • Interest from UCL-CS and UMU to set up an inter-site testbed over IPv6
  • Anyone else interested?
DVC / UMU-PKIv6
• DVC 0.0.2a being tested in our labs
• DVC needs:
– Provision of PKI + KMS functionalities
– IPv6 support
• DVC required features: automated …
– certificate enrolment
– certificate renewal
– certificate revocation
– certificate status checking
– cross-certification
DVC / UMU-PKIv6 (II)
• UMU-PKIv6 currently offers:
– Automated certificate enrolment and revocation
  • SCEP server (SCEP draft version 0.5)
  • SSH server
– Certificate status checking
  • CRLs published in LDAP servers
  • OCSP server
– Cross-certification
– Certificate renewal missing!!
• Additional components:
– UMU-jSCEP: Java SCEP client
– UMU-jOCSP: Java OCSP
– Java SSH client
• Currently being used with:
– CISCO routers (SCEP-based)
– 6WIND routers (SSH-based)
DVC / UMU-PKIv6 (and III)
• Decisions to be taken:
– Support of ARLs (Authority Revocation Lists)
  • Why? To provide the status of cross-certificates
  • DVC: has to evaluate the need to support them
  • UMU-PKIv6: has to improve its support of ARLs
– Use of DNSsec
  • Why? Dynamic provision of security information
  • DVC: has to study the interest in this
  • UMU-PKIv6: feature already supported
– Use of the PKIX-CMP protocol
  • Why? Providing complete certificate lifecycle management
  • DVC: defined as an interesting feature
  • UMU-PKIv6: implementation already started (both modes: simple and full)
For anyone interested in collaborating, integrating and/or testing …
• The UMU-PKIv6 v7.2.0
• The UMU-PBNM, or any of its components (e.g. VPN Enforcement Tool, UMU-jCOPS, etc.)
• Any other idea/line regarding the dynamic management of VPNs
please send us an email to
Antonio F. Gomez Skarmeta <[email protected]> and/or Gregorio Martinez <[email protected]>
Thanks!!!