using the ipsec architecture for secure multicast communication · 2012-10-03 · multicast...
TRANSCRIPT
KIERESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS
Computer Networks
Using the IPSec Architecture for SecureMulticast Communication
Thorsten [email protected]
Christoph [email protected]
Research Establishment for Applied Science
Neuenahrer Straße 20
D-53343 Wachtberg, Germany
ICCRTS 2003 – p.1/17
KIERESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS
Computer Networks
Multicast Communication
• Efficient data transmission from one sender to a groupof receivers
• Examples of usage. Briefing sessions. Database replication. Audio/video conferencing
• Idea: send data once and duplicate it wherenecessary
• Requirement: sophisticated routing infrastructure
• Problem: How to secure the data traffic?
ICCRTS 2003 – p.2/17
KIERESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS
Computer Networks
Important Questions
• Which scenario for group communication?
• How to secure the multicast traffic?
• How to manage the security settings?
ICCRTS 2003 – p.3/17
KIERESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS
Computer Networks
Scenario (Briefing Session)
GroupMulticast
sendreceive
Sender 2Sender n
Receiver (n, 1)
Receiver (n, mn) Receiver (2, m2)
Receiver (2, 1)
Receiver (1, n1)Receiver (1, 1)
Sender 1
ICCRTS 2003 – p.4/17
KIERESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS
Computer Networks
Multicast Security
• Mandatory requirements. Secrecy of the data traffic. Group authentication. Source authentication. Forward/backward security
• Group key exchange. Key agreement protocols collaborative key negotiation
. Key distribution protocols generation & distribution via a key server
ICCRTS 2003 – p.5/17
KIERESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS
Computer Networks
Scenario (Key Exchange)
Key D
istribution Protocol
Key Distribution Protocol
Key
Dis
tribu
tion
Pro
toco
lKeyAgreement
Protocol
Sender 1
Sender 2Sender n
Receiver (n, 1)
Receiver (n, mn) Receiver (2, m2)
Receiver (2, 1)
Receiver (1, n1)Receiver (1, 1)
ICCRTS 2003 – p.6/17
KIERESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS
Computer Networks
Scenario DetailsSender hosts
• Number n ≈ 25
• Send and receive data
• Connected via broadband networks
• Key exchange via agreement
Receiver hosts
• Number mi ≈ 10000
• Only receive data
• Connected via networks with narrow bandwidth
• Key distribution from a designated sender
ICCRTS 2003 – p.7/17
KIERESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS
Computer Networks
Security Concept
• Security: Usage of the IPSec protocol suite. Security at network layer. Multicast support. Algorithms for encryption and group authentication. But: No source authentication
Hope: several IETF drafts (work in progress)
• To solve: Multicast Internet Key Exchange (MIKE). Negotiation of IPSec settings. Key exchange functionality
• Goal: Development of a MIKE daemon
ICCRTS 2003 – p.8/17
KIERESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS
Computer Networks
MIKE as part of the IPSec frameworkU
ser S
pace
Ker
nel S
pace
Application
SPD MSAD
IPv6TCP UDP
EthernetISDNHF
SAD
Unicast/Multicast IPSec
AF_INET6 PF_KEY 2
MIKEIKE
ICCRTS 2003 – p.9/17
KIERESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS
Computer Networks
MIKE Design Goals• Two objectives:
. Prototypical implementation
. Simulation environment
• Special focus on military environments. Narrow bandwidth (wireless communication). Emission control (EMCON)
• Design criteria. Separation of key management and application. Robust exchange protocols. Extensibility. Independency from multicast routing mechanisms. Usage of existing standards as far as possible
ICCRTS 2003 – p.10/17
KIERESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS
Computer Networks
MIKE Architecture
Group 1Key Manager
Group nKey Manager
Gro
up P
olic
y D
atab
ase
Group Management Framework
Message Dispatcher
MIKE daemon
PF_KEY 2 TCP UDP
ICCRTS 2003 – p.11/17
KIERESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS
Computer Networks
Message Dispatcher
Group 1Key Manager
Group nKey Manager
Gro
up P
olic
y D
atab
ase
Group Management Framework
Message Dispatcher
MIKE daemon
PF_KEY 2 TCP UDP
• Task: transmission of key exchange messages
• Prototypical implementation
. Connection to the Internet
. Configuration of IPSec kernel module
• Simulation environment
. Simulation of packet loss, delays, etc.
. Visualization of key exchange protocols
ICCRTS 2003 – p.12/17
KIERESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS
Computer Networks
Group Management Framework
Group 1Key Manager
Group nKey Manager
Gro
up P
olic
y D
atab
ase
Group Management Framework
Message Dispatcher
MIKE daemon
PF_KEY 2 TCP UDP
• Task: Multicast IPSec management of the host
• Group access control
• Invocation/termination of key managers
• Key exchange message distribution
ICCRTS 2003 – p.13/17
KIERESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS
Computer Networks
Key Manager
Group 1Key Manager
Group nKey Manager
Gro
up P
olic
y D
atab
ase
Group Management Framework
Message Dispatcher
MIKE daemon
PF_KEY 2 TCP UDP
• Task: negotiation of IPSec settings for onemulticast group
• Host authentication and digest validation
• Sender mode
. Key agreement with other senders
. Receiver management
• Receiver mode
. Requesting IPSec settings from thedesignated sender
ICCRTS 2003 – p.14/17
KIERESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS
Computer Networks
Group Policy Database
Group 1Key Manager
Group nKey Manager
Gro
up P
olic
y D
atab
ase
Group Management Framework
Message Dispatcher
MIKE daemon
PF_KEY 2 TCP UDP
• Task: provision of security relevant information
• Type of information dependent on theaccessing component
. Filtering rules message dispatcher
. Group access policy group management framework
. User access control, authentication data key manager
ICCRTS 2003 – p.15/17
KIERESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS
Computer Networks
Implementation Details
• Object oriented approach (C++)
• Open source operating system. Debian Linux. USAGI IPv6/IPSecurity kernel patch
• Development tools. GNU Tools (gcc, make, etc.). Standard Template Library. Crypto++ Library
• Roadmap:. First prototype at the end of 2003. Simulation environment in 2004
ICCRTS 2003 – p.16/17
KIERESEARCH INSTITUTE FOR COMMUNICATION, INFORMATION PROCESSING AND ERGONOMICS
Computer Networks
Conclusion
• Scenario: Briefing sessions
• Security via IPSec architecture
• Setup via Multicast Internet Key Exchange
ICCRTS 2003 – p.17/17