A CGA based Source Address Authorization and Authentication (CSA) for First Layer-3 Hop

1
A CGA based Source Address Authorization and
Authentication (CSA) for First Layer-3 Hop
  • IETF 72 Meeting, Dublin
  • July 28, 2008
  • SAVI Working Group
  • Jun Bi <junbi@cernet.edu.cn>
  • Jianping Wu <jianping@cernet.edu.cn>
  • Guang Yao <yaog@netarchlab.tsinghua.edu.cn>

2
Basic Ideas
  • Phase 1: Address Authorization
  • Host-granularity checking based on the knowledge
    of address assignment (to accommodate all address
    allocation methods)
  • Host Identifier (CGA Identifier) without PKI
  • Binding Host Identifier and address at the first
    Layer-3 hop (not binding port/MAC/IP, because
    there may be no one-to-one mapping between port and
    host, e.g. a hub uplinked to an Ethernet switch
    port with multiple hosts downlinked from it)
  • Secure Shared Secret Exchange (the Signature Seed
    used in the Authentication phase between host and
    router, to turn the ID/Address binding into a
    more lightweight Address/Signature binding)
  • Phase 2: Address Authentication
  • Light-weight signature generation
  • Light-weight signature adding and removal
  • Light-weight signature verification

3
Overview of Procedure
  • Phase 1: Address Authorization (5 steps)

(1) Host prepares an address A
(2) Host generates an identifier to show that the applicant is H
(3) Host to first L3 hop: "I'm H and I require to use address A"
(4) First L3 hop checks whether identifier H can use the
required address A
(5) First L3 hop returns a signature seed for future
authentication
4
Overview of Procedure
  • Phase 2: Address Authentication

Host: generate signature based on the signature seed
Host: add signature to the packet
First L3 hop: check signature and remove it
5
Phase 1: Address Authorization
  • Step 1: Address Preparation
  • The node gets an address through the appointed
    address assignment mechanism
  • Host in IPv4: Manual Configuration, DHCP
  • Host in IPv6: DHCP, Stateless Auto-configuration
    (SAC), Manual Configuration, Cryptographically
    Generated Address (CGA), Privacy address

6
Address Authorization
  • Step 2: Identifier Generation
  • Node generates a secure identifier
  • For anonymous address owners (DHCP, SAC, CGA, Privacy):
    identifier = hash(Public Key), as described in
    CGA
  • For any address allocation mechanism involving
    manual configuration:
    identifier = hash(Public Key, Shared Secret)
  • The Shared Secret is a bit string allocated to
    the node together with its address by the network administrator.

7
Address Authorization
  • Step 3: Address Authorization Request
  • Nodes send a request packet to the first L3 hop
  • Currently designed as an ICMP packet; to be
    designed as a SEND extension
  • Source address is the address prepared in step 1
  • The CGA option and RSA signature option are
    the same as described in SEND

8
Address Authorization
  • Step 4: First L3 Hop Authorizing Address
  • Router checks whether the requesting node has the
    right to use the address.
  • The knowledge is based on the address allocation
    mechanism.
  • Manual Configuration: re-compute the identifier
    using the shared secret of the address owner.
  • SAC/Privacy/CGA: the address has not been
    registered by another node. In the CGA case, the
    requested address must be a correct CGA address
    computed on the public key.
  • DHCP: the identifier in the request packet must
    be the one that was used to apply for the
    address/prefix from the DHCP server/router. See next
    slide.

9
Address Allocation in DHCP Case
  • The host sends the DHCP Solicitation with its source
    address set to the CGA identifier
  • The first L3 hop records the CGA identifier
  • The first L3 hop snoops and records the address allocated,
    and binds the identifier to the assigned address
10
Address Authorization
  • Step 5: Signature Seed Assignment
  • The router returns a bit string named the signature
    seed to the host, encrypted with the host's public
    key that was carried in the authorization request
    packet.
  • The node decrypts the signature seed and will use
    it in Phase 2.
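The five authorization steps above, as an added worked example that is not the authors' Linux prototype or any SAVI code: the host-side identifier function from step 2, a simplified CGA address derivation, and a first-hop router that performs the step-4 check for each allocation mechanism (including the DHCP snooping binding) and hands out the step-5 seed. Assumptions, also labelled in the code: SHA-256 truncated to 64 bits stands in for the CGA hash (RFC 3972's modifier, collision count and Sec parameters are omitted); the request's RSA signature option is taken as already verified; the seed is returned in the clear rather than encrypted to the host's public key; and the names FirstHopRouter, AuthRequest and snoop_dhcp are hypothetical.

```python
"""Toy model of CSA Phase 1 (address authorization) at the first Layer-3 hop.

Added example, not the authors' prototype.  Assumptions:
  * SHA-256 truncated to 64 bits stands in for the CGA hash (RFC 3972's
    modifier, collision count and Sec parameters are omitted);
  * the request's RSA signature option (as in SEND) has already been verified;
  * the signature seed is returned in the clear instead of encrypted to the
    host's public key;
  * names (FirstHopRouter, AuthRequest, snoop_dhcp, ...) are hypothetical.
"""
import hashlib
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def host_identifier(public_key: bytes, shared_secret: Optional[bytes] = None) -> bytes:
    """Step 2.  H = hash(PK) for anonymous owners (DHCP/SAC/CGA/Privacy);
    H = hash(PK, shared secret) for manually configured addresses."""
    h = hashlib.sha256(public_key)
    if shared_secret is not None:
        h.update(shared_secret)
    return h.digest()[:8]                        # 64-bit identifier (assumption)


def cga_address(prefix: str, public_key: bytes) -> str:
    """Simplified CGA: /64 prefix plus an interface ID derived from hash(PK)."""
    net = ipaddress.IPv6Network(prefix)
    iid = int.from_bytes(host_identifier(public_key), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


@dataclass
class AuthRequest:
    """Step 3 request (ICMP in the slides).  Field names are hypothetical."""
    address: str        # address A prepared in step 1, also the packet's source
    mechanism: str      # "manual" | "sac" | "privacy" | "cga" | "dhcp"
    public_key: bytes   # CGA option
    identifier: bytes   # H claimed by the applicant


class FirstHopRouter:
    def __init__(self, prefix: str, manual_secrets: Dict[str, bytes]):
        self.prefix = prefix
        self.manual_secrets = manual_secrets        # admin-provisioned: address -> secret
        self.dhcp_leases: Dict[str, bytes] = {}      # snooped: assigned address -> identifier
        self.bindings: Dict[str, bytes] = {}         # authorized: address -> identifier
        self.seeds: Dict[str, bytes] = {}            # address -> signature seed

    def snoop_dhcp(self, solicit_identifier: bytes, assigned_address: str) -> None:
        """Slide 9: remember who sent the Solicit and bind it to the lease."""
        self.dhcp_leases[assigned_address] = solicit_identifier

    def authorize(self, req: AuthRequest) -> Optional[bytes]:
        """Step 4 check, then step 5 seed assignment.  None means 'refused'."""
        # Every mechanism: the address must not already belong to another identifier.
        bound = self.bindings.get(req.address)
        if bound is not None and bound != req.identifier:
            return None
        if req.mechanism == "manual":
            # Re-compute H with the shared secret provisioned for this address.
            secret = self.manual_secrets.get(req.address)
            if secret is None or host_identifier(req.public_key, secret) != req.identifier:
                return None
        elif req.mechanism in ("sac", "privacy", "cga"):
            if host_identifier(req.public_key) != req.identifier:
                return None
            # CGA only: the address itself must be derived from the carried key.
            if req.mechanism == "cga" and cga_address(self.prefix, req.public_key) != req.address:
                return None
        elif req.mechanism == "dhcp":
            # H must be the identifier that obtained this lease (DHCP snooping).
            if self.dhcp_leases.get(req.address) != req.identifier:
                return None
        else:
            return None
        seed = secrets.token_bytes(16)               # would be encrypted to PK in step 5
        self.bindings[req.address] = req.identifier
        self.seeds[req.address] = seed
        return seed
```

The one check applied to every mechanism is the "not registered by another node" test; a second host that presents a valid identifier for an address already bound to someone else is refused before the mechanism-specific check runs, which is what stops a spoofer from re-registering a neighbour's address with its own key.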

11
Phase 2: Address Authentication
  • Signature Generation (all based on the shared
    secret, i.e. the signature seed)
  • HMAC
  • Pseudo-random number (preferred)
  • Signature sequence: hard to guess and to replay
  • Use a sliding window to handle packet
    re-ordering (not a big deal in a local subnet)
  • Signature Adding (3 choices to implement)
  • IPsec Authentication Header
  • A new option header (e.g. Hop-by-hop)
  • Address Rewrite (the signature is used as the local
    source address; the router rewrites it to the authorized
    address for the outside world, to save the cost of
    the memory copy and of locating the extension header)
  • Signature Verification (matching the random
    number)

12
Phase 2: Address Authentication
  • Consideration
  • Authentication based on signatures is always
    costly.
  • Reduce the cost of
  • signature generation (random number sequence),
  • signature adding and signature removal (by
    reducing the overhead), and
  • signature verification (by matching a number)
  • to be close to the cost of a routing table lookup.
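Phase 2 as an added worked example that is not the authors' prototype, covering the signature generation, adding, removal and verification of the two slides above as well as the option-header and address-rewrite diagrams at the end of the deck: the host derives a signature sequence from the seed and carries each signature either in a hop-by-hop-style option field or as its source address; the router verifies by a table lookup against a sliding window of pre-computed signatures, rejects replays, and then either strips the option or rewrites the source back to the authorized address. Assumptions, also labelled in the code: signatures are HMAC-SHA256(seed, counter) truncated to 64 bits; in address-rewrite mode the signature becomes the interface identifier under the link prefix; packets are plain dicts; and the field name hbh_sig, the class names Host and Router, and the window size are hypothetical.

```python
"""Toy model of CSA Phase 2 (address authentication) at the first Layer-3 hop.

Added example, not the authors' prototype.  Assumptions:
  * signature = HMAC-SHA256(seed, counter) truncated to 64 bits;
  * the router pre-computes a sliding window of upcoming signatures per
    authorized address, so verification is a single table lookup;
  * in address-rewrite mode the signature is carried as the interface
    identifier under the link prefix;
  * packets are plain dicts; "hbh_sig", Host and Router are hypothetical names.
"""
import hashlib
import hmac
import ipaddress
from typing import Dict, Optional, Tuple

SIG_LEN = 8                                   # 64-bit signature (assumption)


def signature(seed: bytes, counter: int) -> bytes:
    """Light-weight generation: pseudo-random number `counter` of the sequence."""
    return hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()[:SIG_LEN]


class Host:
    """Holds the Phase 1 seed and emits the next signature for each packet."""

    def __init__(self, address: str, seed: bytes, prefix: str):
        self.address, self.seed, self.counter = address, seed, 0
        self.net = ipaddress.IPv6Network(prefix)

    def _next(self) -> bytes:
        sig = signature(self.seed, self.counter)
        self.counter += 1
        return sig

    def send_with_option(self, dst: str, payload: bytes) -> dict:
        """Choice 2: signature carried in an option header (e.g. hop-by-hop)."""
        return {"src": self.address, "dst": dst, "hbh_sig": self._next(), "payload": payload}

    def send_with_rewrite(self, dst: str, payload: bytes) -> dict:
        """Choice 3: the signature itself is used as the local source address."""
        iid = int.from_bytes(self._next(), "big")
        local = str(ipaddress.IPv6Address(int(self.net.network_address) | iid))
        return {"src": local, "dst": dst, "payload": payload}


class Router:
    """Verifies by matching the number, then strips the option or rewrites the address."""

    def __init__(self, prefix: str, window: int = 16):
        self.net = ipaddress.IPv6Network(prefix)
        self.window = window
        self.state: Dict[str, dict] = {}                     # address -> seed/base/next/pending
        self.mapping: Dict[bytes, Tuple[str, int]] = {}      # signature -> (address, index)

    def install(self, address: str, seed: bytes) -> None:
        """Take the seed handed out in Phase 1 step 5 and pre-compute the first window."""
        self.state[address] = {"seed": seed, "base": 0, "next": 0, "pending": set()}
        self._fill(address)

    def _fill(self, address: str) -> None:
        st = self.state[address]
        while st["next"] < st["base"] + self.window:
            self.mapping[signature(st["seed"], st["next"])] = (address, st["next"])
            st["pending"].add(st["next"])
            st["next"] += 1

    def _consume(self, sig: bytes) -> None:
        """A matched signature is used once; the window slides past consumed ones."""
        address, idx = self.mapping.pop(sig)
        st = self.state[address]
        st["pending"].discard(idx)
        while st["base"] < st["next"] and st["base"] not in st["pending"]:
            st["base"] += 1
        self._fill(address)

    def receive_with_option(self, pkt: dict) -> Optional[dict]:
        hit = self.mapping.get(pkt.get("hbh_sig"))
        if hit is None or hit[0] != pkt["src"]:
            return None         # unsigned, replayed, out of window, or wrong source address
        self._consume(pkt["hbh_sig"])
        return {k: v for k, v in pkt.items() if k != "hbh_sig"}   # remove the signature

    def receive_with_rewrite(self, pkt: dict) -> Optional[dict]:
        src = ipaddress.IPv6Address(pkt["src"])
        if src not in self.net:
            return None
        sig = (int(src) & ((1 << 64) - 1)).to_bytes(SIG_LEN, "big")
        hit = self.mapping.get(sig)
        if hit is None:
            return None
        self._consume(sig)
        return dict(pkt, src=hit[0])   # rewrite to the authorized address for the outside world
```

Design note: because the packet carries no sequence number, the router cannot slide the window from the highest index seen as IPsec anti-replay does; it slides from the lowest unconsumed signature. A lost packet therefore pins the window, and once the host is more than one window ahead its packets are rejected until the missing one arrives or the host re-authorizes, which is the trade-off behind "not a big deal in a local subnet" and why the window must be sized for the link's loss and reordering.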

13
Compliant to SAVI Charter
  • Charter compliant
  • All address allocation methods
  • Special cases
  • Static address
  • Multiple IP addresses on one interface (met
    because it doesn't rely on L1/L2 info.)
  • Multiple link layer addresses on one interface
  • Multiple interfaces to the same link
  • Node changes port
  • Node is a router, NAT, or switch
  • SEND
  • Anycast address
  • Charter non-compliant
  • Host change
  • The address authorization can be designed as an
    extension of SEND
  • Actually, host change might always be required
    in the case where there is no strict one-to-one mapping
    between switch port and host (strict L1/L2/L3
    mapping).

14
Applicability and benefits
  • Working scenario: situations where there is no
    strict port/host one-to-one mapping (if there is
    strict mapping, port/MAC/IP binding is more
    efficient).
  • Economy: no need to replace/update all ports
    in a network with L3-aware switches (which might be
    more expensive)
  • Flexibility: works in networks without port-based
    switches, e.g., wireless LAN
  • The Linux prototype is being tested in the Tsinghua
    testbed
  • Larger-scale testing by real users in the
    real campus network (not a testbed) at
    Tsinghua is expected

15
Acknowledgements
  • The author gratefully acknowledges the
    contributions of Fred Baker, Jari Arkko,
    Christian Vogt, Pekka Savola, Lixia Zhang, Mark
    Williams, Paul Ferguson, et al., to this draft or
    to the previous version,
    draft-bi-sava-solution-ipv6-edge-network-signature-00

16
  • Thank You!

17
Traditional Signature Mechanism
(Figure: send and receive processes for a packet carrying the signature in an option header)
Send process: locate the option header in the packet, add the signature, forward the packet
Receive process: locate the option header in the packet, remove the signature, forward the packet
18
Address Rewrite
  • Avoids the memory copy and the option header
    lookup, so more efficient

(Figure: send and receive processes with address rewrite)
Send process: change the source address field of the packet to be the
signature
Receive process: look up the mapping table from signature to address, then
rewrite the source address field to the authorized source address