University of Murcia (Spain)
The UMU-PBNM
Antonio F. Gomez Skarmeta, Gregorio Martínez
<skarmeta, [email protected]>
University of Murcia, SPAIN
Agenda
Objective and Proposed Architecture
The UMU-PKIv6
UMU-PBNM Design
UMU-PBNM Implementation
Analysis of VPNs over IPv6
References
UMU-PBNM Main Objective
Design and set up a security framework to manage distributed communication systems using the PBNM paradigm
Features:
- Flexible
- Secure
- Service- and application-independent
- Standard-based
- IP-based
In collaboration with UCL-CS
Proposed Architecture
(architecture diagram; labels: Trust Management System, Policy Management Framework, Network Layer Security Services, Cryptographic Middleware, Java Card, IPsec Security Services, Policy Language, UMU-PKIv6, UMU-PBNM (Policy Console, PMT, PDP, PEP))
UMU-PKIv6 Description
Main Objective: ... to establish a high security infrastructure for distributed systems
Main Features:
- PKI supporting the IPv6 protocol
- Developed in Java, running on every Operating System
- Issue, renew and revoke certificates for every entity belonging to one organisation
- Final users can use either RAs or Web browsers to make their own certification operations
- LDAPv6 directory support
UMU-PKIv6 Description (II)
Main Features (II):
- Use of smart cards (file system, RSA or Java Cards) ... allowing user mobility and increasing security
- PKI Certification Policy (CPS) support
- VPN devices certification support (using the SCEP protocol)
- Support for the OCSP protocol and Time Stamp
- Web Administration
- Supports DNSsec
- Used in both Euro6IX and 6NET projects (cross-certification)
UMU-PKIv6 Architecture
(architecture diagram; elements: WWW Secure Request Server, Data Base, LDAP, DNSsec, End User, Certification Authority, Registration Authority, Administrator, VPN Device; links: IPv6 SSL connection, IPv6 Plain connection, SCEP over IPv6)
UMU-PKIv6 Architecture (II)
(diagram; elements: Certification Authority, OCSP Responder, Time Stamping Responder, Time Stamp Server, OCSP Server, TSP Client, OCSP Client, Certificate; the TSP Message carries msg_hash and time stamp; the OCSP Message carries cert serial number and status)
(UMU-PBNM component diagram; labels: COPS Server, PSIP Client/Server, Network Monitoring, Decision Taking, Policy Enforcement Point (PEP), Policy Decision Point (PDP), PEP Monitoring, PSIP, COPS, UMU-PKIv6, PMT, Policy DB, PEPs DB, Certificate Validation, Config., Policy Adaptation, Cryptography Management, PDP, OCSP, LDAP)
Policy Management Process
(sequence diagram with steps 1 to 7 among: Policy Console, Primary PMT, PMT/PDP, PDP, PEP, Network Node (with PEP), Network Node)
Monitoring Process
(sequence diagram with steps 1 to 4 among: Policy Console, Primary PMT, PMT/PDP, PDP, PEP, Network Node (with PEP), Network Node)
Relevant Implementation Issues
- Policy Console: Web Browser; Microsoft CSP (Cryptographic Service Provider)
- PMT: Assistant module to define new policies; managing and storing XML policy documents according to one XML schema
- PDP and PEP: Using COPS and COPS-PR from Vocal 1.5; new S-Type for XML (and XML Path) added
- PEP-Network Node interaction: VPN ETool
IPsec/IKE Solutions Analyzed
Open-Source Solutions:
- FreeS/WAN 1.91 with IPv6 support v0.2 (Linux)
- USAGI Stable Release 4 (Linux)
- KAME, integrated in FreeBSD 4.6 (FreeBSD)
Commercial Solutions:
- Microsoft IPv6 (Windows XP)
- Solaris 9
- 6WIND 6200 Edge Device
Designed Evaluation Plan
Objective: evaluate IPv6 IPsec/IKE interoperability and conformance
Background: TAHI Project (http://www.tahi.org). But, different objectives: given a scenario, which is/are the more suitable implementation/s?
Interoperability tests: test scenarios, test suite, final reports
Configuration and installation guides; test reports
Scenarios Used for Testing
(topology diagram)
Net4 2001:0720:1710:24::/64 (Ethernet): Host-2 Eth0 2001:0720:1710:24::11, Host-3 Eth0 2001:0720:1710:24::12, Secure Gateway-1 Eth1 2001:0720:1710:24::1
Net3 2001:0720:1710:23::/64 (Ethernet): Secure Gateway-1 Eth0 2001:0720:1710:23::1, Router-2 Eth0 2001:0720:1710:23::2
Net2 2001:0720:1710:22::/64 (Ethernet): Router-2 Eth1 2001:0720:1710:22::2, Host-1 Eth0 2001:0720:1710:22::11
Security associations tested: AH/ESP Tunnel, AH/ESP Transport
Example Test Scenario: Secure Gateway To Secure Gateway
Elements involved in the Scenario:
- End Hosts ... normal PC (1 GHz of CPU, 128 MB of Memory) connected to a 10 Mbps Ethernet network
- Secure Gateways: PC Routers ... normal PC (1 GHz of CPU, 128 MB of Memory) connected to a 10 Mbps Ethernet network; 6WIND 6200 Edge Router connected to a 10 Mbps Ethernet network
- Router: CISCO 2600 connected to a 10 Mbps Ethernet network
Things to measure:
- Duration of the IKE negotiation (modified daemons)
- RTT
Example Test Scenario (II)
Secure Gateway To Secure Gateway with ESP in Tunnel Mode
IPsec Implementations (SG 1 / SG 2) and supported modes:

SG 1        SG 2        ESP Tunnel  AH Tunnel  AH Transport to ESP Tunnel  IPsec Tunnel to IPsec Tunnel
FreeS/WAN   FreeS/WAN   support     support    --                          --
KAME        KAME        support     support    support                     support
Windows     Windows     --          --         --                          --
Solaris     Solaris     --          --         --                          --
6WIND       6WIND       support     support    support                     support
FreeS/WAN   KAME        support     support    --                          --
FreeS/WAN   Windows     --          --         --                          --
FreeS/WAN   Solaris     --          --         --                          --
FreeS/WAN   6WIND       support     support    --                          --
KAME        Windows     --          --         --                          --
KAME        Solaris     --          --         --                          --
KAME        6WIND       support     support    support                     support
Windows     Solaris     --          --         --                          --
Windows     6WIND       --          --         --                          --
Solaris     6WIND       --          --         --                          --
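As an added example (not part of the original slides), the interoperability matrix above encoded as data, with a selector that answers the evaluation plan's question, "given a scenario, which implementations are suitable?", for a requested mode. Pair lookup is order-independent because SG 1 and SG 2 roles are symmetric in the table; the flags are transcribed from the slide, nothing is measured here.

```python
"""Interoperability matrix (transcribed from the slide) and a scenario selector."""
from itertools import combinations_with_replacement

MODES = (
    "ESP Tunnel",
    "AH Tunnel",
    "AH Transport to ESP Tunnel",
    "IPsec Tunnel to IPsec Tunnel",
)
IMPLS = ("FreeS/WAN", "KAME", "Windows", "Solaris", "6WIND")

# (SG1, SG2) -> flags in MODES order; True = "support", False = "--"
_RAW = {
    ("FreeS/WAN", "FreeS/WAN"): (True, True, False, False),
    ("KAME", "KAME"):           (True, True, True, True),
    ("Windows", "Windows"):     (False, False, False, False),
    ("Solaris", "Solaris"):     (False, False, False, False),
    ("6WIND", "6WIND"):         (True, True, True, True),
    ("FreeS/WAN", "KAME"):      (True, True, False, False),
    ("FreeS/WAN", "Windows"):   (False, False, False, False),
    ("FreeS/WAN", "Solaris"):   (False, False, False, False),
    ("FreeS/WAN", "6WIND"):     (True, True, False, False),
    ("KAME", "Windows"):        (False, False, False, False),
    ("KAME", "Solaris"):        (False, False, False, False),
    ("KAME", "6WIND"):          (True, True, True, True),
    ("Windows", "Solaris"):     (False, False, False, False),
    ("Windows", "6WIND"):       (False, False, False, False),
    ("Solaris", "6WIND"):       (False, False, False, False),
}

def supports(sg1: str, sg2: str, mode: str) -> bool:
    """Order-independent lookup: the table lists each unordered pair once."""
    key = (sg1, sg2) if (sg1, sg2) in _RAW else (sg2, sg1)
    return _RAW[key][MODES.index(mode)]

def suitable_pairs(mode: str) -> list[tuple[str, str]]:
    """All unordered implementation pairs that support the requested mode."""
    return [p for p in combinations_with_replacement(IMPLS, 2) if supports(*p, mode)]

def full_coverage() -> list[str]:
    """Implementations that support every mode against themselves."""
    return [i for i in IMPLS if all(supports(i, i, m) for m in MODES)]

def check_matrix_complete() -> bool:
    """Sanity check: every unordered pair of IMPLS appears exactly once."""
    for a, b in combinations_with_replacement(IMPLS, 2):
        if a == b:
            if (a, a) not in _RAW:
                return False
        elif ((a, b) in _RAW) == ((b, a) in _RAW):  # missing or duplicated
            return False
    return True
```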
Results: Duration of IKE Negotiation
(bar chart "IKE Negotiation", y-axis 0 to 1.200; configurations compared: [PSKey] KAME, [PSKey] FreeS/WAN, [PSKey] KAME – F, [PSKey] 6WIND – K, [Cert] KAME, [Cert] 6WIND – K)
Results: RTT
(bar chart, x-axis "IPSec Solution", y-axis "rtt increase (%)" 0 to 25; implementations: KAME, 6WIND – K, FreeS/WAN, K – F; series: Static Keys (3DES-CBC), Static Keys (3DES-CBC, HMAC_MD5), Pre-shared Keys (3DES-CBC, HMAC_MD5), Certificates (3DES-CBC, HMAC_MD5))
Results: Conclusions
Duration of the IKE Negotiation:
- Using certificates does not increase the delay much
- Interoperability (between different implementations) implies a strong increase
RTT:
- Using authentication increases the RTT only slightly
- The use of IPsec increases the RTT by 15-20%
But ... it is true that implementations are far from being mature
Basic References
- UMU-PKIv6 - Public Key Infrastructure with IPv6 support: https://eriador.dif.um.es/ , https://pippin.dif.um.es/
- VPN Enforcement Tool: https://shire.dif.um.es/
- UMU-Policy Management Tool (old version of the IPsec Policy Schema): https://shire.dif.um.es/pmtool/