© Predictable Network Solutions Ltd 2016

RINA and Security
Security and RINA
Peter Thompson | CTO | Predictable Network Solutions
SDN World Congress 2016, The Hague, October 2016

Managing connectivity/association

Current networks struggle with managing connectivity/association
• Implicit association forces ad-hoc solutions
  • 802.1X
  • NAT/Firewalls
• Managing the configuration of these mechanisms is complex
  • Errors are easy to make and hard to fix
• Typical node attributes are easily spoofed
  • E.g. MAC address

RINA provides a framework to control association
• RINA protects layers instead of protocols
• Addressing scope is contained within DIFs
  • DIFs are securable containers, replacing firewalls
• Policy-based Authentication and Authorisation models
  • Enrollment in DIF
  • Connection between processes
  • All centrally managed via policies
• Allows Capability-based Access Control

Protecting layers instead of protocols

[Figure: an N DIF of IPC Processes running over an N-1 DIF, with an Application Process attached. Security functions are marked at each interface: joining a DIF (authentication, access control); operating on the IPCP's RIB (access control); sending/receiving PDUs through the N-1 DIF (confidentiality, integrity); application process to DIF (authentication, access control for DIF members, confidentiality, integrity); DIF operation logging.]

The architecture specifies where security-related functions are placed: all layers have the same mechanisms, programmable via policies.

Separation of mechanism from policy

[Figure: structure of an IPC Process beneath the IPC API. Data Transfer: SDU Delimiting, Data Transfer, Relaying and Multiplexing, SDU Protection. Data Transfer Control: Retransmission Control, Flow Control, State Vector (one per flow). Layer Management: RIB Daemon, RIB, CDAP Parser/Generator, CACEP, Enrollment, Flow Allocation, Resource Allocation, Routing, Namespace Management, Security Management (Authentication; Access control for layer management operations; Access control for joining the DIF; Coordination of security functions; Confidentiality, Integrity).]

• Don't specify/implement security protocols, only security policies
• Re-use common layer structure, re-use security policies across layers
• Only 2 protocols: EFCP for data transfer, CDAP for layer management
• This approach greatly simplifies the network structure, minimizing the cost of security and improving the security level
• "Complexity is the worst enemy of security" (B. Schneier)
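The bullets above make one point: the IPCP's SDU Protection component is a single mechanism, and what differs between DIFs is the policy plugged into it. The Python below is an added example written for this transcript, not code from the presenter, PRISTINE or IRATI. The configuration key sduProtectionPolicy, the policy names null and hmac-sha256, the sequence-number/tag wire layout, and the use of HMAC in place of the RSA-based policies the deck demonstrates are all assumptions. The same send/receive path carries PDUs under a null policy (a trusted point-to-point link) and under an integrity policy that drops a tampered SDU and a replayed one.

```python
"""SDU Protection as one mechanism with pluggable policies.

Added illustration, not code from IRATI, PRISTINE or the presenter. The
policy names, the DIF configuration keys and the wire layout are assumptions.
"""
import hashlib
import hmac
import struct


class NullSduProtection:
    """Policy for a trusted N-1 DIF (e.g. a point-to-point link): PDU passed as-is."""
    name = "null"

    def protect(self, pdu: bytes) -> bytes:
        return pdu

    def unprotect(self, sdu: bytes) -> bytes:
        return sdu


class HmacSduProtection:
    """Integrity policy: 64-bit sequence number, PDU, HMAC-SHA256 tag over both.

    HMAC stands in for the asymmetric/cryptographic policies the deck demonstrates;
    in a deployment the per-flow key would come from the key management architecture.
    """
    name = "hmac-sha256"
    SEQ_LEN = 8
    TAG_LEN = 32

    def __init__(self, key: bytes):
        self._key = key
        self._send_seq = 0
        self._last_seq = -1  # highest sequence number accepted so far

    def _tag(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def protect(self, pdu: bytes) -> bytes:
        header = struct.pack("!Q", self._send_seq)
        self._send_seq += 1
        return header + pdu + self._tag(header + pdu)

    def unprotect(self, sdu: bytes) -> bytes:
        if len(sdu) < self.SEQ_LEN + self.TAG_LEN:
            raise ValueError("sdu too short")
        header = sdu[:self.SEQ_LEN]
        body = sdu[self.SEQ_LEN:-self.TAG_LEN]
        tag = sdu[-self.TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(header + body)):
            raise ValueError("integrity check failed")
        seq = struct.unpack("!Q", header)[0]
        if seq <= self._last_seq:
            raise ValueError("replayed or out-of-order sdu")
        self._last_seq = seq
        return body


# The mechanism: one table maps the policy name in a DIF's configuration to a
# policy object. Nothing else in the data transfer path changes between DIFs.
POLICY_FACTORIES = {
    "null": lambda cfg: NullSduProtection(),
    "hmac-sha256": lambda cfg: HmacSduProtection(cfg["key"]),
}


def make_sdu_protection(dif_config: dict):
    """Instantiate whichever SDU Protection policy the DIF configuration names."""
    return POLICY_FACTORIES[dif_config["sduProtectionPolicy"]](dif_config)


def exchange(dif_config: dict, pdus: list, tamper_index=None, replay_index=None):
    """Send PDUs from one IPCP to another over an N-1 flow configured with dif_config.

    tamper_index flips one bit of that SDU in flight; replay_index re-sends that
    SDU at the end. Returns ('ok', pdu) or ('dropped', reason) per SDU received.
    """
    tx = make_sdu_protection(dif_config)
    rx = make_sdu_protection(dif_config)
    wire = [tx.protect(p) for p in pdus]  # constructed stand-in for the N-1 DIF
    if tamper_index is not None:
        damaged = bytearray(wire[tamper_index])
        damaged[0] ^= 0x01
        wire[tamper_index] = bytes(damaged)
    if replay_index is not None:
        wire.append(wire[replay_index])
    outcomes = []
    for sdu in wire:
        try:
            outcomes.append(("ok", rx.unprotect(sdu)))
        except ValueError as err:
            outcomes.append(("dropped", str(err)))
    return outcomes


if __name__ == "__main__":
    cfg = {"sduProtectionPolicy": "hmac-sha256", "key": b"constructed demo key"}
    for outcome in exchange(cfg, [b"hello", b"world"], tamper_index=1, replay_index=0):
        print(outcome)
```

With the null policy the same tampered SDU is delivered unchanged except for the flipped bit, which is the trade-off the slide's "policy, not protocol" approach makes explicit: the DIF operator chooses the policy per DIF according to how far the N-1 layer is trusted, and the data transfer code does not change.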

New access control architecture in PRISTINE

• Combines:
  • The adaptive and dynamic nature of the ABAC (attribute-based access control) model, and
  • The fine-grained authorisation provided by the CBAC (capability-based access control) model
• Exploits RINA layer management functions
  • Generic solution able to secure any layer management function
  • E.g. routing or flow allocation
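As an added example, not PRISTINE's design or code, the Python below shows one way the two models fit together: a capability token enumerates object scopes and operations (the CBAC part) and carries attribute conditions that are re-evaluated on every request (the ABAC part), and a small RIB front end uses the decision to guard layer management operations such as routing and flow allocation objects. The RIB object names under /routing/ and /flow-allocation/, the attribute names enrolled and trust, the token format and the HMAC-signed tokens are assumptions made for this example.

```python
"""Access control for layer management combining capabilities (CBAC) with
attribute conditions (ABAC).

Added illustration, not PRISTINE's design or code. Token format, RIB object
naming, the attribute names and the HMAC-signed tokens are assumptions.
"""
import fnmatch
import hashlib
import hmac
import json


class SecurityManager:
    """Stands in for the DIF's Security Management function: issues and checks
    capability tokens. A symmetric signing key is an assumption of this example."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key

    def _mac(self, body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def issue(self, subject: str, rights: list, conditions: dict, not_after: int) -> dict:
        """rights: [{"obj": "/routing/*", "ops": ["read", "write"]}, ...] (CBAC part).
        conditions: {"trust": ["high", "medium"], ...}, attribute -> allowed values,
        checked against the subject's current attributes at decision time (ABAC part)."""
        body = {"sub": subject, "rights": rights, "cond": conditions, "exp": not_after}
        return {"body": body, "mac": self._mac(body)}

    def verify(self, token: dict) -> bool:
        return hmac.compare_digest(token["mac"], self._mac(token["body"]))


def authorize(sm: SecurityManager, token: dict, subject: str, subject_attrs: dict,
              op: str, obj: str, now: int):
    """Policy decision for one layer management operation. Returns (allowed, reason)."""
    if not sm.verify(token):
        return False, "bad signature"
    body = token["body"]
    if body["sub"] != subject:
        return False, "token not issued to this subject"
    if now > body["exp"]:
        return False, "token expired"
    # ABAC: conditions are re-evaluated on every request, so a change in the
    # subject's attributes (e.g. lowered trust) takes effect without re-issuing tokens.
    for attr, allowed in body["cond"].items():
        if subject_attrs.get(attr) not in allowed:
            return False, f"condition on '{attr}' not met"
    # CBAC: the token itself enumerates object scopes and the operations on them.
    for right in body["rights"]:
        if fnmatch.fnmatchcase(obj, right["obj"]) and op in right["ops"]:
            return True, "granted"
    return False, "no right covers this operation"


class RibDaemon:
    """Minimal RIB front end: every CDAP-like operation is gated by authorize()
    and recorded, standing in for DIF operation logging."""

    def __init__(self, sm: SecurityManager):
        self._sm = sm
        self.objects = {}
        self.log = []

    def request(self, token, subject, subject_attrs, op, obj, now, value=None):
        allowed, reason = authorize(self._sm, token, subject, subject_attrs, op, obj, now)
        self.log.append((now, subject, op, obj, reason))  # logged whether or not allowed
        if allowed and op == "write":
            self.objects[obj] = value
        return allowed, reason


if __name__ == "__main__":
    sm = SecurityManager(b"constructed signing key")
    token = sm.issue("ipcp.router2",
                     [{"obj": "/routing/*", "ops": ["read", "write"]},
                      {"obj": "/flow-allocation/*", "ops": ["read"]}],
                     {"enrolled": [True], "trust": ["high", "medium"]}, not_after=1000)
    rib = RibDaemon(sm)
    attrs = {"enrolled": True, "trust": "high"}
    print(rib.request(token, "ipcp.router2", attrs, "write", "/routing/fsdb/link-3", 500, "up"))
    print(rib.request(token, "ipcp.router2", attrs, "write", "/flow-allocation/flow-7", 500))
```

Because the attribute check runs at decision time, lowering a member's trust attribute (for instance after an enrollment anomaly) revokes its effective rights immediately, while the capability list keeps the scope of what a routing IPCP can touch as narrow as the slide's "fine-grained authorisation" implies.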

Key management architecture

• Key material kept separate
  • Secure even if the management system is compromised
• Hierarchical structure
  • Scalability from delegation
  • Allows multi-tenant operation
  • Can integrate with existing key-management systems
• 'Key containers' in the RIB
  • Contain key state
  • No private key material
• Physical deployment depends on the level of trust of the environment
  • Reliable time-of-day clocks?
  • TPMs?

Resiliency in RINA

Resilient Routing
• Loop-free Alternate (LFA) fast re-route
• Routing table changes driven from RIB events
  • N-1 flow up
  • N-1 flow down
  • Flow State Database changed
• Shown that a distributed application exchanging messages between nodes is not affected by failure of links
• Whatever-cast
  • Transparent data replication

Load distribution/balancing
• No new components required
• Server clusters belong to a single DAF
• Exchange loading information
• DAPs can be (de)provisioned as required
• Distribution decisions can be taken in several locations
  • Choice depends on specifics of the scenario
  • Based on configurable policies
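The routing bullets above describe LFA fast re-route driven by RIB events rather than by periodic recomputation. The Python below is an added example, not the PRISTINE routing policy or IRATI code: it precomputes, for one IPCP on a constructed topology, a primary next hop and a loop-free alternate per destination using the basic RFC 5286 loop-free condition, switches the affected destinations to their alternate as soon as an "N-1 flow down" event arrives, and recomputes everything once the Flow State Database change is processed. Node names, link costs and the event method names are constructed for the example.

```python
"""Loop-free Alternate (LFA) fast re-route driven by RIB events.

Added illustration, not the PRISTINE routing policy or IRATI code. The topology,
node names and event method names are constructed; the loop-free condition is
the basic one from RFC 5286 (inequality 1).
"""
import heapq

INF = float("inf")

# Constructed topology of IPCPs in one DIF; link costs are symmetric.
TOPOLOGY = {
    "S": {"A": 1, "B": 1},
    "A": {"S": 1, "D": 1, "E": 1},
    "B": {"S": 1, "D": 2},
    "D": {"A": 1, "B": 2},
    "E": {"A": 1},
}


def dijkstra(graph: dict, src: str) -> dict:
    """Shortest-path cost from src to every reachable node."""
    dist = {src: 0}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, w in graph[u].items():
            if d + w < dist.get(v, INF):
                dist[v] = d + w
                heapq.heappush(heap, (d + w, v))
    return dist


def compute_routes(graph: dict, me: str) -> dict:
    """Primary next hop and, where one exists, an LFA next hop per destination.

    Neighbour N is a loop-free alternate for destination D at node S when
    dist(N, D) < dist(N, S) + dist(S, D): N will not route back through S.
    """
    dist_from = {n: dijkstra(graph, n) for n in graph}
    d_me = dist_from[me]
    routes = {}
    for dst in graph:
        if dst == me:
            continue

        def via(n):  # total cost to dst if n is used as next hop
            return graph[me][n] + dist_from[n].get(dst, INF)

        primary = min(graph[me], key=via)
        candidates = [n for n in graph[me] if n != primary
                      and dist_from[n].get(dst, INF)
                      < dist_from[n].get(me, INF) + d_me.get(dst, INF)]
        lfa = min(candidates, key=via) if candidates else None
        routes[dst] = {"primary": primary, "lfa": lfa}
    return routes


class ForwardingTable:
    """Per-IPCP forwarding state updated from RIB events rather than timers."""

    def __init__(self, graph: dict, me: str):
        self.graph = {u: dict(v) for u, v in graph.items()}
        self.me = me
        self._recompute()

    def _recompute(self):
        self.routes = compute_routes(self.graph, self.me)
        self.active = {dst: r["primary"] for dst, r in self.routes.items()}

    def on_n1_flow_down(self, neighbour: str) -> list:
        """Fast re-route: move affected destinations to their precomputed LFA at once.
        Returns destinations left without a next hop until the SPF rerun."""
        unreachable = []
        for dst, r in self.routes.items():
            if self.active[dst] != neighbour:
                continue
            self.active[dst] = r["lfa"]
            if r["lfa"] is None:
                unreachable.append(dst)
        return unreachable

    def on_fsdb_changed(self, down_neighbour: str):
        """Flow State Database update: drop the link and recompute primaries and LFAs."""
        self.graph[self.me].pop(down_neighbour, None)
        self.graph[down_neighbour].pop(self.me, None)
        self._recompute()


if __name__ == "__main__":
    ft = ForwardingTable(TOPOLOGY, "S")
    print("precomputed:", ft.routes)
    print("lost on A down:", ft.on_n1_flow_down("A"), "active:", ft.active)
    ft.on_fsdb_changed("A")
    print("after FSDB update:", ft.active)
```

On this topology S reaches D through A with B as a loop-free alternate, so traffic to D survives the S-A flow going down with no routing exchange at all; E has no alternate (B's shortest path to E runs back through S), so it stays unreachable until the Flow State Database update triggers the recomputation. That distinction is worth checking in any deployment relying on LFA: coverage depends on topology, and the RIB event ordering (flow down first, FSDB change later) is what bounds the outage.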

Demo: Service provider network

• Show that rogue customers / peers could only compromise e-mall DIFs
  • And to do that they would need access to the key material, provided authentication and SDU Protection policies are in place
• Show asymmetric key (RSA) and cryptographic SDU protection policies in action

[Figure: demo topology. A customer network (Host, CPE) connects over a PtP DIF to an Access router; the Access, Aggregation (MAN P.E.), Service Edge (Edge Service Router), Core (Core routers) and Internet Edge (Edge Routers) segments are joined by PtP DIFs, a MAN Access DIF and a Core Backbone DIF, with peering towards the ISP 1 and ISP 2 networks. Above these run the Service Provider Top Level DIF and two customer-facing DIFs, E-mall 1 DIF and E-mall 2 DIF. Three attacker positions are marked.]

Demo observation points

[Figure: layout of physical systems]

• Observe behaviour of authentication and SDU Protection policies
  • Flows over e-mall 1 DIF
  • Flows over e-mall 2 DIF

Thank you
[email protected]
www.pnsol.com
http://ict-pristine.eu