Download
slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
Transport Layer Security TLS in TWAMP New Mode for Control Protocol PowerPoint Presentation
Download Presentation
Transport Layer Security TLS in TWAMP New Mode for Control Protocol

Transport Layer Security TLS in TWAMP New Mode for Control Protocol

506 Vues Download Presentation
Télécharger la présentation

Transport Layer Security TLS in TWAMP New Mode for Control Protocol

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

    1. Transport Layer Security (TLS) in TWAMP ? New Mode for Control Protocol Al Morton November 9, 2008

    2. 2 Background Security measures were controversial for OWAMP and (quickly revisited for) TWAMP A compromise was reached (AES in CBC and ECB modes with HMAC for integrity protection). Key aspect of the *WAMPs packet loss possible in Test protocol, no retransmit OWAMP Security Considerations discuss why TLS is unsuitable in TEST protocol RFC 4656 OWAMP requires TEST protocol mode to inherit the CONTROL protocol mode.

    3. 3 Enter TWAMP Desire to add Mixed-Security Mode Encrypted Control, Unauthenticated Test Uses current methods AES-CBC & HMAC draft-ietf-ippm-more-twamp-00 @ WGLC? Running TWAMP Test in clear frees resources, Encrypted Control still valuable Question: Do implementers see value in adopting a TLS for the TWAMP-Control protocol? (With TWAMP-Test in the clear)

    4. 4 TLS Mode Investigation The NETCONF wg has reached consensus on a similar effort NETCONF over TLS draft-ietf-netconf-tls Requests a new TCP well-known port NETCONF Manager acts as TLS client NETCONF Agent listens as TLS server TLS Handshake (HS) begins with Manager/client sending TLS ClientHello After TLS HS, exchange NETCONF data

    5. 5 Modes Allowed with TLS ---------------------------------------------------- Protocol | Permissible Mode Combinations ---------------------------------------------------- Control | Unauth. | Encrypted | TLS ---------------------------------------------------- | Unauth. | Unauth. | Unauth. ------------------------------------------- Test | | Auth. | ------------------------------------------- | | Encrypted | ----------------------------------------------------

    6. 6 TLS Mode Feature (w-k port) C-C Server |---------->| TCP SYN (862) |<----------| SYN-ACK |---------->| ACK |<----------| Server Greeting TLS-Mode Feature, bit ? set |---------->| Set-Up-Response (mod) |<--------->| TLS Handshake |<----------| Server Start (mod)

    7. 7 Modes Field Assignment for TLS Value Description Reference/Explanation 0 Reserved 1 Unauthenticated RFC4656, Section 3.1 2 Authenticated RFC4656, Section 3.1 4 Encrypted RFC4656, Section 3.1 8 Unauth. TEST protocol, more-twamp memo (3) Encrypted CONTROL ------------------------------------------------------- ? TLS CONTROL protocol, new bit position (?) Unauth. TEST protocol

    8. 8 TLS Mode Feature (new port) C-C Server |---------->| TCP SYN (86x) |<----------| SYN-ACK (TLS Mode) |---------->| ACK |---------->| TLS ClientHello |<--------->| TLS Handshake |<----------| Server Greeting Only New Features, bits Y,Z set |---------->| Set-Up-Response (mod) |<----------| Server Start (mod)

    9. 9 Summary A way to use TLS on TWAMP-Control protocol is out there can probably count on SEC community to help But do we start on this n-year mission? Many issues raised in section 6.6 of OWAMP Will implementers/users see this as a valuable alternative to what we have now? Is this anybodys Ideal TWAMP ? Are there other questions we should ask? Lets talk about it, now and on the list

    10. Backup

    11. 11 Security Modes MUST Match RFC4656 OWAMP requires TEST to match the CONTROL protocol. All OWAMP-Test sessions that are spawned by an OWAMP-Control session inherit its mode. Maybe clarify with a MUST in Errata