한의약 표준화 발전방안 연구: 한-중 전통의학 표준화 정책 ... · 2016. 11. 3. · 표준화 인프라는 한의약 및 표준 관련 법, 제도, 계획의 정책적
IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 [email protected].
-
date post
22-Dec-2015 -
Category
Documents
-
view
234 -
download
6
Transcript of IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 [email protected].
![Page 2: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/2.jpg)
Outline
• IPSEC 관련 IETF WGs
• IPSEC WG
• IPSRA WG
• IPSP WG
![Page 3: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/3.jpg)
IPSEC 관련 IETF WGs
• IPSEC WG– 1993 년 발족– IP security protocols and algorithms 표준화
• IPSRA WG– 2000.3 월 1st WG meeting– Remote access issue
• IPSP WG– 2000.3 월 1st WG meeting– Policy issue
![Page 4: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/4.jpg)
IPSEC WG
![Page 5: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/5.jpg)
WG Goals
• 네트워크 계층에서– 보안 프로토콜과– 암호 알고리즘 표준을 개발하여– cryptographic security service 제공 :
• Authentication• Integrity• Confidentiality• Access Control
• 응용계층에서 – 네트워크 보안 프로토콜 및 키 관리 지원 프로토콜
![Page 6: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/6.jpg)
IPSEC Protocols
• 네트워크 계층 보안 프로토콜– AH (Authentication Header)– ESP (Encapsulating Security Payload)
• 응용계층 키 관리 프로토콜– IKE (Internet Key Exchange)
![Page 7: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/7.jpg)
AH protocol
• Authentication 알고리즘 이용• Integrity, Data Origin Authentication 서비스 제공
Next Header (8) Payload Length(8) Reserved (16)
SPI (Security Parameters Index) (32)
Sequence Number (32)
Authentication Data (32* n)
IP header AH header TCP, ….
![Page 8: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/8.jpg)
ESP protocol• Encryption 과 Authentication 알고리즘 이용• Integrity, Data Origin Authentication 및 Confidentiality 서비스
제공
Pad Length (8)Padding (0 - 255 Byte)
SPI (Security Parameters Index) (32)
Sequence Number (32)
Payload Data
Next Header (8)
Authentication Data (32* n)
Encry
ptio
nA
uth
entica
tion
IP header ESP header TCP, … Payload ESP Trailer ESP Auth.
![Page 9: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/9.jpg)
Security Association
• Simplex connection between two end-points • Affords security services to the traffic carried by it
AH or
ESP
SA
알고
리즘
AH or
ESP
SA
알고
리즘
Host or Security Gateway Host or Security Gateway
![Page 10: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/10.jpg)
Security Association (cont.)• 트래픽이 양방향이면 , 두개의 SA 필요• Flexible granularity
– 두 SG 간 모든 트래픽에 하나의 Encrypted Tunnel 을 이용 . 또는 , 두 SG 를 경유하는 각 Host 쌍 트래픽 마다 하나씩 여러 Encrypted Tunnel 을 이용
• Two modes– Transport mode SA: 호스트 간에만 적용– Tunnel mode SA: IP tunnel 에 적용
• SA Combination– 트래픽 스트림이 원하는 보안 서비스가 하나의 SA 로는 충족될 수
없을 때 , 두 개이상의 SA 를 결합– 4 가지 기본 결합 방식지원을 의무화
![Page 11: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/11.jpg)
IKE Protocol
• SA and Key Management Protocol– SA 협상 , 생성 , 관리– Key 생성 , 분배 , 갱신
• A hybrid protocol of – ISAKMP : framework, message format, phases– Oakley : key exchange modes– SKEME : public key encryption
![Page 12: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/12.jpg)
Phases of IKE Protocol• Phase I
– Establishment of secure and authenticated communication channel (IKE SA) and authenticated keys
– 4 Authentication methods• Preshared keys• Digital signature• Public key encryption• Revised public key encryption
– Main and aggressive modes
• Phase II– Establishment of IPSEC SA– Quick mode
![Page 13: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/13.jpg)
Main Mode with Signatures
Initiator Responder
HDR, SAHDR, SA
HDR, KE, NiHDR, KE, Nr
HDR*, IDii, [CERT,] SIG-I HDR*, IDir, [CERT,]
SIG-RHDR: Header SA: Security Association KE: Key Exchange
N: Nonce CERT: Certificate SIG: Signature
ID: Identity i: Initiator r: Responder
![Page 14: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/14.jpg)
Aggressive Mode with Signatures
Initiator Responder
HDR, SA, KE, Ni, IDiiHDR, SA, KE, Nr, IDir,
[CERT,] SIG-R HDR, [CERT,] SIG-I
HDR: Header SA: Security Association KE: Key Exchange
N: Nonce CERT: Certificate SIG: Signature
ID: Identity i: Initiator r: Responder
![Page 15: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/15.jpg)
Quick Mode in Phase II
Initiator Responder
HDR*, HASH(1), SA, Ni
[, KE] [, IDci, IDcr]HDR*, HASH(2), SA, Nr
[, KE] [, IDci, IDcr] HDR*, HASH(3) HDR: Header SA: Security Association KE: Key Exchange
N: Nonce ID: Identity
i: Initiator r: Responder
![Page 16: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/16.jpg)
IPSEC and NAT
• Traditional NAT (Network Address Translation)– Home network, SOHO network, etc.
• private addresses vs. globally unique addresses
– Basic NAT :
• one group of IP addresses --> another
– NAPT (Network Address Port Translation) :
• many network addresses/ ports --> single net. Addr/
ports
![Page 17: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/17.jpg)
NAT operation - example
Stub router w/NAT Stub router w/NAT
Regional router
Stub A Stub B
WAN
s = 198.76.29.7
d = 198.76.28.4
LAN
10.33.96.5
s = 10.33.96.5
d = 198.76.28.4
LAN
10.81.13.22
s = 198.76.29.7
d = 10.81.13.22
s = 198.76.29.7
d = 198.76.28.4
WAN
![Page 18: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/18.jpg)
NAPT operation - example
Stub router w/NAPT
Service Provider router
Stub A
WAN
s = 138.76.28.4, sport = 1024
d = 138.76.29.7, dport = 23
LAN
10.0.0.10
s = 10.0.0.10, sport=3017
d = 138.76.29.7, dport = 23
10.0.0.2
s = 138.76.29.7, sport = 23
d = 138.76.28.4, dport = 1024
10.0.0.1
s = 138.76.29.7, sport = 23
d = 10.0.0.10, dport = 3017
![Page 19: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/19.jpg)
Incompatibilities between NAT and IPSEC
• between IPSEC AH and NAT
• between checksums and NAT
• between IKE address identifiers and NAT
• between fixed IKE destination ports and NAPT
• between overlapping SPD entries and NAT
• between IPSEC SPI selection and NAT
• between embedded IP addresses and NAT
![Page 20: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/20.jpg)
Alternative Proposals
• UDP encapsulation– IKE and IPSEC packets are encapsulated in
UDP prior to being sent
• RSIP (Realm Specific IP)– addresses issues of IPSEC SPI demultiplexing
and SPD overlap
• IKE and checksum processing changes
![Page 21: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/21.jpg)
IPSRA WG
![Page 22: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/22.jpg)
Background
• Typical remote access in recent past– dial-up users via PSTN to network access server– PPP-based protocol – access control, authorization, and accounting functions
• RADIUS, TACACS, etc.
• Growing internet access via ISP • Advent of IPSEC• Remote access in future
– IPsec-based
![Page 23: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/23.jpg)
Problems to be solved• User authentication requires human interaction• IPSEC IKE supports authentication methods based on
public- key technology• Public key infrastructure for authentication of individual
human users will take longer time to be deployed• Legacy authentication systems will continue to exist for
a while– OTP, username/password, H/W authentication token, etc
• And remote host configuration and security access control issues must be solved
![Page 24: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/24.jpg)
WG Goals
• To define requirements and architecture– as an informational RFC
• To define user authentication mechanism– running IKE using legacy authentication mechanisms– standard track
• To define remote host configuration mechanism– standard track
• To define access control mechanism– security policy configuration– standard track
![Page 25: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/25.jpg)
Past Meetings
• 1st BOF• 2nd BOF
– Washington, 1999.11
• 1st WG meeting– 47th IETF, Adelaide, Australia, 2000.3
• 2nd WG meeting– 48th IETF, Pittsburgh, USA, 2000.8
• Next WG meeting– San Diego, next week
![Page 26: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/26.jpg)
Drafts
• No RFC• 3 WG drafts• Requirements draft (1)• Authentication drafts (2)
• Configuration draft (IPSEC WG draft)
• Some other drafts
![Page 27: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/27.jpg)
Requirement draft
• Currently, 02 version (2000.11)• Understanding requirements in a number of differing remote
scenarios– Some shared and some unique requirements
• Requirement categories– Endpoint Authentication– Remote host configuration– Security Policy configuration– Auditing– Intermediary Traversal
![Page 28: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/28.jpg)
Reference picture
Remote Access Client (IRAC)
Security Gateway (SGW/ IRAS)
Target network
Internet
![Page 29: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/29.jpg)
Endpoint Authentication
• Refers to verification of the identities of the communication partners – e.g., IRAC and IRAS
• Machine-level authentication• User-level authentication• Combined User/ Machine authentication
• Remote access authentication– typically asymmetric– good deal of variation in authentication requirements
for differing scenarios
![Page 30: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/30.jpg)
Remote Host Configuration
• Refers to network-related device configuration of the client system
• Parameters– IP address, subnet mask, broadcast address, host name,
domain name servers, default routers, MTU, default TTL, etc.
• Virtual address– virtual presence on the corporate network via an IPsec
tunnel
![Page 31: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/31.jpg)
Security Policy Configuration
• Refers to IPsec policy configuration of both the IRAC and IRAS
• For examples,– block the internet access to IRAC from outside world– For IRAS, particular user’s access could be controlled
via policies based upon the particular address (or the address from a specific pool)
![Page 32: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/32.jpg)
Auditing
• Refers to the generation and collection of connection status information
• Some accounting information– connection start time– connection end time– incoming octets– outgoing octets
• Maintains security and integrity of the connected network
![Page 33: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/33.jpg)
Intermediary Traversal
• Refers to the ability to pass secured traffic across intermediaries such as NAPT and firewalls
![Page 34: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/34.jpg)
Scenarios
• Telecommuters• Corporate to remote extranet• Extranet laptop to home corporate net• Extranet desktop to home corporate net• Remote dialup laptop (Road warrior) access• Public system to corporate network
![Page 35: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/35.jpg)
Telecommuters(Dialup/DSL/Cable modem)
IRAC
Corporate network
InternetModem ISP SGW
• Dialup/DSL/Cable modem telecommuters using their own home systems to access corporate resources
![Page 36: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/36.jpg)
Corporate to Remote Extranet
Corporate B
Internet SGW/FW
• Extranet users using their corporate desktop systems to access the remote company network of a business partner
SGW/FW
My Corporate A
User
![Page 37: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/37.jpg)
Extranet Laptop to Home Corporate Net
Corporate B
Internet SGW/FW
• Extranet users using their own laptop within another company’s network to access their home corporate network
SGW/FW
My Corporate A
Pop
FTP
Corp-A laptop
![Page 38: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/38.jpg)
Extranet Desktop to Home Corporate Net
Corporate B
Internet SGW/FW
• Extranet users using a business partner’s system (on that partner’s network) to access their home corporate network
SGW/FW
My Corporate A
Pop
FTP
Corp-A desktop
![Page 39: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/39.jpg)
Remote Dialup Laptop (Road Warrior) Acces
• Road warriors using their own laptop systems to access corporate resources via an arbitrary ISP dialup connection
• Virtually indistinguishable from the telecommuter scenario• Typically dialup is short-lived
![Page 40: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/40.jpg)
Public System to Corporate Network
• Remote users using a borrowed system (e.g., an airport kiosk) to access corporate resources
![Page 41: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/41.jpg)
Scenario Commonalities• User authentication is required in almost all cases• Machine authentication for IRAC is generally only useful
when combined with user authentication. Combined user and machine authentication is useful in some scenarios
• Machine authentication for IRAS is required in all scenarios
• Device configuration mechanism is required in most cases• Dynamic IRAC policy configuration is useful in several
scenarios• Most Scenarios require auditing• An intermediary traversal mechanism may be required in
any of the scenarios
![Page 42: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/42.jpg)
Authentication drafts
• Two proposals– Pre-IKE Credential Provisioning Protocol
• PIC draft
– Client Certificate and Key Retrieval for IKE• getcert draft
![Page 43: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/43.jpg)
PIC draft
• One of approaches of integrating legacy authentication mechanisms into IKE
• WG draft• Currently 01 version (2000.9)
– Switched from XAuth to EAP for legacy authentication
• Use simplified ISAKMP/ IKE • Use EAP (Extensible Authentication Protocol,
RFC 2284) • No modification to IKE
![Page 44: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/44.jpg)
PIC Architecture
Client/User
Authentication Server (AS)
Legacy Authentication Server (LAS)
Security Gateway (SGW)
Optional Link
![Page 45: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/45.jpg)
PIC Protocol• Three main stages in PIC protocol (Btw Client and AS)
– establish one-way trust relationship. A secure channel from the client to the AS is created (Server authenticated)
– Legacy authentication is performed over this channel. Use EAP tunneled within ISKMP (User authenticated)
– The AS sends the client a (typically short-term) credential which can be used in subsequent IKE exchanges
• The credential can be thought as– a certificate, – a private key generated or stored by the AS and
accompanied by a corresponding certificate, or – symmetric secret key
![Page 46: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/46.jpg)
Getcert draft• The architecture is similar to PIC’s
– integrate legacy authentication into IKE– use the separated AS
• The differences is in the details:– use TLS and HTTP rather than EAP, ISAKMP/IKE
• Client-side certificate generation option was selected by straw poll, among 4 proposals
• approved as a WG draft in 2000.11• Currently 00 version
![Page 47: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/47.jpg)
Configuration (DHCP) draft• Virtual presence is useful
– using virtual IP address and then tunneling
• DHCP meets requirements of a host with IPSEC tunnel mode interface
• No modification to DHCP is required• draft is stable (currently 08, 현재 WG last call 진행중 )
Virtual host
SGW/ DHCP relay
Target network
Internet
DHCP server
Remote host virtual presence
Externally visible host
![Page 48: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/48.jpg)
Configuration Steps
• Establish IKE SA between IRAC and IRAS• Establish DHCP SA between IRAC and IRAS• Exchange DHCP messages between IRAC and
DHCP server– using IRAS as a DHCP relay
• Establish IPSEC SA and start to communicate
![Page 49: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/49.jpg)
Topic of next week
• Requirement– report update
• PIC and getcert– no agreement yet
• DHCP– near closure
![Page 50: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/50.jpg)
IPSP WG
![Page 51: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/51.jpg)
Backgrounds• Rapid growth of the need to control access to
network resources(BW, routers, hosts,…)
• The scope of IPSEC IKE limits the protocol to the authenticated exchange of keying material and associated policy information between the end-points of a security association
• However, along the path of a communication, there may be administrative entities ...
![Page 52: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/52.jpg)
WG Goals
• To specify information model and data model for supporting IP security policies
• To develop an policy specification language• To provides guidelines for the provisioning of
IPSEC policies using existing policy distribution protocols– profiles for LDAP, COPS, SNMP and FTP
• To develop a policy exchange and negotiation protocol– discovering policy servers, distributing and negotiating
policy, and resolving policy conflicts
![Page 53: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/53.jpg)
Past Meetings
• BOF– 1999.3
• 1st WG meeting– 47th IETF, Adelaide, Australia, 2000.3
• 2nd WG meeting– 48th IETF, Pittsburgh, USA, 2000.8
![Page 54: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/54.jpg)
Drafts
• No RFC and 7 Internet drafts
• Policy Specification Language draft• Model draft• SPP draft• Architecture draft• Requirement draft• PIB draft• Roadmap draft
![Page 55: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/55.jpg)
Simple Scenario
• Host A wishes to communicate with Host B, using a strong encryption
• Host A needs to determine– what its local policy (w.r.t. the comm. with B) is– what B’s policy (w.r.t. the same comm.) is– what SGs if any are in between A and B– what their policies (w.r.t. that comm.) is
Host A Host BSG1 SG2
![Page 56: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/56.jpg)
Simple Scenario (cont.)• Depending on the individual policies involved ,
Host A may establish any combination of these SAs:– SA between Host A and Host B– SA between Host A and SG1– SA between Host A and SG2 – SA between SG1 and SG2– SA between SG1 and Host B– SA between SG2 and Host B
![Page 57: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/57.jpg)
IPSP Architecture• Use of SPP protocol for SG discovery and policy
distribution
• Use of trust management to resolve policies
• Use of language to exchange policies
• Most of the burden of discovering and processing policy is placed on the initiator.– Such as policy resolution operation
• IPsec policy is defined in terms of local policy and signed policy statements from trusted entities
![Page 58: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/58.jpg)
Security Policy Protocol
• Protocol for discovering, accessing and processing the security policy information
Host A Host BSG1 SG2
Policy Server A
Policy Server B
Q1/R1 Q2/R2
Q2/R2
Q2/R2 Q3/R3
![Page 59: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/59.jpg)
SPP Message• Message = header + payload
• 6 message types– Query, Reply, Policy, Policy Ack, Transfer, KeepAlive
• 3 Payload types– Query: SG, Comsec, Certificate– Record: SG, Comsec, SA, Certificate, Policy
server, Transfer– Signature: RSA, DSA
• 메시지는 전자서명으로 인증
![Page 60: IPSEC 표준화 동향 이 계 상 정보통신공학과 동의대학교 ksl@dongeui.ac.kr.](https://reader036.fdocuments.net/reader036/viewer/2022081512/56649d7a5503460f94a5e9a3/html5/thumbnails/60.jpg)
Summary
• IPSEC 관련 IETF WG 작업 내용 요약– IPSEC WG– IPSRA WG– IPSP WG
• Remote access 는 IPSEC 구축의 중요 부분
• 자동적이고 효율적인 IPSEC Policy management 는 망 운영에 매우 중요