
59th IETF, Seoul draft-palet-v6ops-ipv6security-00.txt 1

IPv6 distributed security requirements

<draft-palet-v6ops-ipv6security-00.txt>

Jordi Palet (jordi.palet@consulintel.es), Alvaro Vives (alvaro.vives@consulintel.es), Gregorio Martinez (gregorio@dif.um.es), Antonio Skarmeta (skarmeta@dif.um.es)


Motivation

  • Current security policies no longer apply to end-to-end security with IPv6
    – Border firewall = bottleneck
  • Users and devices start to be “nomadic”
    – “Static” security set-ups are the wrong approach
  • Different visited networks have different security requirements
    – Manual changes are dangerous
    – Will not be acceptable for the network manager
  • An increase in security means an increase in processing power
    – Distribution of the security “overhead” could be a solution


Approach for Solution

  • Extensive use of “personal firewalls”
    – Can cope with “interior” security
  • Personal firewalls should be enabled by default
  • They should look for a security policy manager in the visited network
    – Acquire and implement the required local policy
    – If their processing capabilities are exceeded, then rely on a distributed firewall approach
  • If an IDS is present, the “local” security policy manager can get feedback from it and suggest security changes to the complete network
  • Can we cope with viruses and spam?

Concepts

  • Attack/Threat: Either passive or active
  • Security (S): Protection against attacks + IPsec
  • Policy Management Tool (PMT): Used by the network administrator to edit the policies
  • Policy Decision Points (PDP): Entities that distribute S policies
  • Security Policy (SP): Information used by the PDP to provide S
  • Policy Enforcement Points (PEP): Apply S (clients)
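The PEP/PDP flow of the two preceding slides (personal firewall on by default, acquire the visited network's SP, hand rules beyond own capacity to the distributed firewall, IDS feedback routed through the PDP) as a toy Python model. This is an added example, not code from the draft; the rule format, the network names, the capacity figure and the "prepend a deny rule" reaction to an IDS alert are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    proto: str   # "tcp", "udp", "icmpv6" or "any"
    dport: int   # 0 matches any destination port

@dataclass
class PDP:
    """Policy Decision Point: one Security Policy (SP) per managed network."""
    policies: dict

    def ids_alert(self, network: str, proto: str, dport: int) -> list:
        """IDS feedback: prepend a deny rule and republish the network's SP."""
        self.policies[network].insert(0, Rule("deny", proto, dport))
        return list(self.policies[network])

@dataclass
class PEP:
    """Policy Enforcement Point: a personal firewall that is on by default;
    without an SP every packet falls through to the default deny."""
    capacity: int                                  # rules this host evaluates itself
    local: list = field(default_factory=list)
    delegated: list = field(default_factory=list)  # share handed to the network firewall

    def install(self, sp: list) -> None:
        """Acquire the visited network's SP; rules beyond own capacity go to
        the distributed (network) firewall with their order preserved."""
        self.local, self.delegated = sp[:self.capacity], sp[self.capacity:]

    def decide(self, proto: str, dport: int) -> str:
        """First match over the host's own rules, then the delegated ones."""
        for r in self.local + self.delegated:
            if r.proto in ("any", proto) and r.dport in (0, dport):
                return r.action
        return "deny"

def demo() -> dict:
    pdp = PDP({"office": [Rule("allow", "tcp", 22), Rule("allow", "tcp", 443), Rule("allow", "udp", 53)],
               "hotspot": [Rule("allow", "tcp", 443)]})
    pep, out = PEP(capacity=2), {}
    out["default_https"] = pep.decide("tcp", 443)        # no SP yet: default deny
    pep.install(pdp.policies["office"])                  # attach to office: acquire local SP
    out["office_dns"] = (pep.decide("udp", 53), len(pep.delegated))  # 3rd rule on network fw
    pep.install(pdp.ids_alert("office", "tcp", 22))      # IDS feedback: PDP pushes updated SP
    out["office_ssh_after_alert"] = pep.decide("tcp", 22)
    pep.install(pdp.policies["hotspot"])                 # roaming: hot-spot SP replaces office SP
    out["hotspot_ssh"] = pep.decide("tcp", 22)
    return out
```

`demo()` walks one nomadic host through the office network, an IDS alert and a hot-spot; the PEP only ever re-installs what the PDP hands it, so a policy change is visible on the host exactly when the PDP republishes.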


Actual Security Scheme

[Diagram: a THREAT from the INTERNET reaches a network where a single PDP holds Security Policy 1 and Security Policy 2 and protects the SERVERS and CLIENTS]


Distributed Security Scheme

[Diagram: same THREAT from the INTERNET; the PDP holds Security Policy 1 and Security Policy 2, raises an ALERT, and SERVERS (PEP) and CLIENTS (PEP) run with DEFAULT TRUST ON SEC. POLICY distributed by the PDP]


Distributed Security Example

[Diagram: THREAT from the INTERNET; a PDP with Security Policy 1 and Security Policy 2 raises an ALERT; an SP SERVER distributes the policy with DEFAULT TRUST ON SEC. POLICY to a nomadic host moving between OFFICE, HOT-SPOT and HOME]