
May 2007
doc.: 21-07-0212-00-0000
Slide 1: Secure Mobile Architecture (SMA) Basics for IEEE 802.21
SMA Demo Team, Math & Computing Technologies
Submission
Richard Paine, Boeing
doc.: IEEE 802.21-07/0212r0
Slide 2: IEEE 802.21 presentation release statements
This document has been prepared to assist the IEEE 802.21 Working Group. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.21.
The contributor is familiar with IEEE patent policy, as outlined in Section 6.3 of the IEEE-SA Standards Board Operations Manual <http://standards.ieee.org/guides/opman/sect6.html#6.3> and in Understanding Patent Issues During IEEE Standards Development <http://standards.ieee.org/board/pat/guide.html>.
Slide 3: Agenda
• Motivation and Problem Statement
• Review of SMA Components
  • Public Key Infrastructure (PKI)
  • Host Identity Protocol (HIP)
  • Network Directory Service (NDS)
  • Location Enabled Network Service (LENS)
Slide 4: SMA Motivation and Problem Statement
• BCAG Business Segment Need is Total Secure Communications in the Factory (Cellular/WLAN/Fixed Wireless/Cable Replacements/Roam across Subnets)
• IDS Business Segment Need is Secure Mobile Communications (multi-level security, ad hoc, cross-subnet roaming, discovery)
• Works with any MAC, has Uniform Method of Security and Handles Layer 2 Mobility
• Utilizes Cryptographic Identities and Authorization
• Addresses most major Communications and Security Concerns in Networking
• Need to Treat IP as an Insecure Transport Layer
• Secures both Wired and Wireless (as in VOIP calls)
Slide 5: What is “SMA”?
Secure: Cryptographic identities are associated with each and every packet.
Mobile: Mobility-driven address changes are transparent to applications & connections.
Architecture: Significantly improves our Enterprise network architecture by providing:
• Improved flexibility and agility
• Network-enforced, end-to-end security
• Centralized access control with delegated authority
• Reduced operational cost and complexity
• Uniform internal/external access method
Slide 6: Agenda (same list as Slide 3)
Slide 7: SMA Elements
PKI: Public Key Infrastructure
HIP: Host Identity Protocol
NDS: Network Directory Services
+ LENS: Location-Enabled Network Services
= SMA: Secure Mobile Architecture
Slide 8: SMA Elements: PKI (same element list as Slide 7)
Slide 9: SMA Elements: PKI
TempCert Provisioning Process
[Diagram: Client holding a Badge cert reaches the RA through an SSL/TLS Tunnel (step 1); the RA, backed by Boeing PKI and SLDAP, returns a Temp cert (step 2).]
1) Badge used for Client Auth; TempCert request sent to RA
2) RA issues TempCert
3) Client has TempCert available for 8-16 hours
Slide 10: SMA Elements: HIP (same element list as Slide 7)
Slide 11: SMA Elements: HIP
HIP Overview
• Background
  • Original concept developed by Bob Moskowitz
  • Experimental RFCs now in last call in the IETF
  • Boeing heavily involved in RFC development (Tom Henderson)
    – Linux implementation released as Open Source
    – Windows implementation soon to be released
  • Other major players: Cisco, Ericsson, NEC, Siemens, NTT DoCoMo, universities
• HIP provides opportunistic pair-wise SA’s
  • Somewhat like IPSec
  • Client Cert retrieved from LDAP directory
  • SA based on identity, not IP address
  • SA established/managed by an IP control channel
  • SA data flows through ESP-IP packets
  • Mobility events handled in IP stack via HIP UPDATE packets
Slide 12: SMA Elements: HIP
HIP-Enabled Secure Communications
[Diagram: Initiator and Responder hosts. User space on each side: Application (PF_INET socket) and HIP Daemon (PF_RAW and PF_KEY sockets); the two HIP Daemons carry out the HIP Handshake. Kernel space on each side: IP Stack, IPSec and Key Engine. Between the kernels flows IPSec ESP Data, identified by SPI, not IP Address.]
Slide 13: SMA Elements: HIP
Host Identity (HI) is a public/private key pair:
• Identity defined by holder of private key
• Public key used by others to authenticate control messages
SHA-1 hash of public key forms a “Host Identity Tag (HIT)”
- used where 128 bit fields are needed
- self-referential (i.e., HIT can be securely used instead of HI)
[Diagram: packet layout of IP header, then IPSec (ESP) header, then encrypted header and transport payload. The HIT is implied by the SPI value in the IPsec header, so HIP incurs no per-packet overhead.]
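An added Python model of the HIT derivation on this slide and of the HIP UPDATE mobility handling mentioned on Slide 11; it is not code from the slides or from Boeing's HIP implementation. The function names, the choice to keep the first 16 bytes of the SHA-1 digest, the sample key and the locator addresses are assumptions of this example.

```python
"""HIT derivation, HIT-to-HI verification and a HIP UPDATE locator change,
modelled on slides 11 and 13. Simplified: the HIP RFCs place the hash inside
an ORCHID IPv6 prefix and sign UPDATE packets with the HI; both are omitted."""
import hashlib
import ipaddress
from typing import Optional


def hit_from_hi(public_key: bytes) -> ipaddress.IPv6Address:
    """SHA-1 yields 160 bits; the first 128 are kept (which 128 bits to keep
    is an assumption of this example) so the tag fits a 128-bit field."""
    digest = hashlib.sha1(public_key).digest()
    return ipaddress.IPv6Address(digest[:16])


def hit_names_hi(claimed_hit: str, public_key: bytes) -> bool:
    """Self-referential property: a verifier given the full HI recomputes the
    HIT, so the short HIT can safely stand in for the HI."""
    return ipaddress.IPv6Address(claimed_hit) == hit_from_hi(public_key)


class LocatorTable:
    """Identity-to-IP binding as held by the SMA directory: entries are keyed
    by HIT, so a mobility event changes the locator and not the identity."""

    def __init__(self) -> None:
        self._locators = {}

    def register(self, public_key: bytes, ip: str) -> str:
        hit = str(hit_from_hi(public_key))
        self._locators[hit] = ip
        return hit

    def locator_for(self, hit: str) -> Optional[str]:
        return self._locators.get(hit)

    def hip_update(self, claimed_hit: str, public_key: bytes, new_ip: str) -> bool:
        """Accept an UPDATE only when the presented HI really hashes to the HIT
        being moved; otherwise any host could redirect another's binding."""
        if claimed_hit not in self._locators:
            return False
        if not hit_names_hi(claimed_hit, public_key):
            return False
        self._locators[claimed_hit] = new_ip
        return True


# Constructed sample HI (not a real key; in HIP this is the host's RSA/DSA
# public key). Locators in the tests use RFC 5737 documentation addresses.
SAMPLE_HI = b"constructed-sample-host-public-key"
```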
Slide 14: SMA Elements: NDS (same element list as Slide 7)
Slide 15: SMA Elements: NDS
Directory Information Flow
• Support for real-time endpoint mobility & location data
• Future integration with Boeing DNS and directory (CED, NAMS-ng) infrastructure
[Diagram: inside the Enterprise Security Perimeter, a Virtual Directory together with a Policy Decision Daemon, Location Server, DNS Proxy and Middleboxes; Clients reach the directory over SLDAP.]
Slide 16: SMA Elements: NDS
Two-Stage Client Provisioning
[Diagram: Enterprise Provisioning Process (Directory, SLDAP, AAA Server, RA) alongside a Generic ISP Provisioning Process (DHCP Server, DNS, 802.11 Access Point); the Client performs step 1 and step 2 below.]
1) HardCert authentication for TempCert
2) Identity-to-IP update in Directory
Slide 17: SMA Elements: LENS (same element list as Slide 7)
Slide 18: SMA Elements: LENS
Location Architecture
[Diagram: Boeing Intranet connecting a Passive Tag Gate, Location Computation Server, Location Distribution Server & Policy, Directory, AAA Server and a Location Requesting Client.]
Slide 19: SMA Elements (same element list as Slide 7)
Slide 20: What has Changed between 2004 and 2006 Demos
Element | 2004 | 2005 | 2006
PKI | Smart Cards; Temp Certs; Boeing PKI | No Change; TCG Recommendations | No Change
HIP | Linux Client (Opensource); HIP Web Server | Windows XP Client (Opensource); Endbox; Cellular to WLAN Handoffs | Mobile Demo; Secure SCADA on 777 Crawlers; VOIP Handoffs
NDS | Location-Based Policy Enforcement (Polling LDAP) | Location-Based Policy Enforcement (Pub-Sub Using IBM MQ Series); Scales to Enterprise | 
LENS | Simulated Location Server | Aeroscout Location Server (Blv & 40-26); Location Events thru Pub-Sub; Live Location Updates | Network Location Service (NLS)
Slide 21: Agenda
• SMA Technology Transfer
  • Location
  • Secure Layer 2 Mobility
  • Pub-Sub
  • SMA Policy-Based Networking Using Location
  • Endbox
  • Secure VoWLAN
• SMA in the Boeing Enterprise and Battlespace
• CY’07 plans
• Q&A
Slide 22: Everett Manufacturing Site
WLAN 802.11-based RTLS/LENS Pilot
Slide 23: Everett 40-26 (TDOA)
[Diagram: Time Synchronizers and TDOA Location Devices]
Slide 24: RFID Components
• Active tags send an identifier string
  • AeroScout: Unique 802.11 MAC address
  • Programmable “chirp” rate
• Location is computed using a combination of
  • Signal strength measurements
    – Both Cisco AP’s and AeroScout “Location Receivers”
  • Time-of-Flight triangulation
    – AeroScout “Location Receivers” only
    – We expect this capability to be added to Cisco AP’s in a few years
Slide 25: Everett Location Policy Enforcement
[Site map]
Slide 26: C17 Factory
[Image]
Slide 27: F15/F18 Factory
[Image]
Slide 28: Other Factories to Get NLS
• Fredrickson
• Auburn
• Everett
Slide 29: Agenda (same list as Slide 21)
Slide 30: 2005 SMA Cellular to WLAN Handoff
• Real-time WLAN <-> Cellular mobility demonstration
[Diagram: Bellevue site 130.42.32.0/24 with PKI, Directory, AAA Server, TempCert RA, LPDD, Cisco Switch, three APs and a Netscreen; PW Namespace: mct.phantomworks.org. The SMAmobile moves between IP Address A on the WLAN and IP Address B reached through the cellular MSC and the Internet.]
Slide 31: 2006 SMA Secure VOIP Handoff
[Diagram: components include Router, APs, towers (Twr), DNS, Location Servers, LPDDs, Directories, TempCert RAs, AAA Server, Navy PKI, WiMAX Switch, WiFi Switch, message brokers (Msg Brkr), Robot Controller and Robots, smaX/SMAx, VOIP smamobiles and a Cellular Smamobile; several HIP SAs are drawn between the mobile endpoints. DNS Namespace: mobile.tl.boeing.com.]
Slide 32: 2007 SMA VoWLAN for FactoryNet
[Diagram: Boeing Intranet and Internet; components include Router, APs, towers (Twr), DNS, TempCert RAs, Location Servers, LPDDs, Directories, AAA Server, Navy PKI, WiMAX Switch, WiFi Switch, message brokers (Msg Brkr), Robot Controller and Robots, smaX/SMAx, VOIP smamobiles and a Cellular Smamobile; several HIP SAs are drawn between the mobile endpoints. DNS Namespace: mobile.tl.boeing.com.]
Slide 33: Agenda (same list as Slide 21)
Slide 34: 2004 SMA Directory Service
[Diagram: Clients send Status Updates (IP) to LDAP, which holds DNS, Policies and Locations; a Decision Daemon reads Status and Locations; a simulated location server (Sim LS) supplies Locations.]
Slide 35: Prototype Pub-Sub Messaging Architecture
[Diagram: Message Broker Infrastructure with Connectors for an RDBMS (SQL), a Barcode Scanner, a Passive Tag DCS and an RTLS Location Server; a Content Connector with Subscription Manager and Content Subscriptions; an Event Consumer; a DCS Event Consumer marked Possible Future Enhancement.]
Slide 36: Pub-Sub Detail for FactoryNet
• RTLS Location
[Diagram: Message Broker Infrastructure with Connectors for the RTLS Location Server, RFID Server, Sensor Server (Updates), LDAP Status Updates and the Policy Decision Daemon (Locations, Status); HIPD endpoints exchange Initial Query / Response; a Content Connector with Subscription Manager, Content Subscriptions and Interest; an Event Consumer. First Year: Polling; Second Year: Pub-Sub.]
Slide 37: Agenda (same list as Slide 21)
Slide 38: Asset Tracking and Supply Chain Vision
E&IT | Mathematics and Computing Technology; Boeing Technology | Phantom Works
Passive Tag Gate(s)
• 866-957MHz Passive Tag RFID Systems (Internationally Available frequencies)
• RFID RF Containment Device
• Tags only have innocuous number unless they are equipped with encryption processor on tag
• Wireless Baseline Scans for every installation
• Integrity protection
• Enterprise RLAN/RFID Management Council
• Enterprise RLAN/RFID Technical Council
• WPA or WPA2
• IEEE 802.11 or 802.15.4 915MHz Sensors
• IEEE 802.11 Active RFID Tags (innocuous number)
• Encourage new serial cable replacements to those that use WPA
[Diagram: Boeing Intranet connecting Passive Tag Gate(s), Location Computation Server, RFID Information Repository, Location Distribution Server & Policy, Directory, AAA Server and a Location Requesting Client.]
(Figure from Wireless_Application_Group_(WAG)_Vision_and_Arch_6-9-05.ppt, slide 43; Copyright © 2004 Boeing. All rights reserved.)
Slide 39: Agenda (same list as Slide 21)
Slide 40: Endbox (Crawlers)
• HIP Endbox
  • Uses robust wireless network infrastructure securely
  • Strong one factor authentication using SIM chip
[Diagram: SMA End-to-End Security Association over Enterprise WLAN between Controller and HIP Bridge.]
Slide 41: 2005 SMA Endbox Demonstration
• Real-time SMA Endbox mobility demonstration
[Diagram: Bellevue site 130.42.32.0/24 with TempCert RA, PKI, Directory, AAA Server, LPDD, Cisco Switch and three APs; Boeing Namespace: Mobile.tl.boeing.com; HIP SA between the SMAmobile Robot and the SMAmobile Robot Controller.]
Slide 42: Crawler Connected to WLAN w SMA
[Image]
Slide 43: Present Tech Transitions from SMA
• Network Location Service (NLS) deployed by Boeing IT
• 777 Crawlers – SMA/HIP Endbox (FactoryNet)
• HIP Bridge – enables legacy Ethernet equipment to use SMA in the factory (FactoryNet)
• Any Controller to Robot mobile secure communications in the factory (FactoryNet)
• Secure Handoff Using End-to-End HIP-Enabled Security Association (SA)
Slide 44: Lessons for 802.21
• Secure mobile handoff is possible using HIP
• Seamless secure mobility is possible
• SCADA solutions being deployed
• Discussions ongoing about securing governmental utility infrastructure using mobile secure methods