May 2005
doc.: IEEE 802.11-05/0373r0
Secure Mobile Architecture
Date: 2005-03-13
Authors:
Name: Richard Paine
Company: Boeing
Phone: 206-854-8199
Email: [email protected]
Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in
this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE
Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit
others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.11.
Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures <http://ieee802.org/guides/bylaws/sb-bylaws.pdf>, including the statement
"IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents
essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is
essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair
<[email protected]> as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being
developed within the IEEE 802.11 Working Group. If you have questions, contact the IEEE Patent Committee Administrator at <[email protected]>.
Submission
Slide 1
Richard Paine, Boeing
Slide 2
SMA Demonstration
Dec. 2004
SMA Demo Team
Math & Computing Technologies
BOEING is a trademark of Boeing Management Company.
Copyright © 2004 Boeing. All rights reserved.
NGI_SMA_Demoslides-rev7.ppt | 12/6/2004
Slide 3
Agenda
Boeing Technology | Phantom Works
E&IT | Mathematics and Computing Technology
• Video Introduction
• Motivation and Problem Statement
• Overview of SMA Components
  • PKI, HIP, NDS, LENS
• Demonstration
  • Component overview
  • Provisioning
  • Mobility (IP Address change)
  • Location-based Policy enforcement
  • Rule-based policy enforcement
• Application to Boeing Enterprise
• CY’05 plans
• Q&A
NGI_SMA_DemoSlides 9-Apr-17
Slide 4
Agenda
Slide 5
What is “SMA”?
Secure: Cryptographic identities are associated with each and every packet.
Mobile: Mobility-driven address changes transparent to applications & connections.
Architecture: Significantly improves our Enterprise network architecture by providing:
• Improved flexibility and agility
• Network-enforced, end-to-end security
• Centralized access control with delegated authority
• Reduced operational cost and complexity
• Uniform internal/external access method
Slide 6
So what is the problem?
• Cost and complexity of managing current network infrastructure is quickly becoming unmanageable
• We have a growing need for flexibility, mobility and user diversity
• We are quickly becoming an ISP for our suppliers, vendors and customers
  – How do we affordably enforce AAA requirements for this diverse population?
• Wireless networking is revolutionizing our factory and office environments
  – How do we support the needs of emerging e-enabled factories, products, and mobile workers?
• We need a secure, agile network infrastructure that can quickly adapt to new requirements and emerging network technologies.
Slide 7
Agenda
Slide 8
SMA Elements
PKI: Public Key Infrastructure
HIP: Host Identity Protocol
NDS: Network Directory Services
+
LENS: Location-Enabled Network Services
SMA: Secure Mobile Architecture
Slide 9
SMA Elements: PKI
Slide 10
SMA Elements: PKI
• Boeing has begun deployment of a PKI using
  • A hierarchical trust chain of X.509 certificates
  • “Server”, “Personal” and “SecureBadge” certificates
• Certificates contain:
  • Identity (user, machine, etc.)
  • Public Key
  • Cryptographic signature by trusted authority
• Private Key:
  • Holder is “owner” of certificate identity
  • Usually protected by a password or PIN
• Soft Certificates (“SoftCerts”):
  • File-based private key
• Hard Certificates (“HardCerts”):
  • Private key on hardware token (Smartcard, SIM, etc.)
  • Signing/decrypting done with on-board computing resources
Slide 11
SMA Elements: PKI
• HardCert advantages
  • Difficult to subvert or duplicate
  • Portable — user can carry token between computers
• HardCert disadvantages
  • Limited on-board computing speed and communications
• Use “TempCerts” to bridge this gap:
  • A SoftCert with delegated, short time-validity
  • Issued to a user/machine after HardCert authentication
  • Advantages
    • Reduced exposure to SoftCert subversion/duplication
    • SoftCert performance
      – Needed for HIP security associations
    • Quickly installable/removable on “shared devices”
      – Useful in “factory tool room” type shared device domain
Slide 12
SMA Elements: PKI
TempCert Provisioning Process
[Figure: Client (Badge cert) opens an SSL/TLS Tunnel to the RA (step 1); the RA talks to the Boeing PKI over SLDAP and returns a Temp cert to the Client (step 2)]
1) Badge used for Client Auth; TempCert request sent to RA
2) RA issues TempCert
3) Client has TempCert available for up to 8 hours
Slide 13
SMA Elements: HIP
Slide 14
SMA Elements: HIP
HIP Overview
• Background
  • Original concept developed by Bob Moskowitz
  • Currently exists as IETF “Experimental RFC”
  • Boeing heavily involved in RFC development
    – Linux implementation released as Open Source
    – Windows implementation soon to be released
  • Other major players: Cisco, Ericsson, NEC, Siemens, NTT DoCoMo, universities
• HIP provides opportunistic pair-wise SA’s
  • Somewhat like IPSec
  • Client Cert retrieved from DNS or LDAP directory
  • SA based on identity, not IP address
  • SA established/managed by an IP control channel
  • SA data flows through ESP-IP packets
  • Mobility events handled in IP stack via HIP READDR packets
Slide 15
SMA Elements: HIP
HIP-Enabled Secure Communications
[Figure: Initiator and Responder hosts. User space on each side: Application (PF_INET) and HIP Daemon (PF_RAW, PF_KEY). Kernel space on each side: IP Stack, IPSec, Key Engine. The HIP Handshake runs between the two HIP Daemons; IPSec ESP Data flows between the IP stacks, identified by SPI, not IP Address.]
Slide 16
SMA Elements: HIP
HIP Handshake
[Figure: first packet, Initiator → Responder]
Simple packet, contains compressed (hashed) version of Host Identities
Opportunity for DoS attack (e.g. TCP SYN flood)
Slide 17
SMA Elements: HIP
HIP Handshake
[Figure: second packet, Responder → Initiator]
Reply with stock packet and cookie challenge (No state kept)
Contains:
1. Diffie-Hellman public value
2. Cookie puzzle
3. Encryption negotiation
4. Responder’s Host Identity
Is signed by Responder’s Host Identity
Slide 18
SMA Elements: HIP
HIP Handshake
[Figure: third packet, Initiator → Responder]
Initiator:
1. Solve cookie puzzle
2. Generate key material
Contains:
1. Diffie-Hellman public value
2. Cookie solution
3. Encryption negotiation
4. IPsec SPI
5. (Encrypted) Host Identity
6. (optional) piggybacked data
Is signed by Initiator’s Host Identity
Slide 19
SMA Elements: HIP
HIP Handshake
[Figure: fourth packet, Responder → Initiator]
Responder:
1. Validate cookie puzzle
2. Generate key material
3. Install IPsec SA
Contains:
1. IPsec SPI
2. (optional) piggybacked data
Is signed by Responder’s Host Identity
Slide 20
SMA Elements: HIP
HIP Handshake
[Figure: Initiator and Responder, IPsec SA installed on both sides]
Initiator: Install IPsec SA
All further packets in IPsec ESP envelope (Host Identity is implied by the SPI)
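Slides 16 through 19 turn on one mechanism: the cookie puzzle that lets the Responder answer the first packet with a stock reply and keep no state, so the flood opportunity noted on slide 16 costs the attacker more than the defender. The following is an added example, not code from the deck or from Boeing's HIP implementation, of that puzzle in Python. The Responder derives the nonce I from a secret, the two HITs and a coarse time slot, so it can later recognise a puzzle it issued without having stored it; the Initiator brute-forces J until the K low-order bits of SHA-1(I | HIT_I | HIT_R | J) are zero, which is the puzzle form of the HIP base exchange RFC. The HIT values, the secret, the 60-second slot and the HMAC derivation of I are assumptions; the Diffie-Hellman exchange and the Host Identity signatures on the packets are left out.

```python
"""HIP cookie puzzle: the stateless DoS defence behind handshake packets 2 and 3.
Added example; HITs, secret, slot length and nonce derivation are constructed."""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed sample HITs (128-bit). Real HITs are hashes of the peers' public keys.
HIT_I = bytes.fromhex("20010010aaaaaaaaaaaaaaaaaaaaaaaa")
HIT_R = bytes.fromhex("20010010bbbbbbbbbbbbbbbbbbbbbbbb")

PUZZLE_SLOT_SECONDS = 60   # assumed lifetime of an issued puzzle nonce I


def _low_bits_zero(i_nonce: bytes, hit_i: bytes, hit_r: bytes, j: int, k: int) -> bool:
    """Puzzle condition: the K low-order bits of SHA-1(I | HIT_I | HIT_R | J) are zero."""
    digest = hashlib.sha1(i_nonce + hit_i + hit_r + j.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << k) - 1) == 0


class Responder:
    """Keeps no per-initiator state between sending packet 2 and receiving packet 3."""

    def __init__(self, difficulty: int, secret: Optional[bytes] = None):
        self.k = difficulty                      # initiator pays about 2^k SHA-1 operations
        self.secret = secret or os.urandom(32)

    def _nonce_for(self, hit_i: bytes, hit_r: bytes, slot: int) -> bytes:
        # I is an HMAC over (HITs, time slot): recomputable on receipt, so nothing
        # has to be remembered while the initiator works on the puzzle.
        msg = hit_i + hit_r + slot.to_bytes(8, "big")
        return hmac.new(self.secret, msg, hashlib.sha1).digest()[:8]

    def challenge(self, hit_i: bytes, hit_r: bytes,
                  now: Optional[float] = None) -> Tuple[bytes, int]:
        """Packet 2: the cookie challenge (I, K). Cheap to produce, no state kept."""
        t = time.time() if now is None else now
        return self._nonce_for(hit_i, hit_r, int(t // PUZZLE_SLOT_SECONDS)), self.k

    def verify(self, hit_i: bytes, hit_r: bytes, i_nonce: bytes, j: int,
               now: Optional[float] = None) -> bool:
        """Packet 3: I must be one we issued recently for these HITs, and J must solve it."""
        t = time.time() if now is None else now
        slot = int(t // PUZZLE_SLOT_SECONDS)
        issued = any(hmac.compare_digest(i_nonce, self._nonce_for(hit_i, hit_r, s))
                     for s in (slot, slot - 1) if s >= 0)
        if not issued:
            return False      # forged, expired, or replayed against a different HIT pair
        return _low_bits_zero(i_nonce, hit_i, hit_r, j, self.k)


def solve(i_nonce: bytes, hit_i: bytes, hit_r: bytes, k: int) -> int:
    """Initiator side: brute-force the smallest J. This is the work the puzzle shifts onto the initiator."""
    j = 0
    while not _low_bits_zero(i_nonce, hit_i, hit_r, j, k):
        j += 1
    return j


def run_exchange(k: int = 12, now: float = 1_700_000_000.0) -> dict:
    """Packets 2 and 3 of the handshake: challenge, solve, verify, plus the rejections that matter."""
    r = Responder(k, secret=b"constructed-demo-secret")
    i_nonce, k = r.challenge(HIT_I, HIT_R, now)          # packet 2 carries (I, K)
    j = solve(i_nonce, HIT_I, HIT_R, k)                  # initiator burns CPU here
    return {
        "solution_ok": r.verify(HIT_I, HIT_R, i_nonce, j, now),
        "smaller_j_rejected": all(not r.verify(HIT_I, HIT_R, i_nonce, x, now) for x in range(j)),
        "stale_rejected": not r.verify(HIT_I, HIT_R, i_nonce, j, now + 3 * PUZZLE_SLOT_SECONDS),
        "swapped_hits_rejected": not r.verify(HIT_R, HIT_I, i_nonce, j, now),
        "work_factor_j": j,
    }


if __name__ == "__main__":
    print(run_exchange())
```

K is the Responder's knob: raising it under load makes every Initiator spend roughly 2^K hash operations before the Responder does anything expensive (Diffie-Hellman, signature checks, SA installation), which is what blunts a SYN-flood style attack on the first packet. Because I is bound to the HIT pair and a time slot, a solution cannot be reused against another responder identity or held back and replayed later.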
Slide 21
SMA Elements: HIP
Host Identity (HI) is a public/private key pair:
• Identity defined by holder of private key
• Public key used by others to authenticate control messages
SHA-1 hash of public key forms a “Host Identity Tag (HIT)”
- used where 128 bit fields are needed
- self-referential (i.e., HIT can be securely used instead of HI)
[Figure: packet layout: IP header | IPSec (ESP) header | Encrypted Header and Transport Payload. HIT is implied by the SPI value in the IPsec header. HIP incurs no per-packet overhead.]
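The slide says the HIT is the SHA-1 hash of the public key, cut to fit a 128-bit field, and that it is self-referential. An added example, not from the deck or from any HIP implementation, that takes the slide literally: HIT = the first 128 bits of SHA-1(HI), shown in IPv6 notation so it can occupy an address field, together with the check a peer must run when the full HI arrives later in the handshake: does this key actually hash to the tag that was named in the first packet? Later HIP RFCs changed the HIT encoding (an ORCHID prefix, other hash functions); that is not modelled. The key bytes are constructed, not real keys.

```python
"""Host Identity Tag (HIT) derived from a Host Identity (HI) public key.
Added example; HIT = SHA-1(HI)[:16] as the slide states. Key bytes are constructed."""
import hashlib
import hmac
import ipaddress


def hit_from_hi(hi_public_key: bytes) -> bytes:
    """128-bit tag: the leading 16 bytes of the SHA-1 digest of the public key."""
    return hashlib.sha1(hi_public_key).digest()[:16]


def hit_as_address(hit: bytes) -> str:
    """Render the tag the way it is used: as a 128-bit value in an IPv6-shaped field."""
    if len(hit) != 16:
        raise ValueError("HIT must be exactly 128 bits")
    return str(ipaddress.IPv6Address(hit))


def hi_matches_hit(claimed_hit: bytes, hi_public_key: bytes) -> bool:
    """Self-referential check: the HI presented in a later packet must hash to the
    HIT named in the first packet, otherwise a different key is being substituted."""
    return hmac.compare_digest(claimed_hit, hit_from_hi(hi_public_key))


# Constructed stand-ins for two hosts' public keys (arbitrary bytes, not real keys).
HI_HOST_A = b"CONSTRUCTED-HI-A:" + bytes(range(64))
HI_HOST_M = b"CONSTRUCTED-HI-M:" + bytes(range(64, 128))


def demo() -> dict:
    hit_a = hit_from_hi(HI_HOST_A)
    return {
        "hit_len_bits": len(hit_a) * 8,
        "address_form": hit_as_address(hit_a),
        "genuine_key_accepted": hi_matches_hit(hit_a, HI_HOST_A),
        "substituted_key_rejected": not hi_matches_hit(hit_a, HI_HOST_M),
    }


if __name__ == "__main__":
    print(demo())
```

The check in hi_matches_hit is what makes the tag "securely usable instead of the HI": anyone can name a HIT, but only the holder of the matching private key can later produce an HI that hashes to it and sign with it.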
Slide 22
SMA Elements: NDS
Slide 23
SMA Elements: NDS
Directory Information Flow
• Support for real-time endpoint mobility & location data
• Future integration with Boeing DNS and directory (CED, NAMS-ng) infrastructure
[Figure: inside the Enterprise Security Perimeter: Directory, Policy Decision Daemon, Location Server, DNS Proxy, Middleboxes; Clients outside the perimeter reach the Directory over SLDAP]
Slide 24
SMA Elements: NDS
Directory Schema
• Three separate LDAP root directories
  • People
    – Similar to CED/BLUES
  • Hosts
    – Similar to DNS host data
    – Includes Certificate and HIT and current Location
  • Policy
    – Currently Allowed/Not-Allowed location regions in building
Slide 25
SMA Elements: NDS
Two-Stage Client Provisioning
[Figure: Generic ISP Provisioning Process: Client ↔ 802.11 Access Point ↔ AAA Server, DHCP Server, DNS (step 1). Enterprise Provisioning Process: Client ↔ RA over SLDAP ↔ Directory over SLDAP (step 2).]
1) HardCert authentication for TempCert
2) Identity → IP Update in Directory
Slide 26
SMA Elements: LENS
Slide 27
SMA Elements: LENS
• Location Tracking
  • Identity associated with connections
    – So we already know the “who”, just need the “where”
  • Several competing wireless location technologies
    – Airespace
    – Pango
    – AeroScout
    – Wherenet
  • Confusion between 802.11 tracking and RFID tag tracking
    – We are focusing on 802.11 tracking including 802.11 active tags
• Location Services
  • Required E911 services
  • Smart services: Printing, paging, workflow tracking
  • Location policy enforcement
    – E.g., No wireless access outside of Boeing property line
Slide 28
SMA Elements: LENS
Location Architecture
[Figure: Boeing Intranet with a Passive Tag Gate, a Location Computation Server, a Location Distribution Server & Policy Directory, and a Location Requesting Client]
Slide 29
SMA Elements
Slide 30
Agenda
Slide 31
Demonstration Infrastructure
[Figure: Boeing Intranet Router to the 130.42.32.0/24 Subnet. On the subnet: DHCP, Airespace APs, TempCert RA, DNS, Location Server, Test RADIUS Server (33-12), Directory, AAA Server, LPDD, and the hosts smamobile1 and sma4 …]
DNS Namespace: mobile.tl.boeing.com
Slide 32
Demonstration
Two-Stage Provisioning Process
[Figure: ISP Provisioning Process: smamobile1 ↔ Airespace ↔ RADIUS, DHCP Server (step 1). Enterprise Provisioning Process, across the Security Perimeter: smamobile1 ↔ RA over SLDAP ↔ Directory over SLDAP, DNS (step 2).]
1) HardCert authentication for delegated TempCert
2) Identity → IP Update
Slide 33
Demonstration
Mobility Event
• Wireless client experiences address change
  • Address change forced by DHCP server for demo
  • Client auto-updates Directory/DNS with new IP
  • Client notifies existing SA peers using HIP READDR packets
  • Ssh from Windows to wireless client dies after address change
  • TELNET session data continues after address change
• Future:
  • Faster address change
  • Multi-homed clients
  • Anticipatory readdressing (802.11k)
  • Legacy client shim to support UDP “connections”
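The mobility event on this slide hinges on what each side of a connection is keyed by. An added example, not Boeing's demo code, models a peer with two tables: the IPsec SA table keyed by SPI (the HIT is implied by the SPI, as slide 21 puts it) and a legacy connection table keyed by the peer's IP address and port. A READDR from the mobile client updates the SA's locator and ESP keeps demultiplexing; the legacy entry has no update path, which is why the non-HIP ssh session on the slide dies while the HIP-protected session continues. The SPI, HIT, port and addresses on the page's 130.42.32.0/24 subnet are constructed test values; the READDR signature check is reduced to an authenticity flag.

```python
"""Why an SA keyed by SPI/HIT survives an address change while an IP-keyed connection does not.
Added example; SPI, HIT, ports and addresses are constructed. READDR authentication is abstracted."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SecurityAssociation:
    spi: int
    peer_hit: bytes
    peer_addr: str                         # current locator; identity is peer_hit, not this
    history: List[str] = field(default_factory=list)


class HipPeer:
    def __init__(self) -> None:
        self.sa_by_spi: Dict[int, SecurityAssociation] = {}   # inbound ESP demuxes on SPI
        self.legacy_conns: Set[Tuple[str, int]] = set()        # (addr, port): bound to the IP

    def install_sa(self, spi: int, peer_hit: bytes, peer_addr: str) -> None:
        self.sa_by_spi[spi] = SecurityAssociation(spi, peer_hit, peer_addr)

    def handle_readdr(self, peer_hit: bytes, new_addr: str, authentic: bool) -> int:
        """READDR: a peer announces a new locator for its identity. Honoured only when the
        message verified under the peer's Host Identity (signature check abstracted to a flag);
        an unauthenticated READDR would let anyone redirect the SA's traffic."""
        if not authentic:
            return 0
        moved = 0
        for sa in self.sa_by_spi.values():
            if sa.peer_hit == peer_hit:
                sa.history.append(sa.peer_addr)
                sa.peer_addr = new_addr
                moved += 1
        return moved

    def receive_esp(self, spi: int, src_addr: str) -> Optional[bytes]:
        """Inbound ESP: the identity comes from the SPI, so the source address may differ
        from the one seen at SA setup and the packet still maps to the same peer."""
        sa = self.sa_by_spi.get(spi)
        return None if sa is None else sa.peer_hit

    def receive_legacy(self, src_addr: str, src_port: int) -> bool:
        """Legacy transport state is keyed by address: a new source address is a stranger."""
        return (src_addr, src_port) in self.legacy_conns


def simulate_mobility_event() -> dict:
    peer = HipPeer()
    hit_mobile = bytes.fromhex("20010010cccccccccccccccccccccccc")          # constructed
    spi = 0x1A2B3C4D                                                        # constructed
    peer.install_sa(spi, hit_mobile, "130.42.32.17")
    peer.legacy_conns.add(("130.42.32.17", 51234))   # e.g. an ssh session carried without HIP

    # DHCP hands the client a new lease; it sends READDR and keeps sending ESP.
    peer.handle_readdr(hit_mobile, "130.42.32.88", authentic=True)
    forged = peer.handle_readdr(hit_mobile, "10.0.0.1", authentic=False)

    return {
        "esp_still_mapped": peer.receive_esp(spi, "130.42.32.88") == hit_mobile,
        "sa_locator": peer.sa_by_spi[spi].peer_addr,
        "sa_previous_locators": list(peer.sa_by_spi[spi].history),
        "legacy_survives": peer.receive_legacy("130.42.32.88", 51234),
        "forged_readdr_applied": forged,
    }


if __name__ == "__main__":
    print(simulate_mobility_event())
```

Two things a real implementation adds on top of the authenticity check: replay protection on READDR so an old, genuinely signed update cannot drag the SA back to a stale address, and a reachability check of the new locator before committing to it, so a signed-but-wrong address cannot be used to bounce the peer's traffic at a third party.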
Slide 34
Demonstration
Location Policy Enforcement
• Wireless client “moves” into disallowed location zone
  • Airespace location server not working
  • We simulate location changes today using prototype GUI
• Peer’s location policy enforcement
  • Peer’s PED sees new location in disallowed region
  • Peer deletes existing SA
  • Peer refuses new client SA requests from disallowed regions
  • Peer moves back into allowed region
    – SA automatically re-established
• Future
  • Improved location server capabilities
  • Middlebox policy enforcement (don’t depend on peers)
Slide 35
Demonstration
Rule-Based Policy Enforcement
• Simple case:
  • All connections associated with particular employee are invalidated
  • Manual “GUI” interface used for now
• Future:
  • Particular identities limited to particular connections
    – Factory Autonomous Wireless Devices (AWD’s)
    – Suppliers, vendors, guests/visitors
    – Machines not up-to-date with AV s/w only allowed to reach AV update server
• Limitations:
  – This only limits pair-wise peer connections
  – Does not address file-content limitations (e.g., ITAR documents)
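Slides 34 and 35 describe the same decision point from two angles: location regions from the Policy branch of the directory (slide 24), and rules attached to identities. An added example, not Boeing's PED, puts both into one policy decision daemon in Python: on a location update it tears down any SA whose endpoint is now in a disallowed region, refuses new SA requests from there, and admits the SA again once the endpoint is back in an allowed region; the rule side covers the slide's simple case (every connection of one employee invalidated) and its future cases (a machine behind on AV software may only reach the AV update server). It goes slightly beyond the slide in making the location check deny-by-default, so a point outside every listed region is treated as disallowed. Regions are axis-aligned rectangles in building coordinates; region names, coordinates, the AV server name and the identities are constructed (the host names smamobile1 and sma4 are the ones from the demo slides).

```python
"""Peer-side policy decision daemon: location regions plus per-identity rules.
Added example; regions, coordinates, identities and the AV server name are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Point = Tuple[float, float]


@dataclass(frozen=True)
class Region:
    name: str
    x0: float
    y0: float
    x1: float
    y1: float
    allowed: bool          # Allowed / Not-Allowed region, as in the directory's Policy branch

    def contains(self, p: Point) -> bool:
        return self.x0 <= p[0] <= self.x1 and self.y0 <= p[1] <= self.y1


class PolicyDecisionDaemon:
    def __init__(self, regions: List[Region], av_update_server: str) -> None:
        self.regions = regions
        self.av_update_server = av_update_server
        self.location: Dict[str, Point] = {}         # identity -> last reported point
        self.av_stale: Set[str] = set()               # identities behind on AV software
        self.revoked: Set[str] = set()                # identities whose connections are invalidated
        self.sas: Set[Tuple[str, str]] = set()        # (identity, peer) SAs currently installed
        self.log: List[str] = []

    def location_allowed(self, p: Optional[Point]) -> bool:
        """Deny by default: unknown location, no matching region, or any matching
        not-allowed region all mean 'disallowed'."""
        if p is None:
            return False
        matches = [r for r in self.regions if r.contains(p)]
        return bool(matches) and all(r.allowed for r in matches)

    def permits(self, identity: str, peer: str) -> bool:
        if identity in self.revoked:
            return False
        if identity in self.av_stale and peer != self.av_update_server:
            return False
        return self.location_allowed(self.location.get(identity))

    def _enforce(self) -> None:
        """Re-evaluate every installed SA after any policy-relevant event."""
        for sa in sorted(self.sas):
            if not self.permits(*sa):
                self.sas.discard(sa)
                self.log.append(f"deleted SA {sa}")

    # Events from the location server, the directory, or the admin GUI.
    def on_location(self, identity: str, p: Point) -> None:
        self.location[identity] = p
        self._enforce()

    def on_revoke(self, identity: str) -> None:
        self.revoked.add(identity)
        self._enforce()

    def on_av_status(self, identity: str, up_to_date: bool) -> None:
        if up_to_date:
            self.av_stale.discard(identity)
        else:
            self.av_stale.add(identity)
        self._enforce()

    def request_sa(self, identity: str, peer: str) -> bool:
        """Admission decision for a new SA request from identity to peer."""
        ok = self.permits(identity, peer)
        if ok:
            self.sas.add((identity, peer))
        self.log.append(f"{'accepted' if ok else 'refused'} SA {(identity, peer)}")
        return ok


def demo_scenario() -> dict:
    ped = PolicyDecisionDaemon(
        regions=[Region("office-floor", 0, 0, 100, 50, allowed=True),
                 Region("parking-lot", 100, 0, 200, 50, allowed=False)],
        av_update_server="avupdate")
    out = {}
    ped.on_location("smamobile1", (10, 10))
    out["sa_in_office"] = ped.request_sa("smamobile1", "sma4")
    ped.on_location("smamobile1", (150, 20))                      # walks into the lot
    out["sa_after_move"] = ("smamobile1", "sma4") in ped.sas
    out["new_sa_refused"] = not ped.request_sa("smamobile1", "sma4")
    ped.on_location("smamobile1", (20, 20))                       # back inside
    out["sa_reestablished"] = ped.request_sa("smamobile1", "sma4")
    ped.on_av_status("smamobile1", up_to_date=False)
    out["stale_av_only_updates"] = (("smamobile1", "sma4") not in ped.sas
                                    and ped.request_sa("smamobile1", "avupdate"))
    ped.on_revoke("smamobile1")
    out["revoked_all_gone"] = not any(i == "smamobile1" for i, _ in ped.sas)
    return out


if __name__ == "__main__":
    print(demo_scenario())
```

The boundary case is worth noting: a point on the shared edge (x = 100) matches both regions, and because one of them is not-allowed the check fails, which is the safe reading of overlapping directory entries. The slide's own limitation still holds: this decides pair-wise SAs only and says nothing about what content flows inside an admitted SA.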
Slide 36
Agenda
Slide 37
Application to Boeing Enterprise
Advantages
• Secure, identity-based client-to-client communications
  • Allows moving most hosts outside of security perimeter
  • Office/home/Starbucks connections essentially identical
• Backwards compatible
  • Works within existing IP network and routing architecture
  • Non HIP-aware hosts could still be allowed, depending on network policy
• Mobile
  • HIP’s multi-homing capability allows hosts to seamlessly cross subnet boundaries or even wireless domains (802.11, cellular, etc.)
  • Key enabler for VOIP over WLAN (“VoWLAN”)
    – High-speed roaming across subnets and network domains
    – Inexpensive IP telephony for the factory
Slide 38
Application to Boeing Enterprise
Advantages (Cont.)
• Network-based policy enforcement using middleboxes
  • Allows connectivity limits using identity, not IP or MAC
    – Smarter, easier to manage than ACL’s
  • Allows special policies/limitations for classes of hosts/users
    – AWD’s like printers, machine tools, etc.
    – Users like vendors, suppliers, guests
• Delegatable authorization through PKI
  • Supervisor can set up new AWD machine tool on network with predefined limited access
    – No NCC interaction required
  • Cross-trust relationships with vendors, suppliers, DoD, etc. automatically reflected in network policy
• Works seamlessly across IPv4 ↔ IPv6 connections
  • Applications use DNS namespace for connections, not IP addresses
Slide 39
Application to Boeing Enterprise
Challenges
• Bringing HIP into IETF Standards track
  • Much depends on success of early adopters
• Integrating SMA architecture into Boeing Enterprise
  • Affects Directory Services, Perimeter Security, Wireless Services, NAMS[ng], etc.
  • Windows modules would have to be included in standard computing images
  • Backwards compatibility hardware needed for legacy equipment
• Scalability
  • DNS/Directory query traffic
    – Publish/Subscribe architecture for location & PDP/PEP?
    – Reverse lookups
  • Rendezvous Server implementation
  • NAT support
Slide 40
Agenda
Slide 41
CY’05 Plans
• Development Activities
  • Integration of Windows HIP client
  • Preliminary implementation of new HIP API
  • Legacy API shim for Windows and Linux platforms
  • Publish/subscribe architecture for directory changes
  • SIM-chip-based wireless bridge device prototype for AWD’s
  • Prototype middlebox for network policy enforcement
• Pilot SMA evaluations in Bellevue and Everett
• Move to production DNS namespace (mobile.boeing.com)
• 802.11 Location services interoperating with Cisco infrastructure (probably Aeroscout)
• Security review and buy-off for external access
• Detailed business case development and analysis
Slide 42
Q&A