
University of Murcia (Spain)

The UMU-PBNM

Antonio F. Gomez Skarmeta, Gregorio Martínez
<skarmeta, [email protected]>
University of Murcia, SPAIN

Agenda

Objective and Proposed Architecture

The UMU-PKIv6

UMU-PBNM Design

UMU-PBNM Implementation

Analysis of VPNs over IPv6

References

University of Murcia (Spain)

Objective and Proposed Architecture

UMU-PBNM Main Objective: design and set up a security framework to manage distributed communication systems using the PBNM paradigm.

Features: flexible; secure; service- and application-independent; standards-based; IP-based.

In collaboration with UCL-CS.

Proposed Architecture (figure). Blocks shown: Trust Management System, Policy Management Framework, Network Layer Security Services, Cryptographic Middleware, Java Card, IPsec Security Services, Policy Language, UMU-PKIv6, UMU-PBNM (Policy Console, PMT, PDP, PEP).

University of Murcia (Spain)

The UMU-PKIv6

UMU-PKIv6 Description

Main Objective: to establish a high security infrastructure for distributed systems.

Main Features:
PKI supporting the IPv6 protocol
Developed in Java, running on every Operating System
Issue, renew and revoke certificates for every entity belonging to one organisation
Final users can use either RAs or Web browsers to make their own certification operations
LDAPv6 directory support

UMU-PKIv6 Description (II)

Main Features (II):
Use of smart cards (file system, RSA or Java Cards), allowing user mobility and increasing security
PKI Certification Policy (CPS) support
VPN devices certification support (using the SCEP protocol)
Support for the OCSP protocol and Time Stamp
Web Administration
Supports DNSsec
Used in both Euro6IX and 6NET projects (cross-certification)

UMU-PKIv6 Architecture (figure)

Components: WWW Secure Request Server, Data Base, LDAP, DNSsec, End User, Certification Authority, Registration Authority (several), Administrator, VPN Device.
Connections: IPv6 SSL connection, IPv6 plain connection, SCEP over IPv6 (between the VPN Device and the PKI).

UMU-PKIv6 Architecture (II) (figure)

Components: Certification Authority, OCSP Responder, Time Stamping Responder, Time Stamp Server, OCSP Server, TSP Client, OCSP Client, Certificate.
TSP Message: msg_hash (sent by the TSP Client), time stamp (returned by the Time Stamp Server).
OCSP Message: cert serial number (sent by the OCSP Client), status (returned by the OCSP Server).
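The two exchanges in this figure, written out as an added example in Python; this is not code from the presentation or from UMU-PKIv6. It models what each message carries (an OCSP request names a certificate serial number and the response reports its status; a TSP request carries only the message hash and the token binds that hash to a time) and the checks a client makes before trusting a reply: the responder's signature, the nonce and serial matching the request, freshness, and that the token covers the document actually in hand. Assumptions: HMAC with a shared key stands in for the responders' RSA signatures so the example runs with the standard library only; the serial numbers, keys, nonce and clock values are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample data (hypothetical serial numbers): certificates the CA
# has issued and the subset it has revoked, as published to its OCSP responder.
ISSUED_SERIALS = {0x1A2B, 0x3C4D}
REVOKED_SERIALS = {0x1A2B: "keyCompromise"}

# Assumption: responders authenticate replies with an HMAC key shared with the
# clients. A real PKI signs with the responder's private key; HMAC stands in
# here so the example needs nothing beyond the standard library.
OCSP_RESPONDER_KEY = b"constructed-ocsp-responder-key"
TSA_KEY = b"constructed-time-stamp-authority-key"
MAX_RESPONSE_AGE = 300  # seconds a client accepts an OCSP status as fresh


def _sign(key: bytes, body: dict) -> str:
    """HMAC-SHA256 over the canonical JSON encoding of the message body."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def _verify(key: bytes, body: dict, signature: str) -> bool:
    return hmac.compare_digest(_sign(key, body), signature)


# OCSP-style exchange: request names a certificate serial number, the
# response reports that certificate's status.
def ocsp_request(serial: int, nonce: str) -> dict:
    return {"cert_serial": serial, "nonce": nonce}


def ocsp_responder(request: dict, now: int) -> dict:
    serial = request["cert_serial"]
    if serial not in ISSUED_SERIALS:
        status = "unknown"          # never issued by this CA
    elif serial in REVOKED_SERIALS:
        status = "revoked"
    else:
        status = "good"
    body = {"cert_serial": serial, "status": status,
            "nonce": request["nonce"], "produced_at": now}
    return {"body": body, "signature": _sign(OCSP_RESPONDER_KEY, body)}


def ocsp_check(serial: int, client_now: int, responder_now: int,
               nonce: str = "constructed-nonce") -> str:
    """Client side: send the request, validate the reply, return the status."""
    response = ocsp_responder(ocsp_request(serial, nonce), responder_now)
    body = response["body"]
    if not _verify(OCSP_RESPONDER_KEY, body, response["signature"]):
        raise ValueError("OCSP response signature does not verify")
    if body["nonce"] != nonce or body["cert_serial"] != serial:
        raise ValueError("OCSP response does not match the request (replay?)")
    if client_now - body["produced_at"] > MAX_RESPONSE_AGE:
        raise ValueError("OCSP response is stale")
    return body["status"]


# TSP-style exchange: the client sends only a hash of the document; the Time
# Stamp Server returns a signed token binding that hash to a time.
def tsp_request(document: bytes) -> dict:
    return {"msg_hash": hashlib.sha256(document).hexdigest(),
            "hash_alg": "sha256"}


def time_stamp_server(request: dict, now: int) -> dict:
    body = {"msg_hash": request["msg_hash"], "hash_alg": request["hash_alg"],
            "time_stamp": now}
    return {"body": body, "signature": _sign(TSA_KEY, body)}


def tsp_verify(token: dict, document: bytes) -> int:
    """Client side: check the token is genuine and covers this document."""
    body = token["body"]
    if not _verify(TSA_KEY, body, token["signature"]):
        raise ValueError("time-stamp token signature does not verify")
    if body["msg_hash"] != hashlib.sha256(document).hexdigest():
        raise ValueError("time-stamp token does not cover this document")
    return body["time_stamp"]


if __name__ == "__main__":
    print(ocsp_check(0x3C4D, client_now=1000, responder_now=1000))  # good
    print(ocsp_check(0x1A2B, client_now=1000, responder_now=1000))  # revoked
    token = time_stamp_server(tsp_request(b"contract text"), now=1700000000)
    print(tsp_verify(token, b"contract text"))                       # 1700000000
```

The nonce and the `produced_at` check are what stop a captured "good" answer from being replayed after the certificate is revoked; the hash comparison in `tsp_verify` is what makes a time-stamp token worthless for any document other than the one that was hashed.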

University of Murcia (Spain)

UMU-PBNM Design

Overall design (figure). Labels shown: Policy Console, PMT, PDP, PEP, Network Nodes, Network Node (PEP), COPS Server, PSIP Client/Server, Network Monitoring, Decision Taking, Policy Enforcement Point (PEP), Policy Decision Point (PDP), PEP Monitoring, PSIP, COPS.

PDP internals (figure). Labels shown: UMU-PKIv6, PMT, Policy DB, PEPs DB, Certificate Validation, Config., Policy Adaptation, Cryptography Management, PDP, PSIP, OCSP, LDAP.

Policy Management Process (figure). Numbered steps 1 to 7 among: Policy Console, PEP, PMT/PDP, Primary PMT, PDP, Network Node (with PEP), Network Node.

Monitoring Process (figure). Numbered steps 1 to 4 among: Policy Console, PEP, PMT/PDP, Primary PMT, PDP, Network Node (with PEP), Network Node.

University of Murcia (Spain)

UMU-PBNM Implementation

Relevant Implementation Issues

Policy Console: Web Browser; Microsoft CSP (Cryptographic Service Provider)
PMT: Assistant module to define new policies; managing and storing XML policy documents according to one XML schema
PDP and PEP: using COPS and COPS-PR from Vocal 1.5; new S-Type for XML (and XML Path) added
PEP-Network Node interaction: VPN ETool

University of Murcia (Spain)

Analysis of VPNs over IPv6

IPsec/IKE Solutions Analyzed

Open-Source Solutions: FreeS/WAN 1.91 with IPv6 support v0.2 (Linux); USAGI Stable Release 4 (Linux); KAME, integrated in FreeBSD 4.6 (FreeBSD)
Commercial Solutions: Microsoft IPv6 (Windows XP); Solaris 9; 6WIND 6200 Edge Device

Designed Evaluation Plan

Objective: evaluate IPv6 IPsec/IKE interoperability and conformance
Background: TAHI Project (http://www.tahi.org), but with different objectives: given a scenario, which is/are the most suitable implementation/s?
Work items: Interoperability tests; Test scenarios; Test suite; Final reports; Configuration and installation guides; Test reports

Designed Test Scenarios

Scenarios Used for Testing (figure). Elements: Host-1, Host-2, Host-3, Secure Gateway-1 and Router-2, joined by Ethernet segments. Security associations shown: AH/ESP Tunnel and AH/ESP Transport.

Addressing:
Net2 (2001:0720:1710:22::/64): Host-1 Eth0 2001:0720:1710:22::11; Router-2 Eth1 2001:0720:1710:22::2
Net3 (2001:0720:1710:23::/64): Secure Gateway-1 Eth0 2001:0720:1710:23::1; Router-2 Eth0 2001:0720:1710:23::2
Net4 (2001:0720:1710:24::/64): Host-2 Eth0 2001:0720:1710:24::11; Host-3 Eth0 2001:0720:1710:24::12; Secure Gateway-1 Eth1 2001:0720:1710:24::1

Example Test Scenario: Secure Gateway To Secure Gateway

Elements involved in the Scenario:
End Hosts: normal PC (1 GHz CPU, 128 MB of Memory) connected to a 10 Mbps Ethernet network
Secure Gateways: PC Routers, normal PC (1 GHz CPU, 128 MB of Memory) connected to a 10 Mbps Ethernet network; 6WIND 6200 Edge Router connected to a 10 Mbps Ethernet network
Router: CISCO 2600 connected to a 10 Mbps Ethernet network

Things to measure:
Duration of the IKE negotiation (modified daemons)
RTT

Example Test Scenario (II)

Secure Gateway To Secure Gateway with ESP in Tunnel Mode

IPsec Implementations (SG 1 / SG 2)   ESP Tunnel   AH Tunnel   AH Transport to ESP Tunnel mode   IPsec Tunnel to IPsec Tunnel mode
FreeS/WAN / FreeS/WAN                 support      support     --                                --
KAME / KAME                           support      support     support                           support
Windows / Windows                     --           --          --                                --
Solaris / Solaris                     --           --          --                                --
6WIND / 6WIND                         support      support     support                           support
FreeS/WAN / KAME                      support      support     --                                --
FreeS/WAN / Windows                   --           --          --                                --
FreeS/WAN / Solaris                   --           --          --                                --
FreeS/WAN / 6WIND                     support      support     --                                --
KAME / Windows                        --           --          --                                --
KAME / Solaris                        --           --          --                                --
KAME / 6WIND                          support      support     support                           support
Windows / Solaris                     --           --          --                                --
Windows / 6WIND                       --           --          --                                --
Solaris / 6WIND                       --           --          --                                --

Results: Duration of IKE Negotiation

IKE Negotiation (chart; vertical axis 0 to 1.200). Series: [PSKey] KAME; [PSKey] FreeS/WAN; [PSKey] KAME – F; [PSKey] 6WIND – K; [Cert] KAME; [Cert] 6WIND – K.

Results: RTT

RTT (chart; vertical axis: rtt increase (%), 0 to 25; horizontal axis: IPSec Solution). Groups and series:
Static Keys (3DES-CBC): KAME; 6WIND – K
Static Keys (3DES-CBC, HMAC_MD5): KAME; 6WIND – K
Pre-shared Keys (3DES-CBC, HMAC_MD5): KAME; FreeS/WAN; K – F; 6WIND – K
Certificates (3DES-CBC, HMAC_MD5): KAME; 6WIND – K

Results: Conclusions

Duration of the IKE Negotiation:
Use of certificates does not add much delay
Interoperability (a different implementation at each end) implies a strong increase

RTT:
Using authentication increases the RTT only slightly
The use of IPsec increases the RTT by 15-20%

But ... the implementations are still far from being mature

University of Murcia (Spain)

References

Basic References

UMU-PKIv6 - Public Key Infrastructure with IPv6 support: https://eriador.dif.um.es/ , https://pippin.dif.um.es/
VPN Enforcement Tool: https://shire.dif.um.es/
UMU-Policy Management Tool (old version of the IPsec Policy Schema): https://shire.dif.um.es/pmtool/
