Secure Mobile Architecture
Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.
Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.11.
Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures <http://ieee802.org/guides/bylaws/sb-bylaws.pdf>, including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair <[email protected]> as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802.11 Working Group. If you have questions, contact the IEEE Patent Committee Administrator at <[email protected]>.
Date: 2005-03-13
Authors:
Name: Richard Paine; Company: Boeing; Phone: 206-854-8199; email: [email protected]
May 2005 doc.: IEEE 802.11-05/0373r0
Richard Paine, Boeing. Slide 1. Submission
NGI_SMA_Demoslides-rev7.ppt | 12/6/2004 | BOEING is a trademark of Boeing Management Company. Copyright © 2004 Boeing. All rights reserved.
Slide 2: SMA Demonstration, Dec. 2004
SMA Demo Team, Math & Computing Technologies
NGI_SMA_DemoSlides Apr 19, 2023 | 3
Boeing Technology | Phantom Works
Copyright © 2004 Boeing. All rights reserved.
E&IT | Mathematics and Computing Technology
Slide 3: Agenda
• Video Introduction
• Motivation and Problem Statement
• Overview of SMA Components
  – PKI, HIP, NDS, LENS
• Demonstration
  – Component overview
  – Provisioning
  – Mobility (IP Address change)
  – Location-based Policy enforcement
  – Rule-based policy enforcement
• Application to Boeing Enterprise
• CY’05 plans
• Q & A
Slide 5: What is “SMA”?
Secure: Cryptographic identities are associated with each and every packet.
Mobile: Mobility-driven address changes transparent to applications & connections.
Architecture: Significantly improves our Enterprise network architecture by providing:
• Improved flexibility and agility
• Network-enforced, end-to-end security
• Centralized access control with delegated authority
• Reduced operational cost and complexity
• Uniform internal/external access method
Slide 6: So what is the problem?
• Cost and complexity of managing current network infrastructure is quickly becoming unmanageable
• We have a growing need for flexibility, mobility and user diversity
• We are quickly becoming an ISP for our suppliers, vendors and customers
– How do we affordably enforce AAA requirements for this diverse population?
• Wireless networking is revolutionizing our factory and office environments
– How do we support the needs of emerging e-enabled factories, products, and mobile workers?
• We need a secure, agile network infrastructure that can quickly adapt to new requirements and emerging network technologies.
Slide 7: Agenda
• Video Introduction
• Motivation and Problem Statement
• Overview of SMA Elements
  – PKI, HIP, NDS, LENS
• Demonstration
  – Component overview
  – Provisioning
  – Mobility (IP Address change)
  – Location-based Policy enforcement
  – Rule-based policy enforcement
• Application to Boeing Enterprise
• CY’05 plans
• Q & A
Slide 8: SMA Elements
PKI: Public Key Infrastructure
HIP: Host Identity Protocol
NDS: Network Directory Services
LENS: Location-Enabled Network Services
PKI + HIP + NDS + LENS = SMA: Secure Mobile Architecture
Slide 10: SMA Elements: PKI
• Boeing has begun deployment of a PKI using
  – A hierarchical trust chain of x.509 certificates
  – “Server”, “Personal” and “SecureBadge” certificates
• Certificates contain:
  – Identity (user, machine, etc.)
  – Public Key
  – Cryptographic signature by trusted authority
• Private Key:
  – Holder is “owner” of certificate identity
  – Usually protected by a password or PIN
• Soft Certificates (“SoftCerts”):
  – File-based private key
• Hard Certificates (“HardCerts”):
  – Private key on hardware token (Smartcard, SIM, etc.)
  – Signing/decrypting done with on-board computing resources
Slide 11: SMA Elements: PKI
• HardCert advantages
  – Difficult to subvert or duplicate
  – Portable — user can carry token between computers
• HardCert disadvantages
  – Limited on-board computing speed and communications
• Use “TempCerts” to bridge this gap:
  – A SoftCert with delegated, short time-validity
  – Issued to a user/machine after HardCert authentication
• Advantages
  – Reduced exposure to SoftCert subversion/duplication
  – SoftCert performance (needed for HIP security associations)
  – Quickly installable/removable on “shared devices”
  – Useful in “factory tool room” type shared device domain
Slide 12: SMA Elements: PKI. TempCert Provisioning Process
Diagram (text rendering): the Client holds a Badgecert and receives a Tempcert; it reaches the RA through an SSL/TLS tunnel; the RA is backed by the Boeing PKI and SLDAP.
1) Badge used for Client Auth; TempCert request sent to RA
2) RA issues TempCert
3) Client has TempCert available for up to 8 hours
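The three-step issuance above, as an added Go example that is not code from the deck or from Boeing's RA: a stand-in PKI root, the RA issuing a TempCert after the badge authentication (assumed already completed), and the relying-party check that a TempCert chains to the PKI and was never issued for longer than the 8-hour ceiling. The root, the CommonName values and the use of ECDSA keys are assumptions; the deployment's certificate profile is not on the slides.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// MaxTempCertLife is the ceiling slide 12 gives for a TempCert ("up to 8 hours").
const MaxTempCertLife = 8 * time.Hour

// issue signs a certificate for pub under parent with parentKey. When parent is
// the template itself the result is self-signed (our stand-in PKI root).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewDemoPKI creates a self-signed root standing in for the Boeing PKI and
// returns the key the RA signs TempCerts with (here the root key, an assumption).
func NewDemoPKI() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA (constructed)"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	root, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return root, key, err
}

// IssueTempCert is step 2 of the slide: after the badge (HardCert) has
// authenticated the client, the RA issues a short-lived client certificate
// whose private key is file-based, i.e. a SoftCert with delegated validity.
func IssueTempCert(root *x509.Certificate, raKey *ecdsa.PrivateKey, user string, life time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    now,
		NotAfter:     now.Add(life),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := issue(tmpl, root, &key.PublicKey, raKey)
	return cert, key, err
}

// AcceptTempCert is the relying party's check (step 3): the certificate chains
// to the PKI root, is valid for client authentication at the given time, and was
// never issued for longer than the TempCert ceiling. The lifetime check is what
// keeps a long-lived SoftCert from passing as a TempCert.
func AcceptTempCert(cert, root *x509.Certificate, at time.Time) error {
	if cert.NotAfter.Sub(cert.NotBefore) > MaxTempCertLife {
		return errors.New("certificate lifetime exceeds the TempCert ceiling")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}
```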
Slide 14: SMA Elements: HIP. HIP Overview
• Background
  – Original concept developed by Bob Moskowitz
  – Currently exists as IETF “Experimental RFC”
  – Boeing heavily involved in RFC development
    · Linux implementation released as Open Source
    · Windows implementation soon to be released
  – Other major players: Cisco, Ericsson, NEC, Siemens, NTT DoCoMo, universities
• HIP provides opportunistic pair-wise SAs
  – Somewhat like IPSec
  – Client Cert retrieved from DNS or LDAP directory
  – SA based on identity, not IP address
  – SA established/managed by an IP control channel
  – SA data flows through ESP-IP packets
  – Mobility events handled in IP stack via HIP READDR packets
Slide 15: SMA Elements: HIP. HIP-Enabled Secure Communications
Diagram (text rendering): Initiator and Responder hosts have the same layering.
• User space: Application, HIP Daemon, Key Engine
• Kernel space: IP Stack with IPSec
• Socket interfaces between the two: PF_INET, PF_KEY, PF_RAW
• HIP Handshake: carried between the hosts' HIP Daemons
• IPSec ESP Data: carried between the hosts' IP stacks, identified by SPI, not IP Address
Slide 16: SMA Elements: HIP. HIP Handshake, step 1
Initiator → Responder: I1 packet
• Simple packet, contains compressed (hashed) version of Host Identities
• Annotation on the slide: opportunity for DoS attack (e.g. TCP SYN flood)
Slide 17: SMA Elements: HIP. HIP Handshake, step 2
Responder → Initiator: R1 packet
• Reply with stock packet and cookie challenge (No state kept)
• Contains:
  1. Diffie-Hellman public value
  2. Cookie puzzle
  3. Encryption negotiation
  4. Responder’s Host Identity
• Is signed by Responder’s Host Identity
Slide 18: SMA Elements: HIP. HIP Handshake, step 3
Initiator → Responder: I2 packet
• Initiator first: 1. Solve cookie puzzle; 2. Generate key material
• Contains:
  1. Diffie-Hellman public value
  2. Cookie solution
  3. Encryption negotiation
  4. IPsec SPI
  5. (Encrypted) Host Identity
  6. (optional) piggybacked data
• Is signed by Initiator’s Host Identity
Slide 19: SMA Elements: HIP. HIP Handshake, step 4
Responder → Initiator: R2 packet
• Responder first: 1. Validate cookie puzzle; 2. Generate key material; 3. Install IPsec SA
• Contains:
  1. IPsec SPI
  2. (optional) piggybacked data
• Is signed by Responder’s Host Identity
Slide 20: SMA Elements: HIP. HIP Handshake, complete
• After I1, R1, I2 and R2: Install IPsec SA (Initiator side, on receipt of R2)
• All further packets in IPsec ESP envelope (Host Identity is implied by the SPI)
Slide 21: SMA Elements: HIP. Packet layout and Host Identity
Packet layout: IP header | IPSec (ESP) | Encrypted Header and Transport Payload
Host Identity (HI) is a public/private key pair:
• Identity defined by holder of private key
• Public key used by others to authenticate control messages
• SHA-1 hash of public key forms a “Host Identity Tag (HIT)”
  – used where 128 bit fields are needed
  – self-referential (i.e., HIT can be securely used instead of HI)
• HIT is implied by the SPI value in the IPsec header
• HIP incurs no per-packet overhead
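The exchange on slides 16 to 20 together with the HIT definition on slide 21, as an added Go example that is not code from the deck or from Boeing's HIP implementation: it shows the part that makes R1 safe to send without keeping state, the cookie puzzle, from HIT derivation through the responder's check on I2. Assumptions: Ed25519 stands in for the RSA/DSA Host Identity, the puzzle nonce I is an HMAC of both HITs under a responder secret (one of the stateless constructions the HIP base specification permits), and the Diffie-Hellman value, encryption negotiation and SPI parameters of the real packets are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

// HIT is the 128-bit Host Identity Tag: SHA-1 of the Host Identity public key,
// truncated to 16 bytes (slide 21).
func HIT(pub ed25519.PublicKey) []byte {
	sum := sha1.Sum(pub)
	return sum[:16]
}

// R1 is the responder's stock reply to an I1 (slide 17): the puzzle, the
// responder's Host Identity, and a signature by that identity.
type R1 struct {
	I   []byte            // puzzle nonce
	K   uint              // difficulty: low K bits of the puzzle hash must be 0
	HI  ed25519.PublicKey // responder Host Identity (Ed25519 stands in for RSA/DSA)
	Sig []byte
}

// Responder holds only long-term material: its Host Identity, a puzzle secret
// and the current difficulty. Nothing per-initiator exists before a valid I2.
type Responder struct {
	priv   ed25519.PrivateKey
	secret []byte
	K      uint
}

func NewResponder(K uint) (*Responder, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	return &Responder{priv: priv, secret: secret, K: K}, nil
}

func (r *Responder) hit() []byte { return HIT(r.priv.Public().(ed25519.PublicKey)) }

// puzzleNonce derives I from the secret and both HITs, so on I2 the responder
// re-derives I instead of remembering which nonce it handed to whom.
func (r *Responder) puzzleNonce(hitI []byte) []byte {
	m := hmac.New(sha1.New, r.secret)
	m.Write(hitI)
	m.Write(r.hit())
	return m.Sum(nil)[:8]
}

func r1Body(I []byte, K uint) []byte { return append(append([]byte{}, I...), byte(K)) }

// OnI1 answers an I1 (which carries only the hashed identities) with an R1.
func (r *Responder) OnI1(hitI []byte) R1 {
	I := r.puzzleNonce(hitI)
	hi := r.priv.Public().(ed25519.PublicKey)
	return R1{I: I, K: r.K, HI: hi, Sig: ed25519.Sign(r.priv, r1Body(I, r.K))}
}

// PuzzleOK is the HIP cookie test: Ltrunc(SHA-1(I | HIT-I | HIT-R | J), K) == 0.
func PuzzleOK(I, hitI, hitR []byte, J uint64, K uint) bool {
	var jb [8]byte
	binary.BigEndian.PutUint64(jb[:], J)
	h := sha1.New()
	h.Write(I)
	h.Write(hitI)
	h.Write(hitR)
	h.Write(jb[:])
	low := binary.BigEndian.Uint64(h.Sum(nil)[12:]) // last 64 bits of the digest
	return low&(uint64(1)<<K-1) == 0
}

// SolvePuzzle is the initiator's side of slide 18, step 1: verify the R1
// signature, then search J (about 2^K hashes, against one for the responder).
func SolvePuzzle(r1 R1, hitI []byte) (uint64, error) {
	if !ed25519.Verify(r1.HI, r1Body(r1.I, r1.K), r1.Sig) {
		return 0, errors.New("R1 not signed by the responder's Host Identity")
	}
	hitR := HIT(r1.HI)
	for J := uint64(0); ; J++ {
		if PuzzleOK(r1.I, hitI, hitR, J, r1.K) {
			return J, nil
		}
	}
}

// OnI2 is slide 19, step 1: re-derive I and validate the solution against the
// responder's own K (never a K echoed by the initiator) before any SA is built.
func (r *Responder) OnI2(hitI []byte, J uint64) bool {
	return PuzzleOK(r.puzzleNonce(hitI), hitI, r.hit(), J, r.K)
}
```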
Slide 23: SMA Elements: NDS
• Support for real-time endpoint mobility & location data
• Future integration with Boeing DNS and directory (CED, NAMS-ng) infrastructure
Directory Information Flow (diagram components): Enterprise Security Perimeter; Directory; DNS/DDNS; DNS Proxy; Location Server; Policy Decision Daemon; Middleboxes; SLDAP Client; Client.
Slide 24: SMA Elements: NDS. Directory Schema
• Three separate LDAP root directories
  – People: similar to CED/BLUES
  – Hosts: similar to DNS host data; includes Certificate and HIT and current Location
  – Policy: currently Allowed/Not-Allowed location regions in building
Slide 25: SMA Elements: NDS. Two-Stage Client Provisioning
Generic ISP Provisioning Process (diagram components): Client; 802.11 Access Point; DHCP Server; AAA Server.
Enterprise Provisioning Process (diagram components): Client; RA (reached over TLS); Directory; DNS; SLDAP.
1) HardCert authentication for TempCert
2) Identity IP Update in Directory
Slide 27: SMA Elements: LENS
• Location Tracking
  – Identity associated with connections, so we already know the “who”, just need the “where”
  – Several competing wireless location technologies: Airespace, Pango, AeroScout, Wherenet
  – Confusion between 802.11 tracking and RFID tag tracking: we are focusing on 802.11 tracking including 802.11 active tags
• Location Services
  – Required E911 services
  – Smart services: Printing, paging, workflow tracking
  – Location policy enforcement (e.g., No wireless access outside of Boeing property line)
Slide 28: SMA Elements: LENS. Location Architecture
Diagram components: Location Computation Server; Directory; Location Distribution Server & Policy; Location Requesting Client; Passive Tag Gate; Boeing Intranet.
Slide 31: Demonstration Infrastructure
Diagram (text rendering) of the demo network:
• Router to the Boeing Intranet
• Subnet 130.42.32.0/24; DNS Namespace: mobile.tl.boeing.com
• Access points (AP, AP, AP, …) and an AAA Server
• Test RADIUS Server (33-12)
• Mobile hosts smamobile1 … sma4
• Servers: DHCP, Directory, DNS, Airespace, TempCert RA, Location Server, LPDD
Slide 32: Demonstration. Two-Stage Provisioning Process
ISP Provisioning Process (diagram components): smamobile1; AP, joined using WPA (EAP/TLS); DHCP Server; RADIUS.
Enterprise Provisioning Process (diagram components, inside the Security Perimeter): smamobile1; Airespace; RA (reached over TLS); Directory; DNS; SLDAP.
1) HardCert authentication for delegated TempCert
2) Identity IP Update
Slide 33: Demonstration: Mobility Event
• Wireless client experiences address change
  • Address change forced by DHCP server for demo
  • Client auto-updates Directory/DNS with new IP
  • Client notifies existing SA peers using HIP READDR packets
  • Ssh from Windows to wireless client dies after address change
  • TELNET session data continues after address change
• Future:
  • Faster address change
  • Multi-homed clients
  • Anticipatory readdressing (802.11k)
  • Legacy client shim to support UDP “connections”
Slide 34: Demonstration: Location Policy Enforcement
• Wireless client “moves” into disallowed location zone
  • Airespace location server not working
  • We simulate location changes today using prototype GUI
• Peer’s location policy enforcement
  • Peer’s PED sees new location in disallowed region
  • Peer deletes existing SA
  • Peer refuses new client SA requests from disallowed regions
  • Peer moves back into allowed region
    – SA automatically re-established
• Future
  • Improved location server capabilities
  • Middlebox policy enforcement: don’t depend on peers
Slide 35: Demonstration: Rule-Based Policy Enforcement
• Simple case:
  • All connections associated with particular employee are invalidated
  • Manual “GUI” interface used for now
• Future:
  • Particular identities limited to particular connections
    – Factory Autonomous Wireless Devices (AWD’s)
    – Suppliers, vendors, guests/visitors
    – Machines not up-to-date with AV s/w only allowed to reach AV update server
• Limitations:
  – This only limits pair-wise peer connections
  – Does not address file-content limitations (e.g., ITAR documents)
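As an added example (not part of the deck and not Boeing's SMA implementation), the Python sketch below models the peer-side policy enforcement daemon (PED) behaviour described on the location-policy and rule-based policy slides: a peer re-checks its security associations (SAs) when a client's location zone or an identity rule changes, tears down the ones that no longer pass, refuses new requests from disallowed zones, and re-admits the client once it is back in an allowed zone. The identity labels (smamobile1, sma4, employee-x, laptop-oldav, av-update-server), zone names and rules are constructed stand-ins; the `Policy` fields and the `sa_allowed`/`enforce` functions are assumptions of this example, not an SMA API.

```python
# Added example, not Boeing's SMA code: a peer-side policy enforcement daemon
# (PED) modelled on the location-based and rule-based enforcement slides.
# Identity labels stand in for HIP Host Identity Tags; all zones, rules and
# security associations (SAs) below are constructed for the example.
from dataclasses import dataclass, field

@dataclass
class Policy:
    disallowed_zones: set = field(default_factory=set)  # no SA from these zones
    invalidated: set = field(default_factory=set)       # revoked identities
    restricted: dict = field(default_factory=dict)      # identity -> allowed peers

def sa_allowed(policy, initiator, responder, zone):
    """May an SA initiator->responder exist while initiator is in `zone`?
    Returns (allowed, reason). Only explicitly disallowed zones are refused;
    an unknown zone (None) passes, a simplification of the slides' model."""
    if initiator in policy.invalidated:
        return False, "identity invalidated"
    if zone in policy.disallowed_zones:
        return False, "initiator in disallowed zone " + zone
    peers = policy.restricted.get(initiator)
    if peers is not None and responder not in peers:
        return False, "peer not permitted for restricted identity"
    return True, "ok"

def enforce(policy, sas, locations):
    """Re-check existing SAs after a location or rule change; the peer deletes
    every SA that no longer passes. Returns (kept, deleted-with-reason)."""
    kept, deleted = [], []
    for init, resp in sas:
        ok, why = sa_allowed(policy, init, resp, locations.get(init))
        if ok:
            kept.append((init, resp))
        else:
            deleted.append((init, resp, why))
    return kept, deleted

def demo():
    """The slide scenario: client moves into a disallowed zone, then back."""
    policy = Policy(disallowed_zones={"zone-restricted"},
                    invalidated={"employee-x"},
                    restricted={"laptop-oldav": {"av-update-server"}})
    sas = [("smamobile1", "sma4"), ("employee-x", "sma4"),
           ("laptop-oldav", "sma4"), ("laptop-oldav", "av-update-server")]
    loc = {"smamobile1": "zone-restricted", "laptop-oldav": "zone-ok"}
    kept, deleted = enforce(policy, sas, loc)      # three SAs torn down
    refused = sa_allowed(policy, "smamobile1", "sma4", "zone-restricted")[0]
    loc["smamobile1"] = "zone-ok"                  # client moves back
    readmit = sa_allowed(policy, "smamobile1", "sma4", loc["smamobile1"])[0]
    return kept, deleted, refused, readmit
```

As the slide's limitations note, this only decides pair-wise peer SAs; it says nothing about what content may cross an SA that is allowed.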
Slide 36: Agenda (repeated)
Slide 37: Application to Boeing Enterprise: Advantages
• Secure, identity-based client-to-client communications
  • Allows moving most hosts outside of security perimeter
  • Office/home/Starbucks connections essentially identical
• Backwards compatible
  • Works within existing IP network and routing architecture
  • Non HIP-aware hosts could still be allowed, depending on network policy
• Mobile
  • HIP’s multi-homing capability allows hosts to seamlessly cross subnet boundaries or even wireless domains (802.11, cellular, etc.)
  • Key enabler for VOIP over WLAN (“VoWLAN”)
    – High-speed roaming across subnets and network domains
    – Inexpensive IP telephony for the factory
Slide 38: Application to Boeing Enterprise: Advantages (Cont.)
• Network-based policy enforcement using middleboxes
  • Allows connectivity limits using identity, not IP or MAC
    – Smarter, easier to manage than ACL’s
  • Allows special policies/limitations for classes of hosts/users
    – AWD’s like printers, machine tools, etc.
    – Users like vendors, suppliers, guests
• Delegatable authorization through PKI
  • Supervisor can set up new AWD machine tool on network with predefined limited access
    – No NCC interaction required
  • Cross-trust relationships with vendors, suppliers, DoD, etc. automatically reflected in network policy
• Works seamlessly across IPv4/IPv6 connections
  • Applications use DNS namespace for connections, not IP addresses
Slide 39: Application to Boeing Enterprise: Challenges
• Bringing HIP into IETF Standards track
  • Much depends on success of early adopters
• Integrating SMA architecture into Boeing Enterprise
  • Affects Directory Services, Perimeter Security, Wireless Services, NAMS[ng], etc.
  • Windows modules would have to be included in standard computing images
  • Backwards compatibility hardware needed for legacy equipment
• Scalability
  • DNS/Directory query traffic
    – Publish/Subscribe architecture for location & PDP/PEP?
    – Reverse lookups
  • Rendezvous Server implementation
  • NAT support
Slide 40: Agenda (repeated)
Slide 41: CY’05 Plans
• Development Activities
  • Integration of Windows HIP client
  • Preliminary implementation of new HIP API
  • Legacy API shim for Windows and Linux platforms
  • Publish/subscribe architecture for directory changes
  • SIM-chip-based wireless bridge device prototype for AWD’s
  • Prototype middlebox for network policy enforcement
• Pilot SMA evaluations in Bellevue and Everett
  • Move to production DNS namespace (mobile.boeing.com)
  • 802.11 Location services interoperating with Cisco infrastructure (probably Aeroscout)
  • Security review and buy-off for external access
  • Detailed business case development and analysis
Slide 42: Q & A