Slide 1: Update on the UMU Dynamic VPN R&D Work – November 2003
Antonio F. Gomez Skarmeta, Gregorio Martinez
<skarmeta, [email protected]>
University of Murcia (UMU), SPAIN
Slide 2: Agenda
• Reminder from the July'03 Meeting
• UMU-PKIv6: Update on the Status
• UMU-PBNM: Update on the Status
• Collaboration Plans
Slide 3: UMU-PBNM Main Objective
• Design and set up a security framework to manage distributed communication systems using the PBNM paradigm
• Features:
– Flexible
– Secure
– Service- and application-independent
– Standards-based
– IP-based
• In collaboration with UCL-CS (through the Euro6IX-6NET project collaboration and the SEINIT project)
Slide 4: UMU-PBNM Proposed Architecture
(Layered diagram; only its labels survive in the transcript. Layers and the component placed in each: Policy Management Framework: UMU-PBNM (Policy Console, PMT, PDP, PEP) and Policy Language; Trust Management System: UMU-PKIv6; Network Layer Security Services: IPsec Security Services; Cryptographic Middleware: Java Card.)
Slide 5: General Architecture
(Diagram only; no text survives in the transcript.)
Slides 6 to 8: (Diagrams only; no text survives in the transcript.)
Slide 9: Policy Management Process
(Diagram with steps numbered 1 to 7; only the step numbers survive in the transcript.)
Slide 10: Monitoring Process
(Diagram with steps numbered 1 to 4; only the step numbers survive in the transcript.)
Slide 12: UMU-PKIv6 v7.1.2
• Installation process highly improved (thanks to feedback from UCL-CS and NRNS/DRDC-RDDC)
• Version 7.1.2 supports:
– WinCE-compatible devices (PDAs, mobile phones, etc.)
– SSH/SCP PKCS#10 and KEYGEN (Netscape) requests
– DNSsec
– A new debug mode
• New version (v7.2.0) will be released this week:
– OCSP and TSP applets automatically signed during the installation process
– Log management from the web
Slide 14: Policy Language
• Definition of XML schemas from the IETF IPsec PIB
• Extension of the UMU-PBNM to support IPsec policies for:
– Linux FreeS/WAN (in both IPv4 and IPv6)
– FreeBSD (in both IPv4 and IPv6)
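As an added example (not UMU-PBNM code; the deck's XML schemas are not reproduced here), the Python below takes a small constructed XML IPsec policy and emits the two enforcement forms named on the slide: FreeBSD setkey(8) SPD entries and a Linux FreeS/WAN ipsec.conf conn. The XML element and attribute names are assumptions made for illustration, not the IETF IPsec PIB layout. The address-family check is the kind of validation a PEP that manages both IPv4 and IPv6 needs before it touches a kernel SPD.

```python
"""Translate one abstract IPsec policy into FreeBSD setkey and FreeS/WAN syntax.

Added example, not UMU-PBNM code: the XML element and attribute names are
assumptions made for illustration, not the IETF IPsec PIB schema.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: an IPv6 site-to-site ESP tunnel between two sites.
SAMPLE_POLICY_V6 = """
<ipsecPolicy name="umu-to-ucl">
  <selector src="2001:db8:1::/48" dst="2001:db8:2::/48" proto="any"/>
  <action protocol="esp" mode="tunnel" level="require" auth="rsasig"/>
  <tunnel local="2001:db8::1" remote="2001:db8::2"/>
</ipsecPolicy>
"""

# Constructed invalid sample: IPv4 selectors but IPv6 tunnel endpoints.
SAMPLE_POLICY_MIXED = """
<ipsecPolicy name="broken">
  <selector src="10.1.0.0/16" dst="10.2.0.0/16" proto="any"/>
  <action protocol="esp" mode="tunnel" level="require" auth="secret"/>
  <tunnel local="2001:db8::1" remote="2001:db8::2"/>
</ipsecPolicy>
"""


def parse_policy(xml_text):
    """Parse the policy and validate it before anything reaches a kernel SPD."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "ipsecPolicy":
        raise ValueError("not an ipsecPolicy document")
    sel, act = root.find("selector"), root.find("action")
    if sel is None or act is None:
        raise ValueError("policy needs <selector> and <action>")
    pol = {
        "name": root.get("name", "unnamed"),
        "src": ipaddress.ip_network(sel.get("src")),   # strict: host bits must be zero
        "dst": ipaddress.ip_network(sel.get("dst")),
        "proto": sel.get("proto", "any"),
        "protocol": act.get("protocol"),
        "mode": act.get("mode"),
        "level": act.get("level", "require"),
        "auth": act.get("auth", "rsasig"),
    }
    if pol["protocol"] not in ("esp", "ah") or pol["mode"] not in ("tunnel", "transport"):
        raise ValueError("unsupported protocol/mode combination")
    if pol["src"].version != pol["dst"].version:
        raise ValueError("src and dst selectors must share an address family")
    if pol["mode"] == "tunnel":
        tun = root.find("tunnel")
        if tun is None:
            raise ValueError("tunnel mode requires <tunnel> endpoints")
        pol["local"] = ipaddress.ip_address(tun.get("local"))
        pol["remote"] = ipaddress.ip_address(tun.get("remote"))
        # A PEP managing both IPv4 and IPv6 must refuse endpoints that cannot
        # carry the selected traffic instead of installing a half-broken SPD.
        if {pol["local"].version, pol["remote"].version} != {pol["src"].version}:
            raise ValueError("tunnel endpoints must match the selector address family")
    return pol


def to_setkey(pol):
    """FreeBSD (KAME) setkey(8) SPD entries, one per direction.
    setkey only installs policy; IKE authentication is racoon's job, so 'auth'
    is not emitted here."""
    if pol["mode"] == "tunnel":
        out_eps = "%s-%s" % (pol["local"], pol["remote"])
        in_eps = "%s-%s" % (pol["remote"], pol["local"])
    else:
        out_eps = in_eps = ""          # transport mode reads 'esp/transport//require'
    req = "ipsec %s/%s/%%s/%s" % (pol["protocol"], pol["mode"], pol["level"])
    return "\n".join([
        "spdadd %s %s %s -P out %s;" % (pol["src"], pol["dst"], pol["proto"], req % out_eps),
        "spdadd %s %s %s -P in %s;" % (pol["dst"], pol["src"], pol["proto"], req % in_eps),
    ])


def to_freeswan(pol):
    """Linux FreeS/WAN ipsec.conf 'conn' section (tunnel mode: FreeS/WAN
    describes a connection by its two endpoints and the subnets behind them)."""
    if pol["mode"] != "tunnel":
        raise ValueError("only tunnel-mode policies are translated to a conn")
    return "\n".join([
        "conn %s" % pol["name"],
        "    left=%s" % pol["local"],
        "    leftsubnet=%s" % pol["src"],
        "    right=%s" % pol["remote"],
        "    rightsubnet=%s" % pol["dst"],
        "    authby=%s" % pol["auth"],
        "    auto=start",
    ])


def rejects(xml_text):
    """True if the validator refuses the policy."""
    try:
        parse_policy(xml_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY_V6)
    print(to_setkey(policy))
    print(to_freeswan(policy))
    print("mixed-family policy rejected:", rejects(SAMPLE_POLICY_MIXED))
```

The two outputs differ in what they carry: the setkey form is pure SPD (selectors, direction, protocol/mode/endpoints/level) and leaves key management to racoon, whereas the FreeS/WAN conn also fixes the authentication method, because FreeS/WAN's Pluto handles IKE itself. A real PEP would additionally run `setkey -f` or `ipsec auto --add` and report the result back to the PDP.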
Slide 15: UMU-PBNM Internal Components
• COPS:
– Porting of the VOCAL 1.5 COPS implementation to IPv6 (in C++)
– UMU-jCOPS (University of Murcia – Java COPS) implementation
• Definition of all the COPS and COPS-PR messages
• Definition of two APIs, allowing the definition of any kind of PDP or PEP (security, QoS, mobility, routing, etc.):
– At the message level
– At the functionality level
• Interoperable with the VOCAL 1.5 COPS implementation
Slide 16: UMU-PBNM Internal Components (and II)
• UMU-jCOPS packages: brief description (the package table itself is a figure; no text survives in the transcript)
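As an added example (not UMU-jCOPS or VOCAL code), the following Python shows what the "message level" of a COPS API has to get right: the RFC 2748 common header (version, flags, op code, client-type, message length) and the object framing (length, C-Num, C-Type, padding to 32-bit boundaries). It builds the PEP's Client-Open carrying a PEPID object and the PDP's solicited Decision carrying Handle, Context and Decision Flags objects, and the parser refuses messages whose lengths do not add up. The client-type 0x8003 and the PEP name are constructed placeholders; COPS-PR specific objects (PRID, EPD) are not covered.

```python
"""Encode and decode COPS messages (RFC 2748): common header plus objects.

Added example, not UMU-jCOPS or VOCAL code. Header and object layouts follow
RFC 2748; CLIENT_TYPE and the PEP name are constructed placeholders.
"""
import struct
from dataclasses import dataclass, field

COPS_VERSION = 1
OP_NAMES = {1: "REQ", 2: "DEC", 3: "RPT", 4: "DEL", 5: "SSQ",
            6: "OPN", 7: "CAT", 8: "CC", 9: "KA", 10: "SSC"}
OP_DEC, OP_OPN = 2, 6
CNUM_NAMES = {1: "Handle", 2: "Context", 6: "Decision", 11: "PEPID"}
R_TYPE_CONFIG = 0x08       # Context R-Type "configuration request", the one COPS-PR uses
CMD_INSTALL = 1            # Decision Flags command code
CLIENT_TYPE = 0x8003       # constructed value in the enterprise-specific range
HEADER = struct.Struct("!BBHI")     # ver|flags, op code, client-type, message length
OBJ_HEADER = struct.Struct("!HBB")  # object length (incl. this header), C-Num, C-Type


def _pad(n):
    """Octets needed to reach the next 32-bit boundary."""
    return (-n) % 4


@dataclass
class CopsObject:
    cnum: int
    ctype: int
    body: bytes

    def encode(self):
        length = OBJ_HEADER.size + len(self.body)   # stated length excludes padding
        return (OBJ_HEADER.pack(length, self.cnum, self.ctype) + self.body
                + b"\0" * _pad(length))


@dataclass
class CopsMessage:
    op: int
    client_type: int
    objects: list = field(default_factory=list)
    solicited: bool = False              # Flags bit 0x1: solicited message

    def encode(self):
        payload = b"".join(o.encode() for o in self.objects)
        flags = 1 if self.solicited else 0
        return HEADER.pack((COPS_VERSION << 4) | flags, self.op, self.client_type,
                           HEADER.size + len(payload)) + payload

    def summary(self):
        names = ", ".join(CNUM_NAMES.get(o.cnum, "C-Num %d" % o.cnum) for o in self.objects)
        return "%s client-type 0x%04x [%s]" % (OP_NAMES[self.op], self.client_type, names)


def decode(buf):
    """Parse one message; refuse anything whose lengths do not add up."""
    if len(buf) < HEADER.size:
        raise ValueError("short header")
    vf, op, client_type, length = HEADER.unpack_from(buf)
    if vf >> 4 != COPS_VERSION:
        raise ValueError("unsupported COPS version %d" % (vf >> 4))
    if op not in OP_NAMES:
        raise ValueError("unknown op code %d" % op)
    if length % 4 or length < HEADER.size or length > len(buf):
        raise ValueError("message length %d inconsistent with %d octets" % (length, len(buf)))
    msg = CopsMessage(op, client_type, [], bool(vf & 0x1))
    pos = HEADER.size
    while pos < length:
        if length - pos < OBJ_HEADER.size:
            raise ValueError("truncated object header at offset %d" % pos)
        olen, cnum, ctype = OBJ_HEADER.unpack_from(buf, pos)
        if olen < OBJ_HEADER.size or pos + olen > length:
            raise ValueError("object length %d overruns message at offset %d" % (olen, pos))
        msg.objects.append(CopsObject(cnum, ctype, bytes(buf[pos + OBJ_HEADER.size:pos + olen])))
        pos += olen + _pad(olen)         # receiver rounds up to the next 32-bit boundary
    return msg


# Constructors for the objects exchanged below.
def handle(h):
    return CopsObject(1, 1, h)

def context(r_type, m_type=0):
    return CopsObject(2, 1, struct.pack("!HH", r_type, m_type))

def decision_flags(command, flags=0):
    return CopsObject(6, 1, struct.pack("!HH", command, flags))

def pepid(name):
    return CopsObject(11, 1, name.encode("ascii") + b"\0")   # NUL-terminated ASCII


def pep_open(pep_name="pep-murcia"):
    """PEP -> PDP: Client-Open announcing the PEP identity for CLIENT_TYPE."""
    return CopsMessage(OP_OPN, CLIENT_TYPE, [pepid(pep_name)]).encode()


def pdp_decision(client_handle=b"\x00\x00\x00\x01"):
    """PDP -> PEP: solicited Decision installing configuration for one handle."""
    return CopsMessage(OP_DEC, CLIENT_TYPE,
                       [handle(client_handle), context(R_TYPE_CONFIG),
                        decision_flags(CMD_INSTALL)], solicited=True).encode()


def is_malformed(buf):
    """True if decode() rejects the buffer."""
    try:
        decode(buf)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for raw in (pep_open(), pdp_decision()):
        print(len(raw), "octets:", decode(raw).summary())
    print("truncated DEC rejected:", is_malformed(pdp_decision()[:20]))
```

The length checks matter because COPS runs over a long-lived TCP connection between PEP and PDP: a parser that trusts the object length field, or that does not round object boundaries up to 32 bits the way the sender padded them, will desynchronise on the stream or read past the message. The "functionality level" API the slide mentions would sit on top of this, mapping Decision objects to install/remove calls on the enforcement tool.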
Slide 18: X-Bone, UMU-PKIv6 and UMU-PBNM
• X-Bone v3.0-beta being tested in our labs
• Evaluation plan:
– With UMU-PKIv6:
• Using UMU-PKIv6 certificates (with IPv6 addresses in the DN field) in every X-Bone node
• Check how the DNSsec support of both systems can be integrated
• Analyse the use of attribute certificates in the X-Bone
– With UMU-PBNM:
• Analysing elements in X-Bone that can be dynamically managed by the UMU-PBNM proposed architecture
– Inter-site testbed:
• Interest from UCL-CS and UMU to set up an inter-site testbed over IPv6
• Any other interested party?
Slide 19: DVC and UMU-PKIv6
• DVC 0.0.2a being tested in our labs
• DVC needs:
– Provision of PKI + KMS functionalities
– IPv6 support
• DVC required features: automated ...
– certificate enrolment
– certificate renewal
– certificate revocation
– certificate status checking
– cross-certification
Slide 20: DVC and UMU-PKIv6 (II)
• UMU-PKIv6 currently offers:
– Automated certificate enrolment and revocation
• SCEP server (SCEP draft version 0.5)
• SSH server
– Certificate status checking
• CRLs published in LDAP servers
• OCSP server
– Cross-certification
– Certificate renewal: missing!!
• Additional components:
– UMU-jSCEP: Java SCEP client
– UMU-jOCSP: Java OCSP
– Java SSH client
• Currently being used with:
– CISCO routers (SCEP-based)
– 6WIND routers (SSH-based)
Slide 21: DVC and UMU-PKIv6 (and III)
• Decisions to be taken:
– Support of ARLs (Authority Revocation Lists)
• Why?: to provide the status of cross-certificates
• DVC: has to evaluate the need to support them
• UMU-PKIv6: has to improve its support of ARLs
– Use of DNSsec
• Why?: dynamic provision of security information
• DVC: has to study the interest in this
• UMU-PKIv6: feature already supported
– Use of the PKIX-CMP protocol
• Why?: complete certificate lifecycle management
• DVC: defined as an interesting feature
• UMU-PKIv6: implementation already started (both modes: simple and full)
Slide 22: For anyone interested in collaborating, integrating and/or testing ...
• The UMU-PKIv6 v7.2.0
• The UMU-PBNM, or any of its components (e.g. VPN Enforcement Tool, UMU-jCOPS, etc.)
• Any other idea/line regarding the dynamic management of VPNs
please send us an email to
Antonio F. Gomez Skarmeta <[email protected]> and/or Gregorio Martinez <[email protected]>
Thanks!!!