Post-IP technologies, virtualization and security
Guy
Virtualization for a post-IP network
Geni
Intel would like to propose a generic router
Intel proposes to have generic hardware with a virtual network operating system
A router can simultaneously support CISCO IOS and Juniper Junos and Alcatel OS and Nortel OS, etc.
Cisco's reaction was to virtualize the different releases of IOS.
Virtual router
Figure: a virtual router shared by Network A, Network B and Network C
Virtualization of the Control Plane
Figure: control algorithms running on five network operating system instances (NOS Control 1 to 5)
Why virtualization?
A better use of the resources
Sharing of the resources for the routing schemes
Security of the machines against attacks
Isolation of the traffic in the virtual machines
Management and control
Need a hypervisor
How to move the virtual entities (router, etc.)
Virtualization of the Management Plane
Figure: five network management systems (NM System 1 to 5)
Protocol virtualization
Figure: virtual protocols A, B, C, D and E
A = IP stack is mandatory in the core network within the virtual protocol
Virtualization of the Data Plane
Virtualization of the protocols
Figure: data plane carrying the virtual protocols A, B, C, D and E alongside IP
Post-IP security through a strong authentication and closed traceability
Why two-factor authentication is needed
Password issues
Attackers can sniff out what's typed on keyboards, simply by recording keystroke sounds
Recommendation to enhance security with two-factor authentication that combines passwords with one-time-password tokens or smartcards, or with biometric recognition, like fingerprint readers
A well-known two-factor authentication device is the RSA SecurID token
This token works with a proprietary authentication infrastructure
Two-factor authentication
Our proposal
• Tokens are based on the Java Card technology
• They execute Java applications supported by the open code project OpenEapSmartcard.
• The authentication platform is fully based on IETF standards (mainly the Extensible Authentication Protocol, EAP), no proprietary features
• Our authentication scenario deals with the classical SSL/TLS protocol (more precisely EAP-TLS), which is widely deployed through the WEB, and which relies on Public Key Infrastructure (PKI)
What is EAP ?
EAP is an IETF standard
• The Extensible Authentication Protocol (EAP) was introduced in 1999, in order to define a flexible authentication framework.
◦ EAP, RFC 3748, "Extensible Authentication Protocol (EAP)"
◦ EAP-TLS, RFC 2716, "PPP EAP TLS Authentication Protocol"
◦ EAP-SIM, RFC 4186, "Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM)"
◦ EAP-AKA, RFC 4187, "Extensible Authentication Protocol Method for 3
What is EAP ?
Code: 1 Request, 2 Response, 3 Success, 4 Failure
Type: 1 Identity, 2 Notification, 3 NAK, 4 MD5 challenge, 13 EAP-TLS, 18 EAP-SIM
Identifier: packet identifier. Length: packet length.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Code      |  Identifier   |            Length             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|     Type      |  Type-Data ...
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
What is EAP ?
An Esperanto for Access Control in IP infrastructures.
• Wireless LAN
◦ Wi-Fi, IEEE 802.1x
◦ WiMAX mobile, IEEE 802.16e, PKM-EAP
• Wired LANs
◦ ETHERNET, IEEE 802.3
◦ PPP, RFC 1661, "The Point-to-Point Protocol (PPP)"
• VPN (Virtual Private Network) technologies
◦ PPTP, RFC 2637, "Point-to-Point Tunnelling Protocol"
◦ L2TP, RFC 2661, "Layer Two Tunnelling Protocol"
◦ IKEv2, RFC 4306, "Internet Key Exchange Protocol"
• Authentication Server
◦ RADIUS, RFC 3559, "RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP)"
What is EAP ?
EAP components
• According to RFC 3748, EAP implementations conceptually consist of the four following components:
◦ 1- The lower layer is responsible for transmitting and receiving EAP frames between the peer and authenticator.
◦ 2- The EAP layer receives and transmits EAP packets via the lower layer, implements duplicate detection and retransmission, and delivers and receives EAP messages to and from EAP methods.
◦ 3- EAP peer and authenticator layers. Based on the Code field, the EAP layer de-multiplexes incoming EAP packets to the EAP peer and authenticator layers.
◦ 4- EAP methods implement the authentication algorithms, and receive and transmit EAP messages. EAP methods can be implemented in Java Card systems.
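An added example, not code from the slides or from the OpenEapSmartcard project, tying the packet format slide to the component list above: a Python parser and builder for the Code | Identifier | Length | Type | Type-Data header, the Code-based de-multiplexing of component 3, and a minimal peer-side method negotiation for component 4. Code and Type values are those listed on the slides; the sample identity, the set of supported methods and the padding rule are assumptions.

```python
import struct

# Code and Type values as listed on the slides (RFC 3748; EAP-TLS RFC 2716; EAP-SIM RFC 4186)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak",
             4: "MD5-Challenge", 13: "EAP-TLS", 18: "EAP-SIM"}
IDENTITY, NAK, EAP_TLS, EAP_SIM = 1, 3, 13, 18

def build_eap(code, ident, eap_type=None, data=b""):
    """Serialise Code | Identifier | Length | [Type | Type-Data]; Length counts the whole packet."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(frame):
    """Parse one EAP packet as the EAP layer (component 2) would, rejecting malformed headers."""
    if len(frame) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP Code {code}")
    if length < 4 or length > len(frame):
        # Assumption: the lower layer may pad the frame, but Length must never exceed it.
        raise ValueError(f"bad Length {length} for a {len(frame)}-byte frame")
    pkt = {"code": EAP_CODES[code], "id": ident}
    if code in (1, 2):  # only Request and Response carry a Type and Type-Data
        if length < 5:
            raise ValueError("Request/Response without a Type field")
        pkt["type_code"] = frame[4]
        pkt["type"] = EAP_TYPES.get(frame[4], f"Type-{frame[4]}")
        pkt["type_data"] = frame[5:length]
    return pkt

def demux(pkt):
    """Component 3: Requests, Success and Failure go to the peer layer, Responses to the authenticator layer."""
    return "authenticator" if pkt["code"] == "Response" else "peer"

def peer_answer(request, identity, supported):
    """Component 4, peer side: answer an Identity Request with the identity, accept a supported
    method, or Nak it with the list of methods this token supports (RFC 3748 section 5.3)."""
    pkt = parse_eap(request)
    if pkt["code"] != "Request":
        raise ValueError("the peer layer only answers Requests")
    if pkt["type_code"] == IDENTITY:
        return build_eap(2, pkt["id"], IDENTITY, identity)
    if pkt["type_code"] in supported:
        return build_eap(2, pkt["id"], pkt["type_code"], b"")  # method data would follow here
    return build_eap(2, pkt["id"], NAK, bytes(sorted(supported)))
```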
What is EAP ?
EAP Java Card Technology
Figure: full software implementations versus partial software implementations (Java Card enabled) of the EAP stack on the peer and on the authentication server (RADIUS server, central computer): 1 Lower-Layer, 2 EAP-Layer, 3 EAP-Peer Layer / EAP-Auth. Layer, 4 EAP methods; in the Java Card enabled case, layers 3 and 4 run in the EAP JavaCard Client and the EAP JavaCard Server
The open platform
Why open Java Card technology code ?
Internet and WEB technologies are based on open code.
No proprietary features.
Good security principle that enables code reviewing.
Fair choice among multiple Java Card systems
OpenEapSmartcard.
Authentication platform
The platform
Summary
We have presented two-factor authentication tokens, based on the Java Card technology
We have introduced the open code project OpenEapSmartcard, which is used by these tokens
We have built an authentication architecture fully based on IETF standards.
We have shown a real Wi-Fi platform that deals with these technologies.