Institut für Telematik

Secure Signaling in Next Generation Networks with NSIS

Roland Bless, Martin RöhrichtIEEE ICC 2009, Dresden

R. Bless, M. Röhricht Institut für TelematikUniversität Karlsruhe (TH)

www.tm.uka.de

2

IEEE ICC 2009, Dresden

QoS Reservation

Motivation

Signaling protocols important component for Next Generation Networks

Admission control for resource reservationsManagement of network entitiesRSVP NSIS

Security of signaling protocols importantQoS reservationsFirewall configurationsNAT traversal mappings

VideoServer

R. Bless, M. Röhricht Institut für TelematikUniversität Karlsruhe (TH)

www.tm.uka.de

3

IEEE ICC 2009, Dresden

Next Steps in Signaling – Overview

Two-layer approachQoS or NAT/FW NSLPNTLP, i.e. GIST

discovery of next signaling peersignaling message transport (unreliable, reliable, secure)

Channel security mechanisms at GIST levelHop-by-hop based, not end-to-endMultiplex several different sessions over one secured channelNo per-user authentication

QoS NSLP SignalingPossibly secured sections

R. Bless, M. Röhricht Institut für TelematikUniversität Karlsruhe (TH)

www.tm.uka.de

4

IEEE ICC 2009, Dresden

Problem Statement

No per-user or per-session authentication possible

No per-user authorization No reliable and secure accounting

Objective: provide integrity protection for every signaling messageSession Authorization Policy Element

Relies on provision of authorization tokens from trusted third partyOpaque authorization token not sufficient

Not related to any signaling message objects

R. Bless, M. Röhricht Institut für TelematikUniversität Karlsruhe (TH)

www.tm.uka.de

5

IEEE ICC 2009, Dresden

Main Challenges

Add per-user authentication mechanism to Authorization Policy ElementIntegrity protection parts of signaling message

Some objects should still be modifiable by intermediate nodes

E.g. QoS parameter values

Specify light-weight approachSecurity shouldn’t add much additional (setup) delayThousands of signed signaling messages per node

Digital certificates not suitable

R. Bless, M. Röhricht Institut für TelematikUniversität Karlsruhe (TH)

www.tm.uka.de

6

IEEE ICC 2009, Dresden

Proposal towards Authentic NSIS Signaling

Establish binding of authorization object and NSLP messages

not included into HMAC

included into HMAC

SessionAuthorization

Object

Hash-Alg-ID, List of Signed NSLP ObjectsKey-ID for Sk

Signature Data HMAC(Sk, Data)

GIST Objects

QoS NSLP Objects

Protected parts of GIST PDU e.g. Session ID, Message Routing Information

Protected parts of QoS NSLP PDUe.g. INFO_SPEC, QSPEC

R. Bless, M. Röhricht Institut für TelematikUniversität Karlsruhe (TH)

www.tm.uka.de

7

IEEE ICC 2009, Dresden

HMAC-based protection0 7 8 15 16 23 24

Object Length

Length

Type = AUTH_SESSION1 0 0 0 00 0 0

31

AUTH_ENT_ID HMAC_SIGNED

Reserved

Length AUTH_DATA

OctetString (Message Authentication Code – HMAC Data)

Hash Algorithm ID

zero

Length NSLP_OBJ_LIST zero

Number of signed NSLP objects=n

padding

reserved NSLP signed object (1)

Length START_TIME NTP_TIME_STAMP

NTP time stamp (1)

NTP time stamp (2)

Length SOURCE_ADDR IPV4_ADDRESS

IPv4 Source Address

OctetString (Key Identifier)

NSLP signed object (n)reserved

R. Bless, M. Röhricht Institut für TelematikUniversität Karlsruhe (TH)

www.tm.uka.de

8

IEEE ICC 2009, Dresden

Kerberos based Example

Initial Session AuthorizationAssumption: routers are “Kerberized” resources

TGSTGS

NSLPInitiatorNSLP

Initiator

NSLPEntityNSLPEntity

1. Request Session Authorization Object1. Request Session Authorization Object

3. NSLP message with Session Authorization Objects A1 and A2

3. NSLP message with Session Authorization Objects A1 and A2

4. Verifies Session Authorization Objects A1 and A2. Store key Sk extracted from A1.

4. Verifies Session Authorization Objects A1 and A2. Store key Sk extracted from A1.

2. Get Session AuthorizationObject A1 (Resource Ticket)

2. Get Session AuthorizationObject A1 (Resource Ticket)

Hash-Alg-ID,

List of Signed NSLP Objects

Key-ID for Sk

HMAC(Sk, Data)

Kerberos Ticket

(Incl. Session Key Sk)

QoS NSLP objects

A1

A2

GIST objects

not included into HMAC

included into HMAC

Signature Data

AdministrativeDomain

R. Bless, M. Röhricht Institut für TelematikUniversität Karlsruhe (TH)

www.tm.uka.de

9

IEEE ICC 2009, Dresden

NSIS-ka Suite

Open Source C++-based, multi-threaded implementation for Linux

GISTQoS NSLPNATFW NSLP

Well tested at Interop tests against different implementationsCurrently under active development

GIST-aware NAT-GatewaysMobility support for/with MobileIPv6Anticipated HandoversMulticast SupportIntegration into OMNeT++ simulation framework

Code freely available: http://nsis-ka.org

R. Bless, M. Röhricht Institut für TelematikUniversität Karlsruhe (TH)

www.tm.uka.de

10

IEEE ICC 2009, Dresden

Performance Evaluation

Proposed integrity protection implemented and testedBenchmarks to determine overhead of HMAC computation

Intel Pentium IV 2.8GHzReading system clock at specific actions and keeping time stamps in memory50,000 runs measured in µs

Creation of Session Authorization Object including HMAC computation

30.8% overhead (Mean)HMAC verification and deserialization of PDU

31.8% overhead (Mean)

Action Min Max Mean Stddev

Serialization 68.2 701.9 69.1 10.5

Serialization w. HMAC 89.4 718.1 90.4 8.3

Deserialization 74.4 705.6 75.3 8.8

Deserialization w. HMAC 97.6 746.3 99.2 9.8

R. Bless, M. Röhricht Institut für TelematikUniversität Karlsruhe (TH)

www.tm.uka.de

11

IEEE ICC 2009, Dresden

Conclusion & Outlook

Allows for user-based authenticationIntegrity protection of important parts of an NSLP messageUses resource efficient HMAC-based signaturesKey exchange not per session required

Only per user

No further backend communication needed by intermediate nodes for integrity checksLow communication overheadNot restricted to a particular NSLP

Institut für Telematik

Thanks! Questions?

www.tm.uka.de/itm

R. Bless, M. Röhricht Institut für TelematikUniversität Karlsruhe (TH)

www.tm.uka.de

13

IEEE ICC 2009, Dresden

Backup

R. Bless, M. Röhricht Institut für TelematikUniversität Karlsruhe (TH)

www.tm.uka.de

14

IEEE ICC 2009, Dresden

Session Authorization by Policy Decision

Authorizing entity generates Authorization Policy Element

According to framework defined by RFC 3521

Retrieved policy element must be copied into Session Authorization ObjectQNE extracts information

Uses Diameter QoS application or RADIUS QoS protocol to contact Policy Decision Point

AAAAAA

QNIQNIQNEQNE

1. request session authorization object1. request session authorization object

3. NSLP message withsession authorization object3. NSLP message withsession authorization object

4. verifies session authorization object4. verifies session authorization object 2. get session

authorizationobject

2. get session authorizationobject

QNI: QoS NSLP Initiator

QNE: QoS NSLP Entity

R. Bless, M. Röhricht Institut für TelematikUniversität Karlsruhe (TH)

www.tm.uka.de

15

IEEE ICC 2009, Dresden

Generic NSLP object headerA, B – Extensibility flagsType – AUTH_SESSION

List of Session Authorization AttributesX-Type – Authorizing Entity Identifier, Source/Dest. Address, Start/End Time, Authentication DataSubType – Fully Qualified Domain Name, Digital Certificate, IPv4/v6-Address, Kerberos Principal Name, …

Session Authorization Object

Session Authorization Attribute List

310 7 8 15 16 23 24

A LengthB r r r r rType r

310 7 8 15 16 23 24

SubTypeLength X-Type

Value …

R. Bless, M. Röhricht Institut für TelematikUniversität Karlsruhe (TH)

www.tm.uka.de

16

IEEE ICC 2009, Dresden

A worked Example with Kerberos

Session Authorization Object Format

0 7 8 15 16 23 24

Object Length

Length

Type = AUTH_SESSION1 0 0 0 00 0 0

31

AUTH_ENT_ID KRB_PRINCIPAL

OctetString (The principal@realm name)

Length AUTH_DATA zero

OctetString (Key identifier, Resource ticket)

Length START_TIME NTP_TIME_STAMP

NTP time stamp (1)

NTP time stamp (2)

Length SOURCE_ADDR IPV4_ADDRESS

IPv4 Source Address

R. Bless, M. Röhricht Institut für TelematikUniversität Karlsruhe (TH)

www.tm.uka.de

17

IEEE ICC 2009, Dresden

HMAC-based Protection

Use Message Authentication Code to protect parts of NSLP message

New attribute contains list of protected NSLP objectsReceiver computes hash over these objects and all attributes of authorization object

Allow for “crypto agility”Specify identifier for used hash function

Actually used key referenced by 32 bit key IDSign every message but don’t change key for every transaction or flow

Distribution of shared symmetric key requiredE.g. by using Kerberos

R. Bless, M. Röhricht Institut für TelematikUniversität Karlsruhe (TH)

www.tm.uka.de

18

IEEE ICC 2009, Dresden

TLS

UDPUDP TCPTCP SCTPSCTP DCCPDCCP

IPsec

IPv4/IPv6IPv4/IPv6

SignalingApplication 1

(QoS)

SignalingApplication 1

(QoS)

Signaling Application 2

(NAT FW)

Signaling Application 2

(NAT FW)

NSISSignaling Layer(NSLP)

NSISTransportLayer(NTLP)

General Internet Signalling Transport (GIST)

General Internet Signalling Transport (GIST)

R. Bless, M. Röhricht Institut für TelematikUniversität Karlsruhe (TH)

www.tm.uka.de

19

IEEE ICC 2009, Dresden

Length X-Type=NSLP_OBJ_LIST

SubType=zero

Number of signed NSLP objects=n

NSLP signed object (n) padding (if required)

reserved NSLP signed object (1)

reserved

0 7 8 15 16 23 24 31

R. Bless, M. Röhricht Institut für TelematikUniversität Karlsruhe (TH)

www.tm.uka.de

20

IEEE ICC 2009, Dresden

Kerberos based Example

Subsequent Session Authorizations

TGSTGS

1. NSLP message withSession Authorization Object A1. NSLP message withSession Authorization Object A

2. Verifies Session Authorization Object A 2. Verifies Session Authorization Object A

List of Signed NSLP Objects

Hash-Alg-ID, Key-ID for Sk

HMAC(Sk, Data)

QoS NSLP objects

A

GIST objects

not included into HMAC

included into HMAC

NSLPInitiatorNSLP

Initiator

NSLPEntityNSLPEntity

Signature Data