Analysis of Options for Securing the Generic Internet Signaling Transport GIST

1
Analysis of Options for Securing the Generic
Internet Signaling Transport (GIST)

• ltdraft-tschofenig-nsis-gist-security-00.txtgt
• Hannes Tschofenig
• Pasi Eronen
• IETF 64

2
Motivation

• When deploying protocols the deployment
  environment needs to be considered.
• Allow the protocol to use credentials used in
  this environment
• This document
• analyses the usage of different security
  protocols (and credentials) with GIST.
• discusses API considerations
• when the authenticated identity needs to be
  passed from the GIST to NSLPs and
• security policies from the NSLP to GIST.

3
Content

• The usage of the following security mechanisms in
  the context of GIST is discussed
• Transport Layer Security (TLS) with X.509 certs
• Extensible Authentication Protocol (EAP)
• TLS Inner Application
• EAP in NSLP
• 3GPP Generic Bootstrapping Architecture (GBA)

4
Next Steps

• Text for GIST on flexible usage of security
  mechanism will be proposed.
• Further mechanisms will be analysed
• IKE/IPsec with X.509 PKI.
• TLS or IKE/IPsec with manually configured shared
  secrets
• TLS with Cryptographically Generated Addresses
  (CGA)
• IPsec with Host Identity Protocol (HIP)
• Usage of Kerberos within the TLS Handshake
• Integration with SAML/Liberty infrastructure