A Firewall Control Protocol (FCON), draft-soliman-firewall-control-00, Hesham Soliman, Greg Daley, Suresh Krishnan - PowerPoint PPT Presentation
1
A Firewall Control Protocol (FCON)
draft-soliman-firewall-control-00
Hesham Soliman
Greg Daley
Suresh Krishnan
hesham_at_elevatemobile.com
2
Objective
  • Allow end nodes to request that traffic be passed
    through the firewall
  • Allow end nodes to discover the node that they
    send their requests to (the Policy Decision Point,
    PDP) dynamically
  • Strong authorisation model
  • Allow for different deployment scenarios:
    • Multiple firewalls within a network
    • Different firewalls for different network paths
    • Firewalls located anywhere in the network,
      including the access router

3
Protocol Architecture
[Diagram; labels recovered from the slide: Firewall, PDP, Firewall, DHCP, FCON, "Out of scope"]
4
Protocol details
  • Request-response protocol that runs over ICMPv6
  • PDP address discovery through DHCP
  • End nodes do not communicate directly with the
    firewall; communication is between the end node
    and the PDP
  • Allows requests for IPv4 address allocation
  • Protocol features:
    • Security association setup based on public-key
      or certificate exchange between the end node and
      the PDP
    • Subsequent requests are authenticated and
      protected against replay attacks
    • Requests contain one or more entries that
      describe the flow and request particular actions
    • Authorisation of the requests takes place in the
      PDP, based on security credentials and local
      policies
    • Once authorised, the PDP updates the firewall(s)
      according to the end node's request

5
Security
  • Different deployment models require different
    levels of authorisation. Either trusted
    certificates or public keys generated by the end
    node can be used, or both.
  • Use of Cryptographically Generated Addresses
    (CGAs) to prove address ownership. CGAs are
    already used in other protocols (e.g. SEND, or
    HBAs in shim6).
  • Liveness checks are included to verify reachability.
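As an added example (not code from the draft or from these slides), the following Go program plays out the exchange described on the Protocol details and Security slides: the end node builds a request with one or more flow entries, binds it to its CGA by signing it with the key the address was generated from, and the PDP checks address ownership, the signature and the sequence number before applying local policy and programming the firewall it selects for the flow. Everything not on the slides is an assumption of this example: the message layout, Ed25519 keys in place of the RSA keys SEND uses with CGAs, a Sec=0 CGA, a per-address sequence counter as the replay defence, the local policy (unprivileged ports only), the protocol-to-firewall path map, and the in-memory rule lists that stand in for the PDP-to-firewall interface the slides do not specify. The ICMPv6 transport and the DHCP discovery of the PDP are left out; the encoded bytes are what would be carried in the ICMPv6 body.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// FlowEntry is one request entry: the flow and the action asked for (4-byte layout assumed here).
type FlowEntry struct {
	Proto   uint8 // 6 = TCP, 17 = UDP
	DstPort uint16
	Action  uint8 // 1 = allow, 0 = deny
}
// Request carries the CGA parameters (so the PDP can re-derive the claimed address), a replay counter, entries, signature.
type Request struct {
	Seq      uint32
	Addr     [16]byte
	Modifier [16]byte
	CollCnt  uint8
	PubKey   ed25519.PublicKey
	Entries  []FlowEntry
	Sig      []byte // Ed25519 signature over encode()
}
// encode serialises the signed fields in network byte order, as they would sit in the ICMPv6 body.
func (r *Request) encode() []byte {
	b := new(bytes.Buffer)
	binary.Write(b, binary.BigEndian, r.Seq)
	b.Write(bytes.Join([][]byte{r.Addr[:], r.Modifier[:], {r.CollCnt}, r.PubKey, {uint8(len(r.Entries))}}, nil))
	binary.Write(b, binary.BigEndian, r.Entries) // entries are fixed-size structs, 4 bytes each
	return b.Bytes()
}
// cgaInterfaceID follows RFC 3972 with Sec=0 (no hash extension); Ed25519 stands in for the RSA keys SEND uses.
func cgaInterfaceID(mod [16]byte, prefix [8]byte, cc uint8, pub ed25519.PublicKey) (iid [8]byte) {
	sum := sha1.Sum(bytes.Join([][]byte{mod[:], prefix[:], {cc}, pub}, nil))
	copy(iid[:], sum[:8])
	iid[0] &^= 0xe3 // clear the three Sec bits and the u/g bits
	return
}
// PDP: local policy, per-address replay state, an assumed flow-to-firewall path map, and rule lists standing in for the firewalls.
type PDP struct {
	Prefix    [8]byte
	Paths     map[uint8]string // protocol -> firewall on that path
	lastSeq   map[[16]byte]uint32
	Firewalls map[string][]string
}
// Handle checks address ownership, signature, replay and policy, in that order, and only then programs the firewall(s).
func (p *PDP) Handle(r *Request) string {
	switch iid := cgaInterfaceID(r.Modifier, p.Prefix, r.CollCnt, r.PubKey); {
	case len(r.PubKey) != ed25519.PublicKeySize || !bytes.HasPrefix(r.Addr[:], p.Prefix[:]) || !bytes.Equal(r.Addr[8:], iid[:]):
		return "reject: CGA address ownership check failed"
	case !ed25519.Verify(r.PubKey, r.encode(), r.Sig):
		return "reject: bad signature"
	case r.Seq <= p.lastSeq[r.Addr]: // replay state is only touched after a valid signature
		return fmt.Sprintf("reject: replayed or stale sequence number %d", r.Seq)
	}
	p.lastSeq[r.Addr] = r.Seq
	for _, e := range r.Entries { // assumed local policy: unprivileged ports only; checked before anything is installed
		if e.DstPort < 1024 {
			return fmt.Sprintf("reject: policy denies port %d", e.DstPort)
		}
	}
	for _, e := range r.Entries {
		fw := p.Paths[e.Proto]
		p.Firewalls[fw] = append(p.Firewalls[fw], fmt.Sprintf("action=%d proto=%d dst=%x port=%d", e.Action, e.Proto, r.Addr, e.DstPort))
	}
	return "ok"
}
// RunScenario plays a valid request, a replay of it, a request from an address the key does not own, and one policy rejects.
func RunScenario() ([]string, map[string][]string) {
	prefix := [8]byte{0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 1} // 2001:db8:0:1::/64, a constructed documentation prefix
	pdp := &PDP{Prefix: prefix, Paths: map[uint8]string{6: "fw-border", 17: "fw-access"},
		lastSeq: map[[16]byte]uint32{}, Firewalls: map[string][]string{}}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the end node's key pair
	var mod, addr [16]byte
	rand.Read(mod[:])
	iid := cgaInterfaceID(mod, prefix, 0, pub)
	copy(addr[:], append(prefix[:], iid[:]...)) // the end node's CGA
	mk := func(seq uint32, port uint16, a [16]byte) *Request {
		r := &Request{Seq: seq, Addr: a, Modifier: mod, CollCnt: 0, PubKey: pub, Entries: []FlowEntry{{6, port, 1}}}
		r.Sig = ed25519.Sign(priv, r.encode())
		return r
	}
	forged := addr
	forged[15] ^= 1 // an address this key does not own
	valid := mk(1, 8080, addr)
	var out []string
	for _, r := range []*Request{valid, valid, mk(2, 8080, forged), mk(2, 22, addr)} {
		out = append(out, pdp.Handle(r))
	}
	return out, pdp.Firewalls
}

func main() {
	fmt.Println(RunScenario()) // [ok reject: ... reject: ... reject: ...] map[fw-border:[action=1 proto=6 dst=... port=8080]]
}
```

The order of the checks is the point: ownership is established before the signature is even examined, the replay counter is updated only after the signature verifies (so a party that cannot sign cannot burn a victim's sequence numbers), and policy is evaluated for every entry before any rule is installed, so a multi-entry request is applied atomically or not at all.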

6
What's new? Pros and cons
  • Authorisation model using CGAs
  • Binary protocol that uses ICMP as transport (as
    opposed to SIMCO's ABNF encoding)
  • Signalling to a generic PDP, which knows local
    policies and chooses the appropriate firewall
  • Cons?
    • Is this attractive for host implementers to
      include?
    • An API is needed on the host to know when to
      create a new entry in the firewall
    • Others?