
draft-ietf-dime-e2e-sec-req-01

draft-ietf-dime-e2e-sec-req-01. DIME WG, IETF 88. Hannes Tschofenig, Jouni Korhonen, Glen Zorn, K. Pillay. Background: it is a well-known fact that the Diameter base protocol has no end-to-end security. This is to be fixed with a new attempt, and is now more topical than ever ;-)



Presentation Transcript


  1. draft-ietf-dime-e2e-sec-req-01 DIME WG – IETF88 Hannes Tschofenig Jouni Korhonen Glen Zorn K. Pillay

  2. Background • It is a well-known fact that the Diameter base protocol has no end-to-end security. • To be fixed with a new attempt.. and now more topical than ever ;-) • From the current charter: • Dec 2012 - Submit 'problem statement and requirements for Diameter end-to-end security framework' to the IESG for consideration as an Informational RFC • Well.. we are almost there ;-)

  3. Current status • Authors think the document is “almost there” • Two open issues (also written down in the I-D)

  4. Open issue #1 - Capability/Policy Discovery • This document talks about selectively protecting Diameter AVPs between different Diameter nodes. A Diameter node has to be configured such that it applies security protection to a certain number of AVPs. • A number of policy related questions arise: • What keying material should be used so that the intended recipient is also able to verify it? • What AVPs shall be protected so that the result is not rejected by the recipient? In case of confidentiality protection the Diameter node encrypting AVPs needs to know ahead of time what other node is intended to decrypt them. Should the list of integrity protected AVPs be indicated in the protected payload itself (or is it known based on out-of-band information)? • Is this policy/capability information assumed to be established out-of-band (manually) or is there a protocol mechanism to distribute this information?
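The following is an added illustration, not code from the draft or the slides, of what is at stake in the "list in the payload or out-of-band" question on this slide. It integrity-protects a chosen subset of AVPs with an HMAC and carries both a key identifier (answering "what keying material") and the list of protected AVP codes inside the MAC-covered payload, so the recipient needs no out-of-band policy to verify. The AVP wire format follows RFC 6733; the signature AVP code 9001, its data layout, the key store and the sample AVP values are all hypothetical, constructed for the example.

```python
"""Selective AVP integrity protection with an in-band protected-code list.

Added example for the DIME e2e-sec discussion; not the draft's mechanism.
AVP code 9001, the key store and the sample values are constructed.
"""
import hashlib
import hmac
import struct

PROTECTED_LIST_AVP = 9001                 # hypothetical: key id + code list + HMAC
KEYS = {1: b"constructed-shared-secret-key-id-1"}  # hypothetical key store by key id


def encode_avp(code: int, data: bytes, flags: int = 0x40) -> bytes:
    """RFC 6733 AVP: code(4) flags(1) length(3) data, padded to a 4-byte boundary."""
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * ((-len(data)) % 4)


def decode_avps(buf: bytes):
    """Parse a run of AVPs into (code, flags, data) tuples, skipping padding."""
    avps, pos = [], 0
    while pos < len(buf):
        code, flags = struct.unpack("!IB", buf[pos:pos + 5])
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        avps.append((code, flags, buf[pos + 8:pos + length]))
        pos += length + ((-length) % 4)
    return avps


def _list_header(key_id: int, codes) -> bytes:
    return struct.pack("!IH", key_id, len(codes)) + b"".join(struct.pack("!I", c) for c in codes)


def _mac_input(key_id: int, codes, avps) -> bytes:
    # The code list is part of the MAC input, so it cannot be edited in transit.
    body = b"".join(encode_avp(c, d, f) for c, f, d in avps if c in codes)
    return _list_header(key_id, codes) + body


def protect(avps, codes, key_id: int) -> bytes:
    """Serialise `avps` and append a signature AVP covering the AVPs in `codes`."""
    codes = sorted(set(codes))
    mac = hmac.new(KEYS[key_id], _mac_input(key_id, codes, avps), hashlib.sha256).digest()
    sig = _list_header(key_id, codes) + mac
    return b"".join(encode_avp(c, d, f) for c, f, d in avps) + encode_avp(PROTECTED_LIST_AVP, sig)


def verify(msg: bytes):
    """Return (ok, protected_codes); unknown key id or bad MAC gives ok == False."""
    avps = decode_avps(msg)
    sigs = [d for c, f, d in avps if c == PROTECTED_LIST_AVP]
    if len(sigs) != 1:
        return False, []
    key_id, n = struct.unpack("!IH", sigs[0][:6])
    codes = list(struct.unpack("!%dI" % n, sigs[0][6:6 + 4 * n]))
    mac = sigs[0][6 + 4 * n:]
    key = KEYS.get(key_id)
    if key is None or len(mac) != hashlib.sha256().digest_size:
        return False, codes
    payload = [a for a in avps if a[0] != PROTECTED_LIST_AVP]
    expected = hmac.new(key, _mac_input(key_id, codes, payload), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected), codes


def replace_avp(msg: bytes, code: int, new_data: bytes) -> bytes:
    """Simulate an on-path node rewriting one AVP; the signature AVP is left untouched."""
    return b"".join(encode_avp(c, new_data if c == code else d, f) for c, f, d in decode_avps(msg))


def strip_from_list(msg: bytes, code: int) -> bytes:
    """Simulate an attacker editing the signature AVP to claim `code` was never protected."""
    out = []
    for c, f, d in decode_avps(msg):
        if c == PROTECTED_LIST_AVP:
            key_id, n = struct.unpack("!IH", d[:6])
            codes = [x for x in struct.unpack("!%dI" % n, d[6:6 + 4 * n]) if x != code]
            d = _list_header(key_id, codes) + d[6 + 4 * n:]
        out.append(encode_avp(c, d, f))
    return b"".join(out)


# Constructed sample: Session-Id (263), Origin-Host (264), User-Name (1)
SAMPLE = [
    (263, 0x40, b"nas.example.net;1;1"),
    (264, 0x40, b"nas.example.net"),
    (1, 0x40, b"alice@example.net"),
]

if __name__ == "__main__":
    msg = protect(SAMPLE, codes=[1, 264], key_id=1)
    print("intact:", verify(msg))
    print("User-Name rewritten:", verify(replace_avp(msg, 1, b"mallory@example.net")))
    print("Session-Id rewritten (unprotected):", verify(replace_avp(msg, 263, b"x;2;2")))
    print("code 1 removed from list:", verify(strip_from_list(replace_avp(msg, 1, b"m@x"), 1)))
```

Two of the printed cases are the practitioner's caveats: an AVP outside the protected set can still be rewritten by any relay without the recipient noticing, which is exactly why the "what AVPs shall be protected" policy matters, and removing a code from the in-band list fails because the list is inside the MAC input, so an in-band list does not by itself weaken the protection. An out-of-band list would avoid the extra AVP but requires both ends to agree on it in advance.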

  5. Open issue #2 - Command-Line Support • Should solutions allow the provisioning of long-term shared symmetric credentials via a command-line interface / text file? This allows easier management for small-scale deployments.

  6. Next steps • Fix the issues. • WGLC.. Ok?

  7. Questions ? Jouni will pay attention just like in v6ops session…
