IEEE 802.11-05/0373r0: Secure Mobile Architecture (presentation, 42 slides)

May 2005 doc.: IEEE 802.11-05/0373r0

Slide 1: Secure Mobile Architecture
Date: 2005-03-13
Authors:

Notice: This document has been prepared to assist IEEE 802.11. It is offered as a basis for discussion and is not binding on the contributing individual(s) or organization(s). The material in this document is subject to change in form and content after further study. The contributor(s) reserve(s) the right to add, amend or withdraw material contained herein.

Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE's name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE's sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.11.

Patent Policy and Procedures: The contributor is familiar with the IEEE 802 Patent Policy and Procedures, including the statement "IEEE standards may include the known use of patent(s), including patent applications, provided the IEEE receives assurance from the patent holder or applicant with respect to patents essential for compliance with both mandatory and optional portions of the standard." Early disclosure to the Working Group of patent information that might be relevant to the standard is essential to reduce the possibility for delays in the development process and increase the likelihood that the draft publication will be approved for publication. Please notify the Chair as early as possible, in written or electronic form, if patented technology (or technology under patent application) might be incorporated into a draft standard being developed within the IEEE 802.11 Working Group. If you have questions, contact the IEEE Patent Committee Administrator at .

Submission: Richard Paine, Boeing. BOEING is a trademark of Boeing Management Company. Copyright © 2004 Boeing. All rights reserved. NGI_SMA_Demoslides-rev7.ppt | 12/6/2004

Slide 2: SMA Demonstration, Dec. 2004
SMA Demo Team, Math & Computing Technologies

Slide 3: Agenda
Boeing Technology | Phantom Works, E&IT | Mathematics and Computing Technology
• Video Introduction
• Motivation and Problem Statement
• Overview of SMA Components
  – PKI, HIP, NDS, LENS
• Demonstration
  – Component overview
  – Provisioning
  – Mobility (IP address change)
  – Location-based policy enforcement
  – Rule-based policy enforcement
• Application to Boeing Enterprise
• CY'05 plans
• Q&A

Slide 4: Agenda (same as Slide 3)

Slide 5: What is "SMA"?
Secure Mobile Architecture
• Cryptographic identities are associated with each and every packet.
• Mobility-driven address changes are transparent to applications and connections.
• Significantly improves our Enterprise network architecture by providing:
  – Improved flexibility and agility
  – Network-enforced, end-to-end security
  – Centralized access control with delegated authority
  – Reduced operational cost and complexity
  – Uniform internal/external access method

Slide 6: So what is the problem?
• Cost and complexity of managing the current network infrastructure is quickly becoming unmanageable
• We have a growing need for flexibility, mobility and user diversity
• We are quickly becoming an ISP for our suppliers, vendors and customers
  – How do we affordably enforce AAA requirements for this diverse population?
• Wireless networking is revolutionizing our factory and office environments
  – How do we support the needs of emerging e-enabled factories, products, and mobile workers?
• We need a secure, agile network infrastructure that can quickly adapt to new requirements and emerging network technologies.

Slide 7: Agenda (Overview of SMA Elements: PKI, HIP, NDS, LENS)

Slide 8: SMA Elements
  PKI   Public Key Infrastructure
+ HIP   Host Identity Protocol
+ NDS   Network Directory Services
+ LENS  Location-Enabled Network Services
= SMA   Secure Mobile Architecture

Slide 9: SMA Elements: PKI

Slide 10: SMA Elements: PKI
• Boeing has begun deployment of a PKI using
  – A hierarchical trust chain of X.509 certificates
  – "Server", "Personal" and "SecureBadge" certificates
• Certificates contain:
  – Identity (user, machine, etc.)
  – Public key
  – Cryptographic signature by a trusted authority
• Private key:
  – Holder is "owner" of the certificate identity
  – Usually protected by a password or PIN
• Soft certificates ("SoftCerts"):
  – File-based private key
• Hard certificates ("HardCerts"):
  – Private key on a hardware token (smartcard, SIM, etc.)
  – Signing/decrypting done with on-board computing resources

Slide 11: SMA Elements: PKI
• HardCert advantages
  – Difficult to subvert or duplicate
  – Portable: user can carry the token between computers
• HardCert disadvantages
  – Limited on-board computing speed and communications
• Use "TempCerts" to bridge this gap:
  – A SoftCert with delegated, short time-validity
  – Issued to a user/machine after HardCert authentication
• Advantages
  – Reduced exposure to SoftCert subversion/duplication
  – SoftCert performance, needed for HIP security associations
  – Quickly installable/removable on "shared devices"
  – Useful in "factory tool room" type shared-device domains

Slide 12: SMA Elements: PKI, TempCert Provisioning Process
Diagram: the Client presents its badge cert to the RA over an SSL/TLS tunnel (1); the RA, backed by the Boeing PKI over SLDAP, returns a temp cert (2).
1) Badge used for client authentication; TempCert request sent to the RA
2) RA issues the TempCert
3) Client has the TempCert available for up to 8 hours
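The issuance and checking logic behind steps 1 to 3, as an added example that is not part of the original deck or of Boeing's software. It assumes ECDSA P-256 keys, collapses the RA and the Boeing PKI into one issuing root, models the SSL/TLS client-authentication step as the badge signing a challenge from the RA with its on-token key, and caps the TempCert at the 8-hour lifetime the slide gives; NewPKI, IssueBadgeCert, BadgeSign, TempCertRequest and IssueTempCert are this example's own names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed model of the TempCert provisioning flow on slide 12 (not Boeing code).
// Assumptions: ECDSA P-256 keys stand in for the production key types, the RA and the Boeing
// PKI are collapsed into one issuing root, the SSL/TLS client-auth step is modelled as the
// badge signing an RA challenge with its on-token key, and a TempCert lives at most 8 hours.

const TempCertMaxLifetime = 8 * time.Hour

// PKI is the issuing root the RA signs with, plus the trust pool everyone verifies against.
type PKI struct {
	root  *x509.Certificate
	key   *ecdsa.PrivateKey
	roots *x509.CertPool
}

func NewPKI(name string) (*PKI, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	root, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return &PKI{root: root, key: key, roots: roots}, nil
}

// issue signs a client-auth leaf for pub, valid from now for lifetime.
func (p *PKI) issue(cn string, pub *ecdsa.PublicKey, now time.Time, lifetime time.Duration) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(lifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, p.root, pub, p.key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// IssueBadgeCert models the long-lived HardCert whose private key never leaves the smartcard.
func (p *PKI) IssueBadgeCert(user string, badgePub *ecdsa.PublicKey) (*x509.Certificate, error) {
	return p.issue(user, badgePub, time.Now(), 3*365*24*time.Hour)
}

// Valid reports whether cert chains to this PKI and is inside its validity window at time t.
func (p *PKI) Valid(cert *x509.Certificate, t time.Time) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: p.roots, CurrentTime: t,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// BadgeSign is the on-token operation of step 1: the smartcard signs the RA's challenge.
func BadgeSign(badgeKey *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, badgeKey, h[:])
}

// TempCertRequest is what the client sends the RA: its badge cert, the badge's signature over
// the RA challenge, and the public half of a freshly generated file-based (soft) key pair.
type TempCertRequest struct {
	Badge        *x509.Certificate
	ChallengeSig []byte
	SoftPub      *ecdsa.PublicKey
	Requested    time.Duration
}

// IssueTempCert is the RA's step 2: authenticate the badge, then issue a short-lived SoftCert
// for the soft key that carries the badge's identity. The lifetime is clamped, not trusted.
func (p *PKI) IssueTempCert(req TempCertRequest, challenge []byte, now time.Time) (*x509.Certificate, error) {
	if !p.Valid(req.Badge, now) {
		return nil, errors.New("badge does not chain to the PKI or is outside its validity window")
	}
	badgePub, ok := req.Badge.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(badgePub, h[:], req.ChallengeSig) {
		return nil, errors.New("badge did not prove possession of its private key")
	}
	lifetime := req.Requested
	if lifetime <= 0 || lifetime > TempCertMaxLifetime { lifetime = TempCertMaxLifetime }
	return p.issue(req.Badge.Subject.CommonName, req.SoftPub, now, lifetime)
}

func main() {
	pki, err := NewPKI("Example Corporate Root")
	if err != nil { panic(err) }
	badgeKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays on the badge
	badge, _ := pki.IssueBadgeCert("jdoe", &badgeKey.PublicKey)
	softKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // file-based key on the client
	challenge := []byte("constructed RA nonce")                     // constructed sample input
	sig, _ := BadgeSign(badgeKey, challenge)
	now := time.Now()
	tc, err := pki.IssueTempCert(TempCertRequest{Badge: badge, ChallengeSig: sig, SoftPub: &softKey.PublicKey, Requested: 24 * time.Hour}, challenge, now)
	if err != nil { panic(err) }
	fmt.Printf("TempCert for %s, lifetime %v; usable at +7h: %v, at +9h: %v\n", tc.Subject.CommonName,
		tc.NotAfter.Sub(now).Round(time.Hour), pki.Valid(tc, now.Add(7*time.Hour)), pki.Valid(tc, now.Add(9*time.Hour)))
}
```

Two things a reviewer should look for are both in IssueTempCert: the badge must chain to the trusted root and prove possession of its private key on a fresh challenge (a signature replayed from an earlier challenge is refused), and the requested lifetime is clamped rather than trusted, so a client asking for 24 hours still gets the 8 hours of step 3.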

Slide 13: SMA Elements: HIP

Slide 14: SMA Elements: HIP, HIP Overview
• Background
  – Original concept developed by Bob Moskowitz
  – Currently exists as an IETF "Experimental RFC"
  – Boeing heavily involved in RFC development
    – Linux implementation released as Open Source
    – Windows implementation soon to be released
  – Other major players: Cisco, Ericsson, NEC, Siemens, NTT DoCoMo, universities
• HIP provides opportunistic pair-wise SAs
  – Somewhat like IPsec
  – Client cert retrieved from DNS or LDAP directory
  – SA based on identity, not IP address
  – SA established/managed by a HIP control channel over IP
  – SA data flows through ESP-in-IP packets
  – Mobility events handled in the IP stack via HIP READDR packets

Slide 15: SMA Elements: HIP, HIP-Enabled Secure Communications
Diagram: on both the Initiator and the Responder, the Application sits in user space above PF_INET; the HIP Daemon, also in user space, talks to the kernel IP stack over PF_RAW and to the kernel Key Engine over PF_KEY; IPsec sits in the kernel under the IP stack. The HIP handshake runs daemon to daemon; the ESP data between the two IP stacks is identified by SPI, not by IP address.

Slide 16: SMA Elements: HIP, HIP Handshake (I1)
Initiator → Responder: I1 packet
• Simple packet, contains compressed (hashed) version of the Host Identities
• Opportunity for DoS attack (e.g. TCP SYN flood)

Slide 17: SMA Elements: HIP, HIP Handshake (R1)
Responder → Initiator: R1 packet
• Reply with a stock packet and cookie challenge (no state kept)
• Contains:
  1. Diffie-Hellman public value
  2. Cookie puzzle
  3. Encryption negotiation
  4. Responder's Host Identity
• Is signed by the Responder's Host Identity

Slide 18: SMA Elements: HIP, HIP Handshake (I2)
Initiator → Responder: I2 packet
• Initiator: 1. solve cookie puzzle; 2. generate key material
• Contains:
  1. Diffie-Hellman public value
  2. Cookie solution
  3. Encryption negotiation
  4. IPsec SPI
  5. (Encrypted) Host Identity
  6. (optional) piggybacked data
• Is signed by the Initiator's Host Identity

Slide 19: SMA Elements: HIP, HIP Handshake (R2)
Responder → Initiator: R2 packet
• Responder: 1. validate cookie puzzle; 2. generate key material; 3. install IPsec SA
• Contains:
  1. IPsec SPI
  2. (optional) piggybacked data
• Is signed by the Responder's Host Identity

Slide 20: SMA Elements: HIP, HIP Handshake (complete)
I1 → R1 → I2 → R2, then both sides install the IPsec SA.
• All further packets travel in an IPsec ESP envelope (the Host Identity is implied by the SPI)

Slide 21: SMA Elements: HIP, Host Identity and Host Identity Tag
• Host Identity (HI) is a public/private key pair:
  – Identity defined by the holder of the private key
  – Public key used by others to authenticate control messages
• SHA-1 hash of the public key forms a "Host Identity Tag" (HIT)
  – Used where 128-bit fields are needed
  – Self-referential (i.e., the HIT can be securely used instead of the HI)
• Data packet layout: IP header | IPsec (ESP) header | encrypted header and transport payload
  – HIT is implied by the SPI value in the IPsec header
  – HIP incurs no per-packet overhead
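The four-packet exchange of slides 16 to 20 and the HI/HIT relationship of slide 21 with both sides' messages, as an added example that is not part of the original deck or of the Boeing or IETF HIP implementations. ECDSA P-256 keys stand in for the RSA/DSA Host Identities, X25519 stands in for the MODP Diffie-Hellman group, the HIT is the first 128 bits of SHA-1(HI) without the ORCHID prefix the later RFC adds, the Initiator's HI in I2 is sent in clear rather than encrypted, and the SA key is SHA-256 over the shared secret and both HITs; Host, HandleI1/HandleR1/HandleI2/HandleR2, puzzleK and BaseExchange are this example's own names. One Host type plays either role, as the user-space HIP daemon of slide 15 does.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed model of the HIP base exchange on slides 16-21 (not Boeing or IETF code).
// Assumptions: ECDSA P-256 stands in for the RSA/DSA Host Identities of the HIP drafts, X25519
// for the MODP Diffie-Hellman group, the HIT is the first 128 bits of SHA-1(HI) with no ORCHID
// prefix, the Initiator's HI in I2 travels in clear rather than encrypted, and the SA key is
// SHA-256(DH shared secret | HIT_I | HIT_R).

const puzzleK = 12 // cookie difficulty: the low-order K bits of the puzzle hash must be zero

type HIT [16]byte

func join(b ...[]byte) []byte { return bytes.Join(b, nil) }
func be64(v uint64) []byte    { return binary.BigEndian.AppendUint64(nil, v) }
func hitOf(hi []byte) (h HIT) { d := sha1.Sum(hi); copy(h[:], d[:16]); return h }
func randSPI() uint32         { var b [4]byte; rand.Read(b[:]); return binary.BigEndian.Uint32(b[:]) }

// HostIdentity is the HI key pair; whoever holds the private key is the identity.
type HostIdentity struct{ key *ecdsa.PrivateKey }

func NewHostIdentity() *HostIdentity {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return &HostIdentity{k}
}
func (h *HostIdentity) Public() []byte { b, _ := x509.MarshalPKIXPublicKey(&h.key.PublicKey); return b }
func (h *HostIdentity) HIT() HIT       { return hitOf(h.Public()) }
func (h *HostIdentity) Sign(m []byte) []byte {
	d := sha256.Sum256(m)
	s, _ := ecdsa.SignASN1(rand.Reader, h.key, d[:])
	return s
}
func verify(hi, m, sig []byte) bool { // control messages are authenticated with the peer's public HI
	k, err := x509.ParsePKIXPublicKey(hi)
	pk, ok := k.(*ecdsa.PublicKey)
	d := sha256.Sum256(m)
	return err == nil && ok && ecdsa.VerifyASN1(pk, d[:], sig)
}

// Cookie puzzle: the Initiator must find J such that SHA-1(I | HIT_I | HIT_R | J) ends in K zero bits.
func puzzleOK(I [8]byte, hitI, hitR HIT, J uint64) bool {
	d := sha1.Sum(join(I[:], hitI[:], hitR[:], be64(J)))
	return binary.BigEndian.Uint64(d[12:])&(1<<puzzleK-1) == 0
}
func solvePuzzle(I [8]byte, hitI, hitR HIT) (J uint64) {
	for !puzzleOK(I, hitI, hitR, J) { J++ }
	return J
}

// Packets. Sig in R1 covers everything except HITI, so one signed R1 can be precomputed and reused.
type R1 struct{ HITI, HITR HIT; I [8]byte; DHPub, HI, Sig []byte }
type I2 struct{ HITI, HITR HIT; I [8]byte; J uint64; SPI uint32; DHPub, HI, Sig []byte }
type R2 struct{ HITI, HITR HIT; SPI uint32; Sig []byte }

func (p R1) tbs() []byte { return join(p.HITR[:], p.I[:], p.DHPub, p.HI) }
func (p I2) tbs() []byte { return join(p.HITI[:], p.HITR[:], p.I[:], be64(p.J), be64(uint64(p.SPI)), p.DHPub, p.HI) }
func (p R2) tbs() []byte { return join(p.HITI[:], p.HITR[:], be64(uint64(p.SPI))) }

// SA is the IPsec state each side installs; ESP data packets afterwards carry only the SPI.
type SA struct{ PeerHIT HIT; PeerHI []byte; InSPI, OutSPI uint32; Key []byte }

func keymat(dh *ecdh.PrivateKey, peerPub []byte, hitI, hitR HIT) ([]byte, error) {
	pk, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil { return nil, err }
	shared, err := dh.ECDH(pk)
	k := sha256.Sum256(join(shared, hitI[:], hitR[:]))
	return k[:], err
}

// Host plays either role. It holds one precomputed R1 and creates no per-peer state until a valid I2 arrives.
type Host struct{ hi *HostIdentity; dh *ecdh.PrivateKey; stock R1; initSA *SA; SAs map[uint32]*SA }

func NewHost() *Host {
	h := &Host{hi: NewHostIdentity(), SAs: map[uint32]*SA{}}
	h.dh, _ = ecdh.X25519().GenerateKey(rand.Reader)
	h.stock = R1{HITR: h.hi.HIT(), DHPub: h.dh.PublicKey().Bytes(), HI: h.hi.Public()}
	rand.Read(h.stock.I[:])
	h.stock.Sig = h.hi.Sign(h.stock.tbs())
	return h
}

// I1 -> R1: reply with the stock packet; nothing is stored, so an I1 flood costs the Responder no memory.
func (h *Host) HandleI1(hitI HIT) R1 { p := h.stock; p.HITI = hitI; return p }

// R1 -> I2: check that the HI hashes to the HIT we asked for (HITs are self-certifying), verify
// the signature, solve the puzzle, derive keys and pick our inbound SPI.
func (h *Host) HandleR1(p R1) (I2, error) {
	if p.HITI != h.hi.HIT() || hitOf(p.HI) != p.HITR || !verify(p.HI, p.tbs(), p.Sig) {
		return I2{}, errors.New("R1: HI does not match HIT or bad signature")
	}
	key, err := keymat(h.dh, p.DHPub, p.HITI, p.HITR)
	if err != nil { return I2{}, err }
	h.initSA = &SA{PeerHIT: p.HITR, PeerHI: p.HI, InSPI: randSPI(), Key: key}
	out := I2{HITI: p.HITI, HITR: p.HITR, I: p.I, J: solvePuzzle(p.I, p.HITI, p.HITR),
		SPI: h.initSA.InSPI, DHPub: h.dh.PublicKey().Bytes(), HI: h.hi.Public()}
	out.Sig = h.hi.Sign(out.tbs())
	return out, nil
}

// I2 -> R2: the cheap puzzle check comes before any signature work; only then is an SA installed.
func (h *Host) HandleI2(p I2) (R2, error) {
	if p.HITR != h.hi.HIT() || p.I != h.stock.I || !puzzleOK(p.I, p.HITI, p.HITR, p.J) {
		return R2{}, errors.New("I2: wrong puzzle nonce or solution")
	}
	if hitOf(p.HI) != p.HITI || !verify(p.HI, p.tbs(), p.Sig) {
		return R2{}, errors.New("I2: HI does not match HIT or bad signature")
	}
	key, err := keymat(h.dh, p.DHPub, p.HITI, p.HITR)
	if err != nil { return R2{}, err }
	sa := &SA{PeerHIT: p.HITI, PeerHI: p.HI, InSPI: randSPI(), OutSPI: p.SPI, Key: key}
	h.SAs[sa.InSPI] = sa // first per-peer state on the Responder
	out := R2{HITI: p.HITI, HITR: p.HITR, SPI: sa.InSPI}
	out.Sig = h.hi.Sign(out.tbs())
	return out, nil
}

// R2: verify with the HI learned from R1, record the peer's SPI, install the SA.
func (h *Host) HandleR2(p R2) (*SA, error) {
	sa := h.initSA
	if sa == nil || p.HITR != sa.PeerHIT || p.HITI != h.hi.HIT() || !verify(sa.PeerHI, p.tbs(), p.Sig) {
		return nil, errors.New("R2: no exchange in progress or bad signature")
	}
	sa.OutSPI, h.initSA, h.SAs[sa.InSPI] = p.SPI, nil, sa
	return sa, nil
}

// BaseExchange runs I1/R1/I2/R2 with a as Initiator and b as Responder and returns both installed SAs.
func BaseExchange(a, b *Host) (*SA, *SA, error) {
	i2, err := a.HandleR1(b.HandleI1(a.hi.HIT()))
	if err != nil { return nil, nil, err }
	r2, err := b.HandleI2(i2)
	if err != nil { return nil, nil, err }
	sa, err := a.HandleR2(r2)
	return sa, b.SAs[r2.SPI], err
}

func main() {
	a, b, err := BaseExchange(NewHost(), NewHost())
	if err != nil { panic(err) }
	fmt.Printf("SA up: SPIs %#x/%#x, both sides derived the same key: %v\n", a.InSPI, b.InSPI, bytes.Equal(a.Key, b.Key))
}
```

The stock R1 is the DoS property of slide 17: HandleI1 copies a precomputed, pre-signed packet and stores nothing, and the Responder allocates an SA only after the puzzle solution and the I2 signature verify. The self-certification check in HandleR1 (the HIT asked for must equal the hash of the HI that signed R1) is what lets a HIT fetched from DNS or LDAP be trusted in place of the full HI, which is the "self-referential" point of slide 21.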

Slide 22: SMA Elements: NDS

Slide 23: SMA Elements: NDS, Directory Information Flow
• Support for real-time endpoint mobility and location data
• Future integration with Boeing DNS and directory (CED, NAMS-ng) infrastructure
Diagram elements: Directory, Policy Decision Daemon, Location Server, DNS Proxy, Middleboxes, DNS, DDNS, Enterprise Client, Security Perimeter, and an external Client reaching the Directory over SLDAP.

Slide 24: SMA Elements: NDS, Directory Schema
• Three separate LDAP root directories
  – People: similar to CED/BLUES
  – Hosts: similar to DNS host data; includes Certificate, HIT and current Location
  – Policy: currently allowed/not-allowed location regions in the building

Slide 25: SMA Elements: NDS, Two-Stage Client Provisioning
Diagram: a generic ISP provisioning process (Client associates over 802.11 to the Access Point; AAA Server, DHCP Server, DNS) followed by the Enterprise provisioning process (Client reaches the RA over TLS; RA and Directory linked by SLDAP).
1) HardCert authentication for TempCert
2) Identity/IP update in the Directory

Slide 26: SMA Elements: LENS

Slide 27: SMA Elements: LENS, Location Tracking
• Identity associated with connections
  – So we already know the "who", just need the "where"
• Several competing wireless location technologies
  – Airespace
  – Pango
  – AeroScout
  – WhereNet
• Confusion between 802.11 tracking and RFID tag tracking
  – We are focusing on 802.11 tracking, including 802.11 active tags
• Location Services
  – Required E911 services
  – Smart services: printing, paging, workflow tracking
  – Location policy enforcement, e.g. no wireless access outside of the Boeing property line

Slide 28: SMA Elements: LENS, Location Architecture
Diagram elements (on the Boeing Intranet): Passive Tag Gate, Location Computation Server, Location Distribution Server & Policy Directory, Location Requesting Client.

Slide 29: SMA Elements (summary, same as Slide 8)

Slide 30: Agenda (Demonstration)

Slide 31: Demonstration Infrastructure
Diagram: a Router connects the Boeing Intranet to the 130.42.32.0/24 demo subnet. On the subnet: access points (AP) with an Airespace controller, DHCP, TempCert RA, DNS, Location Server, Test RADIUS Server (33-12), Directory, AAA Server, LPDD, and the clients smamobile1 … sma4.
DNS namespace: mobile.tl.boeing.com

Slide 32: Demonstration: Two-Stage Provisioning Process
Diagram: ISP provisioning process: smamobile1 authenticates through the Airespace access point to RADIUS using WPA (EAP/TLS) and obtains an address from the DHCP Server (1). Enterprise provisioning process: smamobile1 reaches the RA over TLS across the Security Perimeter; RA and Directory are linked by SLDAP; DNS is updated (2).
1) HardCert authentication for a delegated TempCert
2) Identity/IP update

Slide 33: Demonstration: Mobility Event
• Wireless client experiences an address change
  – Address change forced by the DHCP server for the demo
  – Client auto-updates Directory/DNS with the new IP
  – Client notifies existing SA peers using HIP READDR packets
  – SSH from Windows to the wireless client dies after the address change
  – TELNET session data continues after the address change
• Future: faster address change
  – Multi-homed clients
  – Anticipatory readdressing (802.11k)
  – Legacy client shim to support UDP "connections"

Slide 34: Demonstration: Location Policy Enforcement
• Wireless client "moves" into a disallowed location zone
  – Airespace location server not working
  – We simulate location changes today using a prototype GUI
• Peer's location policy enforcement
  – Peer's PED sees the new location in a disallowed region
  – Peer deletes the existing SA
  – Peer refuses new client SA requests from disallowed regions
  – Peer moves back into an allowed region: SA automatically re-established
• Future
  – Improved location server capabilities
  – Middlebox policy enforcement: don't depend on peers

Slide 35: Demonstration: Rule-Based Policy Enforcement
• Simple case:
  – All connections associated with a particular employee are invalidated
  – Manual "GUI" interface used for now
• Future:
  – Particular identities limited to particular connections
    – Factory Autonomous Wireless Devices (AWDs)
    – Suppliers, vendors, guests/visitors
    – Machines not up to date with AV software only allowed to reach the AV update server
• Limitations:
  – This only limits pair-wise peer connections
  – Does not address file-content limitations (e.g., ITAR documents)
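The SA-table side of the three demonstration events (address change on slide 33, location policy on slide 34, rule-based invalidation on slide 35), as an added example that is not part of the original deck or of Boeing's policy daemon. It assumes READDR packets reach the daemon already authenticated by the HIP daemon (the signature logic is not repeated here), keeps regions and policy as plain strings rather than directory entries, and uses RFC 5737 documentation addresses for its constructed sample; PolicyDaemon, AdmitSA, Lookup, OnReaddr, OnLocation and RevokeIdentity are this example's own names.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Constructed model of the demonstration events on slides 33-35 (not Boeing code).
// Assumptions: the policy decision daemon owns the HIP SA table, READDR packets arrive already
// authenticated by the HIP daemon (the signature check is not repeated here), and location regions
// and policy are plain strings rather than directory entries. Addresses below are RFC 5737 samples.

type HIT [16]byte

// SA is one HIP/IPsec security association. Identity (PeerHIT, Owner) is fixed for its lifetime;
// the locator (PeerAddr) and the reported Region are what change while the client moves.
type SA struct {
	PeerHIT  HIT
	Owner    string     // identity the peer's HI was provisioned to, e.g. an employee
	PeerAddr netip.Addr // current locator, learned from the base exchange or a READDR
	Region   string     // last location reported by the location server
}

type PolicyDaemon struct {
	SAs        map[uint32]*SA  // keyed by inbound SPI, which is all an ESP packet carries
	Disallowed map[string]bool // location regions from the policy directory
	Revoked    map[string]bool // identities whose connections have been invalidated
}

func NewPolicyDaemon(disallowed ...string) *PolicyDaemon {
	p := &PolicyDaemon{SAs: map[uint32]*SA{}, Disallowed: map[string]bool{}, Revoked: map[string]bool{}}
	for _, r := range disallowed {
		p.Disallowed[r] = true
	}
	return p
}

// AdmitSA runs when a new SA request arrives: policy is evaluated on identity and location,
// never on the address the request came from.
func (p *PolicyDaemon) AdmitSA(spi uint32, sa SA) error {
	switch {
	case p.Revoked[sa.Owner]:
		return fmt.Errorf("identity %q is revoked", sa.Owner)
	case p.Disallowed[sa.Region]:
		return fmt.Errorf("peer is in disallowed region %q", sa.Region)
	case p.SAs[spi] != nil:
		return errors.New("SPI already in use")
	}
	p.SAs[spi] = &sa
	return nil
}

// Lookup resolves an inbound ESP packet by SPI alone; the packet's source address is not consulted.
func (p *PolicyDaemon) Lookup(spi uint32) (*SA, bool) { sa, ok := p.SAs[spi]; return sa, ok }

// OnReaddr is the mobility event of slide 33: the peer's IP changed, the SA and its SPI survive.
func (p *PolicyDaemon) OnReaddr(spi uint32, newAddr netip.Addr) error {
	sa, ok := p.SAs[spi]
	if !ok {
		return errors.New("READDR for unknown SPI")
	}
	sa.PeerAddr = newAddr
	return nil
}

// OnLocation is the location update of slide 34: every SA with that peer takes the new region,
// and SAs whose peer is now in a disallowed region are deleted.
func (p *PolicyDaemon) OnLocation(peer HIT, region string) (deleted []uint32) {
	for spi, sa := range p.SAs {
		if sa.PeerHIT != peer {
			continue
		}
		sa.Region = region
		if p.Disallowed[region] {
			delete(p.SAs, spi)
			deleted = append(deleted, spi)
		}
	}
	return deleted
}

// RevokeIdentity is the rule-based case of slide 35: all connections of one identity are
// invalidated at once and later SA requests from that identity are refused.
func (p *PolicyDaemon) RevokeIdentity(owner string) (deleted []uint32) {
	p.Revoked[owner] = true
	for spi, sa := range p.SAs {
		if sa.Owner == owner {
			delete(p.SAs, spi)
			deleted = append(deleted, spi)
		}
	}
	return deleted
}

func main() {
	p := NewPolicyDaemon("outside-property-line")
	peer := HIT{0x01, 0x02, 0x03} // constructed HIT
	_ = p.AdmitSA(0x1001, SA{PeerHIT: peer, Owner: "jdoe", PeerAddr: netip.MustParseAddr("192.0.2.10"), Region: "bldg-33"})
	_ = p.OnReaddr(0x1001, netip.MustParseAddr("192.0.2.77")) // DHCP-forced address change
	sa, _ := p.Lookup(0x1001)
	fmt.Println("after READDR the SA is intact, peer now at", sa.PeerAddr)
	fmt.Println("SAs deleted when the peer leaves the property:", p.OnLocation(peer, "outside-property-line"))
	fmt.Println("new SA request from there:", p.AdmitSA(0x1002, SA{PeerHIT: peer, Owner: "jdoe", Region: "outside-property-line"}))
}
```

Lookup takes only the SPI, so the TELNET session of slide 33 survives OnReaddr untouched, while any state keyed on the peer's address would have to be rebuilt. The decisions in AdmitSA, OnLocation and RevokeIdentity are keyed on HIT and owner identity, which is the "identity, not IP or MAC" point made later on slide 38.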

Slide 36: Agenda (Application to Boeing Enterprise)

Slide 37: Application to Boeing Enterprise: Advantages
• Secure, identity-based client-to-client communications
  – Allows moving most hosts outside of the security perimeter
  – Office/home/Starbucks connections essentially identical
• Backwards compatible
  – Works within the existing IP network and routing architecture
  – Non-HIP-aware hosts could still be allowed, depending on network policy
• Mobile
  – HIP's multi-homing capability allows hosts to seamlessly cross subnet boundaries or even wireless domains (802.11, cellular, etc.)
  – Key enabler for VoIP over WLAN ("VoWLAN")
    – High-speed roaming across subnets and network domains
    – Inexpensive IP telephony for the factory

Slide 38: Application to Boeing Enterprise: Advantages (cont.)
• Network-based policy enforcement using middleboxes
  – Allows connectivity limits using identity, not IP or MAC: smarter and easier to manage than ACLs
  – Allows special policies/limitations for classes of hosts/users
    – AWDs like printers, machine tools, etc.
    – Users like vendors, suppliers, guests
• Delegatable authorization through PKI
  – A supervisor can set up a new AWD machine tool on the network with predefined limited access; no NCC interaction required
  – Cross-trust relationships with vendors, suppliers, DoD, etc. automatically reflected in network policy
• Works seamlessly across IPv4/IPv6 connections
  – Applications use the DNS namespace for connections, not IP addresses

Slide 39: Application to Boeing Enterprise: Challenges
• Bringing HIP onto the IETF Standards track
  – Much depends on the success of early adopters
• Integrating the SMA architecture into the Boeing Enterprise
  – Affects Directory Services, Perimeter Security, Wireless Services, NAMS[ng], etc.
  – Windows modules would have to be included in standard computing images
  – Backwards-compatibility hardware needed for legacy equipment
• Scalability
  – DNS/Directory query traffic
    – Publish/subscribe architecture for location and PDP/PEP?
    – Reverse lookups
  – Rendezvous Server implementation
  – NAT support

Slide 40: Agenda (CY'05 plans)

Slide 41: CY'05 Plans
• Development activities
  – Integration of the Windows HIP client
  – Preliminary implementation of the new HIP API
  – Legacy API shim for Windows and Linux platforms
  – Publish/subscribe architecture for directory changes
  – SIM-chip-based wireless bridge device prototype for AWDs
  – Prototype middlebox for network policy enforcement
• Pilot SMA evaluations in Bellevue and Everett
  – Move to the production DNS namespace (mobile.boeing.com)
  – 802.11 location services interoperating with Cisco infrastructure (probably AeroScout)
  – Security review and buy-off for external access
  – Detailed business case development and analysis

Slide 42: Q&A