

• Number of slides: 22

Update on the UMU Dynamic VPN R&D Work – November 2003
Antonio F. Gomez Skarmeta, Gregorio Martinez
University of Murcia (UMU), SPAIN

Agenda
• Reminder from the July '03 Meeting
• UMU-PKIv6: Update on the Status
• UMU-PBNM: Update on the Status
• Collaboration Plans

UMU-PBNM Main Objective
• Design and set up a security framework to manage distributed communication systems using the PBNM paradigm
• Features:
  – Flexible
  – Secure
  – Service- and application-independent
  – Standards-based
  – IP-based
• In collaboration with UCL-CS (through the Euro6IX and 6NET project collaboration, and the SEINIT project)

UMU-PBNM Proposed Architecture
Components shown in the architecture diagram (figure not preserved):
• Cryptographic Middleware
• UMU-PKIv6
• Java Card
• Trust Management System
• Policy Language
• UMU-PBNM (Policy Console, PMT, PDP, PEP)
• Policy Management Framework
• IPsec Security Services
• Network Layer Security Services

General Architecture (diagram only; figure not preserved)

Policy Management Process (diagram with numbered steps 1–7; figure not preserved)

Monitoring Process (diagram with numbered steps 1–4; figure not preserved)


UMU-PKIv6 v7.1.2
• Installation process highly improved (thanks to feedback from UCL-CS and NRNS/DRDC-RDDC)
• Version 7.1.2, supporting:
  – WinCE-compatible devices (PDAs, mobile phones, etc.)
  – SSH/SCP
  – PKCS#10 and KEYGEN (Netscape) requests
  – Support of DNSsec
  – New debug mode
• New version (v7.2.0) will be released this week:
  – OCSP and TSP applets automatically signed during the installation process
  – Log management from the web


Policy Language
• Definition of XML schemas from the IETF IPsec PIB
• Extension of the UMU-PBNM to support IPsec policies for:
  – Linux FreeS/WAN (in both IPv4 and IPv6)
  – FreeBSD (in both IPv4 and IPv6)

UMU-PBNM Internal Components
• COPS:
  – Porting of the VOCAL 1.5 COPS implementation to IPv6 (in C++)
  – UMU-jCOPS (University of Murcia – Java COPS) implementation
    • Definition of all the COPS and COPS-PR messages
    • Definition of two APIs, allowing the definition of any kind of (security, QoS, mobility, routing, etc.) PDP or PEP:
      – At the message level
      – At the functionality level
    • Interoperable with the VOCAL 1.5 COPS implementation

UMU-PBNM Internal Components (and II)
• UMU-jCOPS packages: brief description (package diagram not preserved)


X-Bone v3.0-beta – UMU-PKIv6 – UMU-PBNM
• X-Bone v3.0-beta being tested in our labs
• Evaluation plan:
  – With UMU-PKIv6
    • Using UMU-PKIv6 certificates (with IPv6 addresses in the DN field) in every X-Bone node
    • Check how the DNSsec support of both systems can be integrated
    • Analyse the use of attribute certificates in the X-Bone
  – With UMU-PBNM
    • Analysing elements in X-Bone that can be dynamically managed by the UMU-PBNM proposed architecture
  – Inter-site testbed
    • Interest from UCL-CS and UMU to set up an inter-site testbed over IPv6
    • Any other interested??

DVC – UMU-PKIv6
• DVC 0.0.2a being tested in our labs
• DVC needs:
  – Provision of PKI + KMS functionalities
  – IPv6 support
• DVC required features: automated …
  – certificate enrolment
  – certificate renewal
  – certificate revocation
  – certificate status checking
  – cross-certification

DVC – UMU-PKIv6 (II)
• UMU-PKIv6 currently offers:
  – Automated certificate enrolment and revocation
    • SCEP server (SCEP draft version 0.5)
    • SSH server
  – Certificate status checking
    • CRLs published in LDAP servers
    • OCSP server
  – Cross-certification
  – Certificate renewal missing!!
• Additional components:
  – UMU-jSCEP: Java SCEP client
  – UMU-jOCSP: Java OCSP
  – Java SSH client
• Being currently used with:
  – CISCO routers (SCEP-based)
  – 6WIND routers (SSH-based)

DVC – UMU-PKIv6 (and III)
• Decisions to be taken:
  – Support of ARLs (Authority Revocation Lists)
    • Why?: to provide the status of cross-certificates
    • DVC: has to evaluate the need of supporting them
    • UMU-PKIv6: has to improve its support of ARLs
  – Use of DNSsec
    • Why?: dynamic provision of security information
    • DVC: has to study the interest in this
    • UMU-PKIv6: feature already supported
  – The use of the PKIX-CMP protocol
    • Why?: providing complete certificate lifecycle management
    • DVC: defined as an interesting feature
    • UMU-PKIv6: implementation already started (both modes: simple and full)

For anyone interested in collaborating, integrating and/or testing …
• The UMU-PKIv6 v7.2.0
• The UMU-PBNM, or any of its components (e.g. VPN Enforcement Tool, UMU-jCOPS, etc.)
• Any other idea/line regarding the dynamic management of VPNs
please send us an email to Antonio F. Gomez Skarmeta and/or Gregorio Martinez
Thanks!!!