SlideShare a Scribd company logo
©PredictableNetworkSolutionsLtd2016
RINA and Security
Security and RINA
Peter Thompson | CTO | Predictable Network Solutions
SDN World Congress 2016, The Hague, October 2016
©PredictableNetworkSolutionsLtd2016
RINA and Security
2
Current networks struggle with managing
connectivity/association
• Implicit association forces ad-hoc
solutions
• 802.1X
• NAT/Firewalls
• Managing the configuration of these
mechanisms is complex
• Errors are easy to make and hard to fix
• Typical node attributes are easily
spoofed
• E.g. MAC address
RINA provides a framework to control
association
• RINA protects layers instead of protocols
• Addressing scope is contained within DIFs
• DIFs are securable containers, replacing
firewalls
• Policy-based Authentication and
Authorisation models
• Enrollment in DIF
• Connection between processes
• All centrally managed via policies
• Allows Capability-based Access Control
Managing connectivity/association
©PredictableNetworkSolutionsLtd2016
RINA and Security
3Protecting layers instead of protocols
Operating on the
IPCP’s RIB
Access control
Sending/receiving PDUs
through N-1 DIF
Confidentiality, integrity
N DIF
N-1 DIF
IPC
Process
IPC
Process
IPC
Process
IPC
Process
Joining a DIF
authentication, access
control
Sending/receiving PDUs
through N-1 DIF
Confidentiality, integrity
Operating on the
IPCP’s RIB
Access control
IPC
Process
Appl.
Process
Access control
(DIF members)
Confidentiality, integrity
Authentication
Access control
Operations on RIB
DIF Operation
Logging
DIF Operation
Logging
The architecture specifies where security-related functions are placed:
All layers have the same mechanisms, programmable via policies.
©PredictableNetworkSolutionsLtd2016
RINA and Security
4Separation of mechanism from policy
4
IPC API
Data Transfer Data Transfer Control Layer Management
SDU Delimiting
Data Transfer
Relaying and Multiplexing
SDU Protection
Retransmission Control
Flow Control
RIB Daemon
RIB
CDAP Parser/Generator
CACEP
Enrollment
Flow Allocation
Resource Allocation
Routing
Authentication
StateVector
StateVector
StateVector
Data TransferData Transfer
Retransmission ControlRetransmission Control
Flow Control
Flow Control
Namespace Management Security Management
Authentication
Access control (layer mgmt
operations)
Access control
(joining the DIF)
Coordination of security functionsConfidentiality,
Integrity
• Don’t specify/implement security protocols, only security policies
• Re-use common layer structure, re-use security policies across layers
• Only 2 protocols: EFCP for data transfer, CDAP for layer management
• This approach greatly simplifies the network structure, minimizing the cost
of security and improving the security level
• “Complexity is the worst enemy of security” (B. Schneier)
©PredictableNetworkSolutionsLtd2016
RINA and Security
5
Combines:
• Adaptive and dynamic nature of
ABAC model and
• Fine-grained authorization
provided by the CBAC model.
Exploits RINA layer management
functions
• Generic solution able to secure
any management layer function
• E.g. routing or flow allocation
New access control architecture in PRISTINE
©PredictableNetworkSolutionsLtd2016
RINA and Security
6
• Key material kept separate
• Secure even if the management system
is compromised
• Hierarchical structure
• Scalability from delegation
• Allows multi-tenant operation
• Can integrate with existing key-
management systems
• ‘Key containers’ in the RIB
• Contain key state
• No private key material
• Physical deployment depends on the
level of trust of the environment
• Reliable time-of-day clocks?
• TPMs?
Key management architecture
©PredictableNetworkSolutionsLtd2016
RINA and Security
10
Resilient Routing
• Loop-free Alternate (LFA) fast re-route
• Routing table changes driven from RIB
events
• N-1 flow up
• N-1 flow down
• Flow State Database changed
• Shown that distributed application
exchanging messages between nodes is not
affected by failure of links.
• Whatever-cast
• Transparent data replication
Load distribution/balancing
• No new components required
• Server clusters belong to a single DAF
• Exchange loading information
• DAPs can be (de)provisioned as required
• Distribution decisions can be taken in
several locations
• Choice depends on specifics of the scenario
• Based on configurable policies
Resiliency in RINA
©PredictableNetworkSolutionsLtd2016
RINA and Security
11Demo: Service provider network
• Show that rogue customers / peers could only compromise e-mall DIFs
• And to do that they would need access to the key material providing authentication and SDU
Protection policies are in place
• Show asymetric key (RSA) and cryptographic SDU protection policies in action
Access
router
PtP DIF
CPE
Edge
Service
Router
MAN P.E
MAN P. E.
MAN Access DIF
PtP DIF PtP DIFPtP DIF
PtP DIF
Host
Core Backbone DIF
PtP DIF
Core router Core router Edge
Router
Edge Router
Customer network ISP 2ISP 1 network
Access Aggregation Service Edge Core Internet Edge
PtP DIF PtP DIF PtP DIF
Service Provider Top Level DIF
E-mall 1 DIF
PtP DIF
E-mall 2 DIF
attacker
attacker
attacker
©PredictableNetworkSolutionsLtd2016
RINA and Security
12Demo observation points
Layout of physical systems
• Observe behaviour of
authentication and SDU
Protection policies
• Flows over e-mall1 DIF
• Flows over e-mall2 DIF
©PredictableNetworkSolutionsLtd2016
RINA and Security
13
Peter.Thompson@pnsol.com
www.pnsol.com
http://ict-pristine.eu

More Related Content

What's hot

2016 06-10-ieee-sdn (1)
2016 06-10-ieee-sdn (1)2016 06-10-ieee-sdn (1)
2016 06-10-ieee-sdn (1)
ICT PRISTINE
 
EU-Taiwan Workshop on 5G Research, PRISTINE introduction
EU-Taiwan Workshop on 5G Research, PRISTINE introductionEU-Taiwan Workshop on 5G Research, PRISTINE introduction
EU-Taiwan Workshop on 5G Research, PRISTINE introduction
ICT PRISTINE
 
PRISTINE presentation at the Net-Tech Future Coordination meeting
PRISTINE presentation at the Net-Tech Future Coordination meetingPRISTINE presentation at the Net-Tech Future Coordination meeting
PRISTINE presentation at the Net-Tech Future Coordination meeting
ICT PRISTINE
 
PRISTINE @ FIA Athens 2014
PRISTINE @ FIA Athens 2014PRISTINE @ FIA Athens 2014
PRISTINE @ FIA Athens 2014
ICT PRISTINE
 
Multi-operator "IPC" VPN Slices: Applying RINA to Overlay Networking
Multi-operator "IPC" VPN Slices: Applying RINA to Overlay NetworkingMulti-operator "IPC" VPN Slices: Applying RINA to Overlay Networking
Multi-operator "IPC" VPN Slices: Applying RINA to Overlay Networking
ARCFIRE ICT
 
Pristine rina-security-icc-2016
Pristine rina-security-icc-2016Pristine rina-security-icc-2016
Pristine rina-security-icc-2016
ICT PRISTINE
 
Rina acc-icc16-stein
Rina acc-icc16-steinRina acc-icc16-stein
Rina acc-icc16-stein
ICT PRISTINE
 
Eucnc rina-tutorial
Eucnc rina-tutorialEucnc rina-tutorial
Eucnc rina-tutorial
ICT PRISTINE
 
RINA as a Clean-Slate Approach to Software Networks
RINA as a Clean-Slate Approach to Software Networks RINA as a Clean-Slate Approach to Software Networks
RINA as a Clean-Slate Approach to Software Networks
ICT PRISTINE
 
Pristine rina-tnc-2016
Pristine rina-tnc-2016Pristine rina-tnc-2016
Pristine rina-tnc-2016
ICT PRISTINE
 
3. RINA use cases, results, benefits
3. RINA use cases, results, benefits3. RINA use cases, results, benefits
3. RINA use cases, results, benefits
ARCFIRE ICT
 
Congestion Control in Recursive Network Architectures
Congestion Control in Recursive Network ArchitecturesCongestion Control in Recursive Network Architectures
Congestion Control in Recursive Network Architectures
ICT PRISTINE
 
Rlite software-architecture (1)
Rlite software-architecture (1)Rlite software-architecture (1)
Rlite software-architecture (1)
ARCFIRE ICT
 
4. Clearwater on rina
4. Clearwater on rina4. Clearwater on rina
4. Clearwater on rina
ARCFIRE ICT
 
First Contact: Can Switching to RINA save the Internet?
First Contact: Can Switching to RINA save the Internet?First Contact: Can Switching to RINA save the Internet?
First Contact: Can Switching to RINA save the Internet?
ARCFIRE ICT
 
Rina2020 michal
Rina2020 michalRina2020 michal
Rina2020 michal
Eduard Grasa
 
Rina2020 taps rina-ocarina (1)
Rina2020 taps rina-ocarina (1)Rina2020 taps rina-ocarina (1)
Rina2020 taps rina-ocarina (1)
Eduard Grasa
 
Pristine glif 2015
Pristine glif 2015Pristine glif 2015
Pristine glif 2015
ICT PRISTINE
 
1. RINA motivation - TF Workshop
1. RINA motivation - TF Workshop1. RINA motivation - TF Workshop
1. RINA motivation - TF Workshop
ARCFIRE ICT
 
RINA research results - NGP forum - SDN World Congress 2017
RINA research results - NGP forum - SDN World Congress 2017RINA research results - NGP forum - SDN World Congress 2017
RINA research results - NGP forum - SDN World Congress 2017
ARCFIRE ICT
 

What's hot (20)

2016 06-10-ieee-sdn (1)
2016 06-10-ieee-sdn (1)2016 06-10-ieee-sdn (1)
2016 06-10-ieee-sdn (1)
 
EU-Taiwan Workshop on 5G Research, PRISTINE introduction
EU-Taiwan Workshop on 5G Research, PRISTINE introductionEU-Taiwan Workshop on 5G Research, PRISTINE introduction
EU-Taiwan Workshop on 5G Research, PRISTINE introduction
 
PRISTINE presentation at the Net-Tech Future Coordination meeting
PRISTINE presentation at the Net-Tech Future Coordination meetingPRISTINE presentation at the Net-Tech Future Coordination meeting
PRISTINE presentation at the Net-Tech Future Coordination meeting
 
PRISTINE @ FIA Athens 2014
PRISTINE @ FIA Athens 2014PRISTINE @ FIA Athens 2014
PRISTINE @ FIA Athens 2014
 
Multi-operator "IPC" VPN Slices: Applying RINA to Overlay Networking
Multi-operator "IPC" VPN Slices: Applying RINA to Overlay NetworkingMulti-operator "IPC" VPN Slices: Applying RINA to Overlay Networking
Multi-operator "IPC" VPN Slices: Applying RINA to Overlay Networking
 
Pristine rina-security-icc-2016
Pristine rina-security-icc-2016Pristine rina-security-icc-2016
Pristine rina-security-icc-2016
 
Rina acc-icc16-stein
Rina acc-icc16-steinRina acc-icc16-stein
Rina acc-icc16-stein
 
Eucnc rina-tutorial
Eucnc rina-tutorialEucnc rina-tutorial
Eucnc rina-tutorial
 
RINA as a Clean-Slate Approach to Software Networks
RINA as a Clean-Slate Approach to Software Networks RINA as a Clean-Slate Approach to Software Networks
RINA as a Clean-Slate Approach to Software Networks
 
Pristine rina-tnc-2016
Pristine rina-tnc-2016Pristine rina-tnc-2016
Pristine rina-tnc-2016
 
3. RINA use cases, results, benefits
3. RINA use cases, results, benefits3. RINA use cases, results, benefits
3. RINA use cases, results, benefits
 
Congestion Control in Recursive Network Architectures
Congestion Control in Recursive Network ArchitecturesCongestion Control in Recursive Network Architectures
Congestion Control in Recursive Network Architectures
 
Rlite software-architecture (1)
Rlite software-architecture (1)Rlite software-architecture (1)
Rlite software-architecture (1)
 
4. Clearwater on rina
4. Clearwater on rina4. Clearwater on rina
4. Clearwater on rina
 
First Contact: Can Switching to RINA save the Internet?
First Contact: Can Switching to RINA save the Internet?First Contact: Can Switching to RINA save the Internet?
First Contact: Can Switching to RINA save the Internet?
 
Rina2020 michal
Rina2020 michalRina2020 michal
Rina2020 michal
 
Rina2020 taps rina-ocarina (1)
Rina2020 taps rina-ocarina (1)Rina2020 taps rina-ocarina (1)
Rina2020 taps rina-ocarina (1)
 
Pristine glif 2015
Pristine glif 2015Pristine glif 2015
Pristine glif 2015
 
1. RINA motivation - TF Workshop
1. RINA motivation - TF Workshop1. RINA motivation - TF Workshop
1. RINA motivation - TF Workshop
 
RINA research results - NGP forum - SDN World Congress 2017
RINA research results - NGP forum - SDN World Congress 2017RINA research results - NGP forum - SDN World Congress 2017
RINA research results - NGP forum - SDN World Congress 2017
 

Viewers also liked

The hague rina-workshop-welcome-miguel
The hague rina-workshop-welcome-miguelThe hague rina-workshop-welcome-miguel
The hague rina-workshop-welcome-miguel
ICT PRISTINE
 
Assuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQ
Assuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQAssuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQ
Assuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQ
ICT PRISTINE
 
A Wake-Up Call for IoT
A Wake-Up Call for IoT A Wake-Up Call for IoT
A Wake-Up Call for IoT
Ahmed Banafa
 
10 myths about cloud computing
10 myths about cloud computing10 myths about cloud computing
10 myths about cloud computing
Ahmed Banafa
 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OS
ICT PRISTINE
 
3 addressingthe problem130123
3 addressingthe problem1301233 addressingthe problem130123
3 addressingthe problem130123
Eleni Trouva
 
Rina sim workshop
Rina sim workshopRina sim workshop
Rina sim workshop
ICT PRISTINE
 
Irati goals and achievements - 3rd RINA Workshop
Irati goals and achievements - 3rd RINA WorkshopIrati goals and achievements - 3rd RINA Workshop
Irati goals and achievements - 3rd RINA Workshop
Eleni Trouva
 
Data Science in Industry - Applying Machine Learning to Real-world Challenges
Data Science in Industry - Applying Machine Learning to Real-world ChallengesData Science in Industry - Applying Machine Learning to Real-world Challenges
Data Science in Industry - Applying Machine Learning to Real-world Challenges
Yuchen Zhao
 
Anomaly detection and root cause analysis in distributed application transact...
Anomaly detection and root cause analysis in distributed application transact...Anomaly detection and root cause analysis in distributed application transact...
Anomaly detection and root cause analysis in distributed application transact...
Yuchen Zhao
 
Rina IRATI GLIF Singapore 2013
Rina IRATI GLIF Singapore 2013Rina IRATI GLIF Singapore 2013
Rina IRATI GLIF Singapore 2013
Eleni Trouva
 
RINA: Update on research and prototyping activities. Global Future Internet W...
RINA: Update on research and prototyping activities. Global Future Internet W...RINA: Update on research and prototyping activities. Global Future Internet W...
RINA: Update on research and prototyping activities. Global Future Internet W...
Eleni Trouva
 
Experimental evaluation of a RINA prototype - GC 2014
Experimental evaluation of a RINA prototype - GC 2014Experimental evaluation of a RINA prototype - GC 2014
Experimental evaluation of a RINA prototype - GC 2014
Eleni Trouva
 
How Artificial Intelligence Will Kickstart the Internet of Thnigs
How Artificial Intelligence Will Kickstart the Internet of Thnigs How Artificial Intelligence Will Kickstart the Internet of Thnigs
How Artificial Intelligence Will Kickstart the Internet of Thnigs
Ahmed Banafa
 
IRATI Experimentation, US-EU FIRE Workshop
IRATI Experimentation, US-EU FIRE WorkshopIRATI Experimentation, US-EU FIRE Workshop
IRATI Experimentation, US-EU FIRE Workshop
Eleni Trouva
 
Unreliable inter process communication in Ethernet: Migrating to RINA with th...
Unreliable inter process communication in Ethernet: Migrating to RINA with th...Unreliable inter process communication in Ethernet: Migrating to RINA with th...
Unreliable inter process communication in Ethernet: Migrating to RINA with th...
Eleni Trouva
 
RINA overview and ongoing research in EC-funded projects, ISO SC6 WG7
RINA overview and ongoing research in EC-funded projects, ISO SC6 WG7RINA overview and ongoing research in EC-funded projects, ISO SC6 WG7
RINA overview and ongoing research in EC-funded projects, ISO SC6 WG7
Eleni Trouva
 
IRATI @ RINA Workshop 2014, Dublin
IRATI @ RINA Workshop 2014, DublinIRATI @ RINA Workshop 2014, Dublin
IRATI @ RINA Workshop 2014, Dublin
Eleni Trouva
 
RINA IRATI Korea-EU Workshop 2013
RINA IRATI Korea-EU Workshop 2013RINA IRATI Korea-EU Workshop 2013
RINA IRATI Korea-EU Workshop 2013
Eleni Trouva
 

Viewers also liked (19)

The hague rina-workshop-welcome-miguel
The hague rina-workshop-welcome-miguelThe hague rina-workshop-welcome-miguel
The hague rina-workshop-welcome-miguel
 
Assuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQ
Assuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQAssuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQ
Assuring QoS Guarantees for Heterogeneous Services in RINA Networks with ΔQ
 
A Wake-Up Call for IoT
A Wake-Up Call for IoT A Wake-Up Call for IoT
A Wake-Up Call for IoT
 
10 myths about cloud computing
10 myths about cloud computing10 myths about cloud computing
10 myths about cloud computing
 
IRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OSIRATI: an open source RINA implementation for Linux/OS
IRATI: an open source RINA implementation for Linux/OS
 
3 addressingthe problem130123
3 addressingthe problem1301233 addressingthe problem130123
3 addressingthe problem130123
 
Rina sim workshop
Rina sim workshopRina sim workshop
Rina sim workshop
 
Irati goals and achievements - 3rd RINA Workshop
Irati goals and achievements - 3rd RINA WorkshopIrati goals and achievements - 3rd RINA Workshop
Irati goals and achievements - 3rd RINA Workshop
 
Data Science in Industry - Applying Machine Learning to Real-world Challenges
Data Science in Industry - Applying Machine Learning to Real-world ChallengesData Science in Industry - Applying Machine Learning to Real-world Challenges
Data Science in Industry - Applying Machine Learning to Real-world Challenges
 
Anomaly detection and root cause analysis in distributed application transact...
Anomaly detection and root cause analysis in distributed application transact...Anomaly detection and root cause analysis in distributed application transact...
Anomaly detection and root cause analysis in distributed application transact...
 
Rina IRATI GLIF Singapore 2013
Rina IRATI GLIF Singapore 2013Rina IRATI GLIF Singapore 2013
Rina IRATI GLIF Singapore 2013
 
RINA: Update on research and prototyping activities. Global Future Internet W...
RINA: Update on research and prototyping activities. Global Future Internet W...RINA: Update on research and prototyping activities. Global Future Internet W...
RINA: Update on research and prototyping activities. Global Future Internet W...
 
Experimental evaluation of a RINA prototype - GC 2014
Experimental evaluation of a RINA prototype - GC 2014Experimental evaluation of a RINA prototype - GC 2014
Experimental evaluation of a RINA prototype - GC 2014
 
How Artificial Intelligence Will Kickstart the Internet of Thnigs
How Artificial Intelligence Will Kickstart the Internet of Thnigs How Artificial Intelligence Will Kickstart the Internet of Thnigs
How Artificial Intelligence Will Kickstart the Internet of Thnigs
 
IRATI Experimentation, US-EU FIRE Workshop
IRATI Experimentation, US-EU FIRE WorkshopIRATI Experimentation, US-EU FIRE Workshop
IRATI Experimentation, US-EU FIRE Workshop
 
Unreliable inter process communication in Ethernet: Migrating to RINA with th...
Unreliable inter process communication in Ethernet: Migrating to RINA with th...Unreliable inter process communication in Ethernet: Migrating to RINA with th...
Unreliable inter process communication in Ethernet: Migrating to RINA with th...
 
RINA overview and ongoing research in EC-funded projects, ISO SC6 WG7
RINA overview and ongoing research in EC-funded projects, ISO SC6 WG7RINA overview and ongoing research in EC-funded projects, ISO SC6 WG7
RINA overview and ongoing research in EC-funded projects, ISO SC6 WG7
 
IRATI @ RINA Workshop 2014, Dublin
IRATI @ RINA Workshop 2014, DublinIRATI @ RINA Workshop 2014, Dublin
IRATI @ RINA Workshop 2014, Dublin
 
RINA IRATI Korea-EU Workshop 2013
RINA IRATI Korea-EU Workshop 2013RINA IRATI Korea-EU Workshop 2013
RINA IRATI Korea-EU Workshop 2013
 

Similar to The hageu rina-workshop-security-peter

Rina advantages for large scale decentralized applications
Rina advantages for large scale decentralized applicationsRina advantages for large scale decentralized applications
Rina advantages for large scale decentralized applications
Predictable Network Solutions Ltd.
 
Introducing ConnectGuard™ Cloud
Introducing ConnectGuard™ Cloud Introducing ConnectGuard™ Cloud
Introducing ConnectGuard™ Cloud
ADVA
 
Multi cloud networking
Multi cloud networkingMulti cloud networking
Multi cloud networking
Joseph Primicerio
 
Is the Network Tap Mightier Than the Sword
Is the Network Tap Mightier Than the SwordIs the Network Tap Mightier Than the Sword
Is the Network Tap Mightier Than the Sword
LiveAction Next Generation Network Management Software
 
Design and Deploy Secure Clouds for Financial Services Use Cases
Design and Deploy Secure Clouds for Financial Services Use CasesDesign and Deploy Secure Clouds for Financial Services Use Cases
Design and Deploy Secure Clouds for Financial Services Use Cases
PLUMgrid
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco Canada
 
Cloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityCloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust Visibility
Raphaël PINSON
 
Rina converged network operator - etsi workshop
Rina converged network operator -  etsi workshopRina converged network operator -  etsi workshop
Rina converged network operator - etsi workshop
ARCFIRE ICT
 
Introduction to SDN
Introduction to SDNIntroduction to SDN
Introduction to SDN
NetCraftsmen
 
Webinar: The Software Matters in Open Networking
Webinar: The Software Matters in Open NetworkingWebinar: The Software Matters in Open Networking
Webinar: The Software Matters in Open Networking
Storage Switzerland
 
Using Kubernetes to make cellular data plans cheaper for 50M users
Using Kubernetes to make cellular data plans cheaper for 50M usersUsing Kubernetes to make cellular data plans cheaper for 50M users
Using Kubernetes to make cellular data plans cheaper for 50M users
Mirantis
 
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'
OpenStack Korea Community
 
Build Safe & Secure Distributed Systems - RTI Huntsville Roadshow- 2014 09 25
Build Safe & Secure Distributed Systems - RTI Huntsville Roadshow- 2014 09 25Build Safe & Secure Distributed Systems - RTI Huntsville Roadshow- 2014 09 25
Build Safe & Secure Distributed Systems - RTI Huntsville Roadshow- 2014 09 25
Real-Time Innovations (RTI)
 
A new way to connect and protect retail networks with secure enterprise SD-WA...
A new way to connect and protect retail networks with secure enterprise SD-WA...A new way to connect and protect retail networks with secure enterprise SD-WA...
A new way to connect and protect retail networks with secure enterprise SD-WA...
National Retail Federation
 
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...
Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...
Cisco Canada
 
Software defined network-- SDN
Software defined network-- SDNSoftware defined network-- SDN
Software defined network-- SDN
Aadarsh Sharma
 
Control Plane for High Capacity Networks Public
Control Plane for High Capacity Networks PublicControl Plane for High Capacity Networks Public
Control Plane for High Capacity Networks Public
CPqD
 
SDN Security Talk - (ISC)2_3
SDN Security Talk - (ISC)2_3SDN Security Talk - (ISC)2_3
SDN Security Talk - (ISC)2_3
Wen-Pai Lu
 
Interconnect your future
Interconnect your futureInterconnect your future
Interconnect your future
inside-BigData.com
 
Forcepoint SD-WAN and NGFW + IPS
Forcepoint SD-WAN and NGFW + IPSForcepoint SD-WAN and NGFW + IPS
Forcepoint SD-WAN and NGFW + IPS
Larry Austin
 

Similar to The hageu rina-workshop-security-peter (20)

Rina advantages for large scale decentralized applications
Rina advantages for large scale decentralized applicationsRina advantages for large scale decentralized applications
Rina advantages for large scale decentralized applications
 
Introducing ConnectGuard™ Cloud
Introducing ConnectGuard™ Cloud Introducing ConnectGuard™ Cloud
Introducing ConnectGuard™ Cloud
 
Multi cloud networking
Multi cloud networkingMulti cloud networking
Multi cloud networking
 
Is the Network Tap Mightier Than the Sword
Is the Network Tap Mightier Than the SwordIs the Network Tap Mightier Than the Sword
Is the Network Tap Mightier Than the Sword
 
Design and Deploy Secure Clouds for Financial Services Use Cases
Design and Deploy Secure Clouds for Financial Services Use CasesDesign and Deploy Secure Clouds for Financial Services Use Cases
Design and Deploy Secure Clouds for Financial Services Use Cases
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
 
Cloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust VisibilityCloud Native Bern 05.2023 — Zero Trust Visibility
Cloud Native Bern 05.2023 — Zero Trust Visibility
 
Rina converged network operator - etsi workshop
Rina converged network operator -  etsi workshopRina converged network operator -  etsi workshop
Rina converged network operator - etsi workshop
 
Introduction to SDN
Introduction to SDNIntroduction to SDN
Introduction to SDN
 
Webinar: The Software Matters in Open Networking
Webinar: The Software Matters in Open NetworkingWebinar: The Software Matters in Open Networking
Webinar: The Software Matters in Open Networking
 
Using Kubernetes to make cellular data plans cheaper for 50M users
Using Kubernetes to make cellular data plans cheaper for 50M usersUsing Kubernetes to make cellular data plans cheaper for 50M users
Using Kubernetes to make cellular data plans cheaper for 50M users
 
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'
[OpenStack Day in Korea 2015] Track 2-3 - 오픈스택 클라우드에 최적화된 네트워크 가상화 '누아지(Nuage)'
 
Build Safe & Secure Distributed Systems - RTI Huntsville Roadshow- 2014 09 25
Build Safe & Secure Distributed Systems - RTI Huntsville Roadshow- 2014 09 25Build Safe & Secure Distributed Systems - RTI Huntsville Roadshow- 2014 09 25
Build Safe & Secure Distributed Systems - RTI Huntsville Roadshow- 2014 09 25
 
A new way to connect and protect retail networks with secure enterprise SD-WA...
A new way to connect and protect retail networks with secure enterprise SD-WA...A new way to connect and protect retail networks with secure enterprise SD-WA...
A new way to connect and protect retail networks with secure enterprise SD-WA...
 
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...
Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...Cisco Connect Toronto 2018   sd-wan - delivering intent-based networking to t...
Cisco Connect Toronto 2018 sd-wan - delivering intent-based networking to t...
 
Software defined network-- SDN
Software defined network-- SDNSoftware defined network-- SDN
Software defined network-- SDN
 
Control Plane for High Capacity Networks Public
Control Plane for High Capacity Networks PublicControl Plane for High Capacity Networks Public
Control Plane for High Capacity Networks Public
 
SDN Security Talk - (ISC)2_3
SDN Security Talk - (ISC)2_3SDN Security Talk - (ISC)2_3
SDN Security Talk - (ISC)2_3
 
Interconnect your future
Interconnect your futureInterconnect your future
Interconnect your future
 
Forcepoint SD-WAN and NGFW + IPS
Forcepoint SD-WAN and NGFW + IPSForcepoint SD-WAN and NGFW + IPS
Forcepoint SD-WAN and NGFW + IPS
 

More from ICT PRISTINE

Benefits of programmable topological routing policies in RINA-enabled large s...
Benefits of programmable topological routing policies in RINA-enabled large s...Benefits of programmable topological routing policies in RINA-enabled large s...
Benefits of programmable topological routing policies in RINA-enabled large s...
ICT PRISTINE
 
Lost layer talk 2014
Lost layer talk 2014Lost layer talk 2014
Lost layer talk 2014
ICT PRISTINE
 
RINA Introduction, part II
RINA Introduction, part IIRINA Introduction, part II
RINA Introduction, part II
ICT PRISTINE
 
RINA Introduction, part I
RINA Introduction, part IRINA Introduction, part I
RINA Introduction, part I
ICT PRISTINE
 
6 security130123
6 security1301236 security130123
6 security130123
ICT PRISTINE
 
Dublin addressingtheproblem131224
Dublin addressingtheproblem131224Dublin addressingtheproblem131224
Dublin addressingtheproblem131224
ICT PRISTINE
 
Dublin mngmt140120
Dublin mngmt140120Dublin mngmt140120
Dublin mngmt140120
ICT PRISTINE
 
RINA essentials, PISA Internet Festival 2015
RINA essentials, PISA Internet Festival 2015RINA essentials, PISA Internet Festival 2015
RINA essentials, PISA Internet Festival 2015
ICT PRISTINE
 
SFR: Scalable Forwarding with RINA for Distributed Clouds
SFR: Scalable Forwarding with RINA for Distributed CloudsSFR: Scalable Forwarding with RINA for Distributed Clouds
SFR: Scalable Forwarding with RINA for Distributed Clouds
ICT PRISTINE
 
Reconstructing computer networking with RINA: how solid scientific foundation...
Reconstructing computer networking with RINA: how solid scientific foundation...Reconstructing computer networking with RINA: how solid scientific foundation...
Reconstructing computer networking with RINA: how solid scientific foundation...
ICT PRISTINE
 
EC Net Tech FI Cluster meeting October 23 2014 PRISTINE
EC Net Tech FI Cluster meeting October 23 2014 PRISTINEEC Net Tech FI Cluster meeting October 23 2014 PRISTINE
EC Net Tech FI Cluster meeting October 23 2014 PRISTINE
ICT PRISTINE
 

More from ICT PRISTINE (11)

Benefits of programmable topological routing policies in RINA-enabled large s...
Benefits of programmable topological routing policies in RINA-enabled large s...Benefits of programmable topological routing policies in RINA-enabled large s...
Benefits of programmable topological routing policies in RINA-enabled large s...
 
Lost layer talk 2014
Lost layer talk 2014Lost layer talk 2014
Lost layer talk 2014
 
RINA Introduction, part II
RINA Introduction, part IIRINA Introduction, part II
RINA Introduction, part II
 
RINA Introduction, part I
RINA Introduction, part IRINA Introduction, part I
RINA Introduction, part I
 
6 security130123
6 security1301236 security130123
6 security130123
 
Dublin addressingtheproblem131224
Dublin addressingtheproblem131224Dublin addressingtheproblem131224
Dublin addressingtheproblem131224
 
Dublin mngmt140120
Dublin mngmt140120Dublin mngmt140120
Dublin mngmt140120
 
RINA essentials, PISA Internet Festival 2015
RINA essentials, PISA Internet Festival 2015RINA essentials, PISA Internet Festival 2015
RINA essentials, PISA Internet Festival 2015
 
SFR: Scalable Forwarding with RINA for Distributed Clouds
SFR: Scalable Forwarding with RINA for Distributed CloudsSFR: Scalable Forwarding with RINA for Distributed Clouds
SFR: Scalable Forwarding with RINA for Distributed Clouds
 
Reconstructing computer networking with RINA: how solid scientific foundation...
Reconstructing computer networking with RINA: how solid scientific foundation...Reconstructing computer networking with RINA: how solid scientific foundation...
Reconstructing computer networking with RINA: how solid scientific foundation...
 
EC Net Tech FI Cluster meeting October 23 2014 PRISTINE
EC Net Tech FI Cluster meeting October 23 2014 PRISTINEEC Net Tech FI Cluster meeting October 23 2014 PRISTINE
EC Net Tech FI Cluster meeting October 23 2014 PRISTINE
 

Recently uploaded

Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
dtagbe
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
GNAMBIKARAO
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
Infosec train
 

Recently uploaded (11)

Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
一比一原版(uc毕业证书)加拿大卡尔加里大学毕业证如何办理
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 
cyber crime.pptx..........................
cyber crime.pptx..........................cyber crime.pptx..........................
cyber crime.pptx..........................
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
How to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdfHow to make a complaint to the police for Social Media Fraud.pdf
How to make a complaint to the police for Social Media Fraud.pdf
 

The hageu rina-workshop-security-peter

  • 1. ©PredictableNetworkSolutionsLtd2016 RINA and Security Security and RINA Peter Thompson | CTO | Predictable Network Solutions SDN World Congress 2016, The Hague, October 2016
  • 2. ©PredictableNetworkSolutionsLtd2016 RINA and Security 2 Current networks struggle with managing connectivity/association • Implicit association forces ad-hoc solutions • 802.1X • NAT/Firewalls • Managing the configuration of these mechanisms is complex • Errors are easy to make and hard to fix • Typical node attributes are easily spoofed • E.g. MAC address RINA provides a framework to control association • RINA protects layers instead of protocols • Addressing scope is contained within DIFs • DIFs are securable containers, replacing firewalls • Policy-based Authentication and Authorisation models • Enrollment in DIF • Connection between processes • All centrally managed via policies • Allows Capability-based Access Control Managing connectivity/association
  • 3. ©PredictableNetworkSolutionsLtd2016 RINA and Security 3Protecting layers instead of protocols Operating on the IPCP’s RIB Access control Sending/receiving PDUs through N-1 DIF Confidentiality, integrity N DIF N-1 DIF IPC Process IPC Process IPC Process IPC Process Joining a DIF authentication, access control Sending/receiving PDUs through N-1 DIF Confidentiality, integrity Operating on the IPCP’s RIB Access control IPC Process Appl. Process Access control (DIF members) Confidentiality, integrity Authentication Access control Operations on RIB DIF Operation Logging DIF Operation Logging The architecture specifies where security-related functions are placed: All layers have the same mechanisms, programmable via policies.
  • 4. ©PredictableNetworkSolutionsLtd2016 RINA and Security 4Separation of mechanism from policy 4 IPC API Data Transfer Data Transfer Control Layer Management SDU Delimiting Data Transfer Relaying and Multiplexing SDU Protection Retransmission Control Flow Control RIB Daemon RIB CDAP Parser/Generator CACEP Enrollment Flow Allocation Resource Allocation Routing Authentication StateVector StateVector StateVector Data TransferData Transfer Retransmission ControlRetransmission Control Flow Control Flow Control Namespace Management Security Management Authentication Access control (layer mgmt operations) Access control (joining the DIF) Coordination of security functionsConfidentiality, Integrity • Don’t specify/implement security protocols, only security policies • Re-use common layer structure, re-use security policies across layers • Only 2 protocols: EFCP for data transfer, CDAP for layer management • This approach greatly simplifies the network structure, minimizing the cost of security and improving the security level • “Complexity is the worst enemy of security” (B. Schneier)
  • 5. ©PredictableNetworkSolutionsLtd2016 RINA and Security 5 Combines: • Adaptive and dynamic nature of ABAC model and • Fine-grained authorization provided by the CBAC model. Exploits RINA layer management functions • Generic solution able to secure any management layer function • E.g. routing or flow allocation New access control architecture in PRISTINE
  • 6. ©PredictableNetworkSolutionsLtd2016 RINA and Security 6 • Key material kept separate • Secure even if the management system is compromised • Hierarchical structure • Scalability from delegation • Allows multi-tenant operation • Can integrate with existing key- management systems • ‘Key containers’ in the RIB • Contain key state • No private key material • Physical deployment depends on the level of trust of the environment • Reliable time-of-day clocks? • TPMs? Key management architecture
  • 7. ©PredictableNetworkSolutionsLtd2016 RINA and Security 10 Resilient Routing • Loop-free Alternate (LFA) fast re-route • Routing table changes driven from RIB events • N-1 flow up • N-1 flow down • Flow State Database changed • Shown that distributed application exchanging messages between nodes is not affected by failure of links. • Whatever-cast • Transparent data replication Load distribution/balancing • No new components required • Server clusters belong to a single DAF • Exchange loading information • DAPs can be (de)provisioned as required • Distribution decisions can be taken in several locations • Choice depends on specifics of the scenario • Based on configurable policies Resiliency in RINA
  • 8. ©PredictableNetworkSolutionsLtd2016 RINA and Security 11Demo: Service provider network • Show that rogue customers / peers could only compromise e-mall DIFs • And to do that they would need access to the key material providing authentication and SDU Protection policies are in place • Show asymetric key (RSA) and cryptographic SDU protection policies in action Access router PtP DIF CPE Edge Service Router MAN P.E MAN P. E. MAN Access DIF PtP DIF PtP DIFPtP DIF PtP DIF Host Core Backbone DIF PtP DIF Core router Core router Edge Router Edge Router Customer network ISP 2ISP 1 network Access Aggregation Service Edge Core Internet Edge PtP DIF PtP DIF PtP DIF Service Provider Top Level DIF E-mall 1 DIF PtP DIF E-mall 2 DIF attacker attacker attacker
  • 9. ©PredictableNetworkSolutionsLtd2016 RINA and Security 12Demo observation points Layout of physical systems • Observe behaviour of authentication and SDU Protection policies • Flows over e-mall1 DIF • Flows over e-mall2 DIF

Editor's Notes

  1. Instead of thinking protocol security (BGPsec, DNSsec, IPsec, TLS, etc.), think security of the architecture: no more ‘each protocol has its own security’, ‘add another protocol for security’ or ‘add another box that does security’