Slide 1
doc.: IEEE 802.11-07/757r0
Submission
May 2007
Richard Paine, Boeing

Secure Mobile Architecture (SMA): Secure Multi-Net Handoff
SMA Demo Team, Math & Computing Technologies, May 2007
Slide 2: Agenda
• Motivation and Problem Statement
• Review of SMA Components
  • Public Key Infrastructure (PKI)
  • Host Identity Protocol (HIP)
  • Network Directory Service (NDS)
  • Location Enabled Network Service (LENS)
Slide 3: SMA Motivation and Problem Statement
• BCAG business segment need: total secure communications in the factory (cellular, WLAN, fixed wireless, cable replacements, roaming across subnets)
• IDS business segment need: secure mobile communications (multi-level security, ad hoc, cross-subnet roaming, discovery)
• Works with any MAC, has a uniform method of security and handles Layer 2 mobility
• Utilizes cryptographic identities and authorization
• Addresses most major communications and security concerns in networking
• Need to treat IP as an insecure transport layer
• Secures both wired and wireless (as in VoIP calls)
Slide 4: What is "SMA"?
Secure: Cryptographic identities are associated with each and every packet.
Mobile: Mobility-driven address changes are transparent to applications and connections.
Architecture: Significantly improves our enterprise network architecture by providing:
• Improved flexibility and agility
• Network-enforced, end-to-end security
• Centralized access control with delegated authority
• Reduced operational cost and complexity
• Uniform internal/external access method
Slide 5: Agenda (repeat of Slide 2)
Slide 6: SMA Elements
PKI (Public Key Infrastructure) + HIP (Host Identity Protocol) + NDS (Network Directory Services) + LENS (Location-Enabled Network Services) = SMA (Secure Mobile Architecture)
Slide 7: SMA Elements: PKI (element list as on Slide 6)
Slide 8: SMA Elements: PKI
TempCert Provisioning Process
[Diagram: the Client holds a Badge cert and a Temp cert and talks to the RA over an SSL/TLS tunnel (steps 1 and 2); the RA is backed by the Boeing PKI and SLDAP.]
1) Badge used for client authentication; TempCert request sent to the RA
2) RA issues the TempCert
3) Client has the TempCert available for 8-16 hours
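The three steps above as working code. This is an added example, not Boeing's RA or PKI software: the CA name, the employee subject, the use of ECDSA P-256 keys and the enforcement of the lifetime bound at the RA are assumptions; the 8-16 hour window is the one on the slide. Besides issuance it shows the checks a relying party should make: a TempCert verifies now, fails once it has aged past its window, a request for a longer life is refused, and a badge from an unrelated CA does not get a TempCert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Added example of the TempCert flow; not Boeing's RA or PKI code. The CA name,
// the badge subject and the use of P-256 keys are assumptions.
const minTempLife, maxTempLife = 8 * time.Hour, 16 * time.Hour // slide: 8-16 hours

// issuer models the enterprise PKI that signs badge certs and TempCerts.
type issuer struct {
	cert   *x509.Certificate
	key    *ecdsa.PrivateKey
	roots  *x509.CertPool
	serial int64
}

func newIssuer(name string) (*issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return &issuer{cert: cert, key: key, roots: roots, serial: 1}, nil
}

// issueClientCert signs a client-auth leaf for pub under subject cn, valid for life.
func (c *issuer) issueClientCert(cn string, pub *ecdsa.PublicKey, life time.Duration) (*x509.Certificate, error) {
	c.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(c.serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(life),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.cert, pub, c.key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// verifyClientCert is the check any relying party (RA, HIP peer, directory) runs at time at.
func verifyClientCert(roots *x509.CertPool, cert *x509.Certificate, at time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// requestTempCert is the RA side of the slide's three steps. In the demo the badge is the
// client certificate of the SSL/TLS tunnel; here it is passed in directly.
func requestTempCert(pki *issuer, badge *x509.Certificate, tempPub *ecdsa.PublicKey, life time.Duration) (*x509.Certificate, error) {
	// 1) Badge used for client auth: it must chain to the enterprise PKI now.
	if err := verifyClientCert(pki.roots, badge, time.Now()); err != nil {
		return nil, fmt.Errorf("badge authentication failed: %w", err)
	}
	// 3) Never mint a TempCert that outlives the 8-16 hour window, whatever the client asks for.
	if life < minTempLife || life > maxTempLife {
		return nil, errors.New("requested lifetime outside the 8-16 hour TempCert policy")
	}
	// 2) RA issues the TempCert for the client's fresh key, carrying the badge's identity.
	return pki.issueClientCert(badge.Subject.CommonName, tempPub, life)
}

// scenario runs the flow end to end and reports the checks a practitioner would make.
func scenario() (validNow, expiredAt17h, rejectsLongLife, rejectsForeignBadge bool, err error) {
	pki, err := newIssuer("Example Enterprise Root CA")
	if err != nil { return }
	badgeKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tempKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	badge, err := pki.issueClientCert("employee-12345", &badgeKey.PublicKey, 2*365*24*time.Hour)
	if err != nil { return }
	temp, err := requestTempCert(pki, badge, &tempKey.PublicKey, 8*time.Hour)
	if err != nil { return }
	validNow = verifyClientCert(pki.roots, temp, time.Now()) == nil
	expiredAt17h = verifyClientCert(pki.roots, temp, time.Now().Add(17*time.Hour)) != nil
	_, e := requestTempCert(pki, badge, &tempKey.PublicKey, 24*time.Hour)
	rejectsLongLife = e != nil
	other, _ := newIssuer("Unrelated CA") // a badge from some other PKI must be refused
	foreign, _ := other.issueClientCert("employee-12345", &badgeKey.PublicKey, time.Hour)
	_, e = requestTempCert(pki, foreign, &tempKey.PublicKey, 8*time.Hour)
	rejectsForeignBadge = e != nil
	return
}

func main() { fmt.Println(scenario()) }
```

The TempCert is bound to a fresh key, so compromise of a laptop that was provisioned yesterday does not expose the badge's private key, and the expiry bound means a stolen TempCert is useful for at most 16 hours even without revocation.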
Slide 9: SMA Elements: HIP (element list as on Slide 6)
Slide 10: SMA Elements: HIP
HIP Overview
• Background
  • Original concept developed by Bob Moskowitz
  • Experimental RFCs now in last call in the IETF
  • Boeing heavily involved in RFC development (Tom Henderson)
    – Linux implementation released as open source
    – Windows implementation soon to be released
  • Other major players: Cisco, Ericsson, NEC, Siemens, NTT DoCoMo, universities
• HIP provides opportunistic pair-wise SAs
• Somewhat like IPsec
• Client cert retrieved from the LDAP directory
• SA based on identity, not IP address
• SA established and managed over an IP control channel
• SA data flows through ESP-IP packets
• Mobility events handled in the IP stack via HIP UPDATE packets
Slide 11: SMA Elements: HIP
HIP-Enabled Secure Communications
[Diagram: Initiator and Responder each run an Application in user space over an IP stack with IPsec in kernel space; on each side a user-space HIP Daemon talks to the kernel through PF_INET, PF_KEY and PF_RAW sockets and drives the Key Engine. The HIP handshake runs daemon to daemon; IPsec ESP data flows between the stacks, identified by SPI, not by IP address.]
Slide 12: SMA Elements: HIP
[Diagram: packet layout: IP header | IPsec (ESP) | encrypted header and transport payload]
Host Identity (HI) is a public/private key pair:
• Identity defined by the holder of the private key
• Public key used by others to authenticate control messages
• SHA-1 hash of the public key forms a "Host Identity Tag (HIT)"
  – used where 128-bit fields are needed
  – self-referential (i.e., the HIT can be securely used instead of the HI)
• HIT is implied by the SPI value in the IPsec header
• HIP incurs no per-packet overhead (beyond the ESP encapsulation shown)
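The HI/HIT relationship and the SPI-keyed SA of this slide, carried through to the mobility point from Slide 10 (SA based on identity, locator changed by a HIP UPDATE). This is an added example, not Boeing's code or that of any HIP implementation. Assumptions: the HIT is taken as the low-order 128 bits of SHA-1 over the DER-encoded public key (the slide only says SHA-1 sized to 128 bits; the later RFC 4843/5201 ORCHID format differs, so these tags will not match a standards-based stack); the HI is an ECDSA P-256 key; the UPDATE message layout and the 130.42.32.0/24 and other locator addresses are constructed sample data. A real stack also runs an address verification echo before sending data to a new locator; that step is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Added example, not Boeing's or any HIP daemon's code. Keeping the low-order 128 bits of
// SHA-1 is an assumption (RFC 4843/5201 ORCHIDs differ); keys, SPIs and addresses are sample data.
type HIT [16]byte // sized to fit any 128-bit (IPv6 address) field

// hitFromDER hashes a DER-encoded Host Identity (public key) down to a HIT.
func hitFromDER(der []byte) HIT {
	sum := sha1.Sum(der)
	var h HIT
	copy(h[:], sum[len(sum)-16:])
	return h
}

// verifyHI is the self-referential property: showing the HI proves ownership of the HIT.
func verifyHI(claimed HIT, presentedDER []byte) bool { return hitFromDER(presentedDER) == claimed }

// sa is an inbound ESP association: peer identity and key are fixed, the locator is not.
type sa struct{ peerHIT HIT; peerHI *ecdsa.PublicKey; locator net.IP; lastSeq uint32 }
type saTable struct{ bySPI map[uint32]*sa }

// install records the SA agreed in the base exchange under its SPI.
func (t *saTable) install(spi uint32, hi *ecdsa.PublicKey, locator net.IP) (HIT, error) {
	if _, dup := t.bySPI[spi]; dup { return HIT{}, errors.New("SPI already in use") }
	der, err := x509.MarshalPKIXPublicKey(hi)
	if err != nil { return HIT{}, err }
	h := hitFromDER(der)
	t.bySPI[spi] = &sa{peerHIT: h, peerHI: hi, locator: locator.To16()}
	return h, nil
}

// demux maps an inbound ESP packet to its peer by SPI alone; the source IP is never consulted.
func (t *saTable) demux(spi uint32) (HIT, net.IP, bool) {
	s, ok := t.bySPI[spi]
	if !ok { return HIT{}, nil, false }
	return s.peerHIT, s.locator, true
}

// updateMsg stands in for a HIP UPDATE announcing a new locator; Sig is the peer HI's
// ECDSA signature over SPI, Seq and Locator.
type updateMsg struct{ SPI, Seq uint32; Locator net.IP; Sig []byte }

func (u *updateMsg) digest() []byte {
	b := make([]byte, 8, 24)
	binary.BigEndian.PutUint32(b[0:4], u.SPI)
	binary.BigEndian.PutUint32(b[4:8], u.Seq)
	sum := sha256.Sum256(append(b, u.Locator.To16()...))
	return sum[:]
}

func signUpdate(priv *ecdsa.PrivateKey, u *updateMsg) (err error) {
	u.Sig, err = ecdsa.SignASN1(rand.Reader, priv, u.digest())
	return err
}

// applyUpdate re-homes the SA only for an UPDATE signed by the HI bound to that SPI and
// fresher than the last one accepted; anything else is dropped.
func (t *saTable) applyUpdate(u *updateMsg) error {
	s, ok := t.bySPI[u.SPI]
	if !ok { return errors.New("UPDATE for unknown SPI") }
	if u.Seq <= s.lastSeq { return errors.New("replayed or stale UPDATE") }
	if !ecdsa.VerifyASN1(s.peerHI, u.digest(), u.Sig) { return errors.New("UPDATE not signed by the SA's HI") }
	s.lastSeq, s.locator = u.Seq, u.Locator.To16()
	return nil
}

type result struct{ HITOK, Roamed, ReplayRejected, ForgedRejected bool; Err error }

// scenario: a peer roams from the WLAN subnet to a cellular address; an off-path attacker
// then replays that UPDATE and forges one of its own.
func scenario() result {
	peer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attacker, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tbl := &saTable{bySPI: map[uint32]*sa{}}
	hit, err := tbl.install(0x1a2b3c4d, &peer.PublicKey, net.ParseIP("130.42.32.10"))
	if err != nil { return result{Err: err} }
	der, _ := x509.MarshalPKIXPublicKey(&peer.PublicKey)
	bad, _ := x509.MarshalPKIXPublicKey(&attacker.PublicKey)
	r := result{HITOK: verifyHI(hit, der) && !verifyHI(hit, bad)}
	up := &updateMsg{SPI: 0x1a2b3c4d, Seq: 1, Locator: net.ParseIP("10.20.30.40")}
	if err := signUpdate(peer, up); err != nil { return result{Err: err} }
	err = tbl.applyUpdate(up)
	_, loc, _ := tbl.demux(0x1a2b3c4d)
	r.Roamed = err == nil && loc.Equal(net.ParseIP("10.20.30.40"))
	r.ReplayRejected = tbl.applyUpdate(up) != nil
	forged := &updateMsg{SPI: 0x1a2b3c4d, Seq: 2, Locator: net.ParseIP("192.0.2.66")}
	_ = signUpdate(attacker, forged)
	r.ForgedRejected = tbl.applyUpdate(forged) != nil
	return r
}

func main() { fmt.Printf("%+v\n", scenario()) }
```

The point of keying the table by SPI is visible in the scenario: the peer's address changes from the 130.42.32.0/24 WLAN subnet to a cellular address and the SA, its keys and its HIT are untouched. The two rejections are what keep that flexibility from becoming a redirection attack: a locator change is honored only when signed by the HI behind the SPI and only once.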
Slide 13: SMA Elements: NDS (element list as on Slide 6)
Slide 14: SMA Elements: NDS
• Support for real-time endpoint mobility and location data
• Future integration with Boeing DNS and directory (CED, NAMS-ng) infrastructure
[Diagram: Directory Information Flow among the Enterprise DNS Proxy, Security Perimeter, Virtual Directory, SLDAP Client, Policy Decision Daemon, Middleboxes, Client, DNS/DDNS and Location Server.]
Slide 15: SMA Elements: NDS
Two-Stage Client Provisioning
[Diagram: Generic ISP Provisioning Process: Client, 802.11 Access Point, DHCP Server, AAA Server. Enterprise Provisioning Process: Client to RA over TLS (step 1), then to the Directory (step 2); DNS and SLDAP also shown.]
1) HardCert authentication for the TempCert
2) Identity/IP update in the Directory
Slide 16: SMA Elements: LENS (element list as on Slide 6)
Slide 17: SMA Elements: LENS
Location Architecture
[Diagram: Location Computation Server, Directory, Location Distribution Server and Policy, Location Requesting Client, Passive Tag Gate and AAA Server on the Boeing Intranet.]
Slide 18: SMA Elements (element list as on Slide 6)
Slide 19: What has Changed between the 2004 and 2006 Demos
2004
  PKI:  Smart cards, Temp certs, Boeing PKI
  HIP:  Linux client (open source), HIP web server
  NDS:  Location-based policy enforcement (polling LDAP)
  LENS: Simulated location server
2005
  PKI:  No change
  HIP:  Windows XP client (open source), Endbox, cellular-to-WLAN handoffs
  NDS:  Location-based policy enforcement (pub-sub using IBM MQ Series), scales to enterprise
  LENS: AeroScout location server (Blv & 40-26), location events through pub-sub, live location updates
2006
  PKI:  TCG recommendations
  HIP:  Mobile demo, secure SCADA on 777 crawlers, VoIP handoffs
  NDS:  Network Location Service (NLS)
  LENS: No change
Slide 20: Agenda
• SMA Technology Transfer
  • Location
  • Secure Layer 2 Mobility
  • Pub-Sub
  • SMA Policy-Based Networking Using Location
  • Endbox
  • Secure VoWLAN
• SMA in the Boeing Enterprise and Battlespace
• CY'07 plans
• Q & A
Slide 21: Everett Manufacturing Site
WLAN 802.11-based RTLS/LENS Pilot
Slide 22: Everett 40-26 (TDOA)
[Diagram: time synchronizers and TDOA location devices]
Slide 23: RFID Components
• Active tags send an identifier string
  • AeroScout: unique 802.11 MAC address
  • Programmable "chirp" rate
• Location is computed using a combination of
  • Signal strength measurements
    – Both Cisco APs and AeroScout "Location Receivers"
  • Time-of-flight triangulation
    – AeroScout "Location Receivers" only
    – We expect this capability to be added to Cisco APs in a few years
Slide 24: Everett Location Policy Enforcement
[Site map]
Slide 25: C17 Factory
Slide 26: F15/F18 Factory
Slide 27: Other Factories to Get NLS
• Fredrickson
• Auburn
• Everett
Slide 28: Agenda (repeat of Slide 20)
Slide 29: 2005 SMA Cellular to WLAN Handoff
• Real-time WLAN/cellular mobility demonstration
[Diagram: the SMAmobile moves between the WLAN (APs on 130.42.32.0/24 behind a Cisco switch in Bellevue, with Directory, TempCert RA, LPDD, AAA Server and PKI) and cellular (Netscreen and MSC reached across the Internet), changing from IP address A to IP address B. Phantom Works namespace: mct.phantomworks.org.]
Slide 30: 2006 SMA Secure VoIP Handoff
[Diagram: SMA mobiles carrying VoIP roam among WiMAX towers (Router, WiMAX switch), WiFi APs (WiFi switch) and cellular. Each access network has a Message Broker, Directory, DNS, TempCert RA, Location Server and LPDD; an AAA Server and the Navy PKI are shown. HIP SAs run end to end between the SMA mobiles, the smaX VoIP peers, and the Robot Controller and Robots. DNS namespace: mobile.tl.boeing.com.]
Slide 31: 2007 SMA VoWLAN for FactoryNet
[Diagram: same layout as Slide 30 (WiMAX towers, WiFi APs, cellular, per-network Message Broker, Directory, DNS, TempCert RA, Location Server and LPDD; AAA Server; Navy PKI; HIP SAs end to end between SMA mobiles, smaX VoIP peers, Robot Controller and Robots), now attached to the Boeing Intranet with the cellular path over the Internet. DNS namespace: mobile.tl.boeing.com.]
Slide 32: Agenda (repeat of Slide 20)
Slide 33: 2004 SMA Directory Service
[Diagram (2004): LDAP holds Status, Policies and Locations; a Decision Daemon reads them; Clients send Status Updates; a simulated Location Server (Sim LS) supplies Locations; DNS supplies IP.]
Slide 34: Prototype Pub-Sub Messaging Architecture
[Diagram: Message Broker Infrastructure with Connectors to an RTLS Location Server, a Passive Tag DCS and a Barcode Scanner DCS; a Content Subscription Manager holds Content Subscriptions and feeds Event Consumers through Connectors; an RDBMS/SQL Connector is marked "Possible Future Enhancement".]
Slide 35: Pub-Sub Detail for FactoryNet
• RTLS Location
[Diagram: Message Broker Infrastructure with Connectors to the RTLS Location Server, Sensor Server and RFID Server; Content Subscription Manager with Content Subscriptions; Event Consumer; LDAP. The Decision Daemon receives Interest Updates and Policy, exchanges an Initial Query/Response with the HIP daemons (HIPD) and receives Status Updates and Locations. First year: polling. Second year: pub-sub.]
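The Decision Daemon side of this diagram, as an added example wired to an in-process publish/subscribe broker standing in for the message broker infrastructure; this is not Boeing's LPDD or Decision Daemon code. The topic name, zone names, the robot-controller resource, the tag-to-identity bindings and the 60-second staleness window are assumptions; the location events are constructed sample data. Two behaviours the diagram does not spell out are handled: out-of-order event delivery does not let an older sighting overwrite a newer one, and a client whose location has gone stale is denied rather than allowed on its last known zone.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Added example of a location-driven policy decision point; not Boeing's LPDD or Decision
// Daemon code. Topic, zones, resource, tag bindings and the 60-second staleness window are
// assumptions; the location events are constructed sample data.

// locationEvent is what the RTLS connector publishes: an active tag (802.11 MA) seen in a zone.
type locationEvent struct {
	Tag, Zone string
	At        time.Time
}

// broker is a minimal in-process publish/subscribe fabric in place of the message broker infrastructure.
type broker struct {
	mu   sync.Mutex
	subs map[string][]func(locationEvent)
}

func (b *broker) subscribe(topic string, fn func(locationEvent)) {
	b.mu.Lock()
	defer b.mu.Unlock()
	b.subs[topic] = append(b.subs[topic], fn)
}

func (b *broker) publish(topic string, ev locationEvent) {
	b.mu.Lock()
	fns := append([]func(locationEvent){}, b.subs[topic]...)
	b.mu.Unlock()
	for _, fn := range fns { fn(ev) }
}

// decisionDaemon keeps the latest location per tag and answers allow/deny per subject and resource.
type decisionDaemon struct {
	mu       sync.Mutex
	maxAge   time.Duration              // a location older than this is not trusted: fail closed
	tagOfHIT map[string]string          // directory binding: identity (HIT) -> asset tag
	lastSeen map[string]locationEvent   // tag -> most recent sighting
	policy   map[string]map[string]bool // resource -> zones in which it may be used
}

func newDecisionDaemon(b *broker, maxAge time.Duration) *decisionDaemon {
	d := &decisionDaemon{maxAge: maxAge, tagOfHIT: map[string]string{},
		lastSeen: map[string]locationEvent{}, policy: map[string]map[string]bool{}}
	b.subscribe("rtls.location", d.onLocation) // an interest update replaces polling LDAP
	return d
}

// onLocation is the subscriber. Delivery can reorder, so an older sighting never overwrites a newer one.
func (d *decisionDaemon) onLocation(ev locationEvent) {
	d.mu.Lock()
	defer d.mu.Unlock()
	if prev, ok := d.lastSeen[ev.Tag]; ok && !ev.At.After(prev.At) { return }
	d.lastSeen[ev.Tag] = ev
}

// decide reports whether subject may use resource at time now, and why; every missing input denies.
func (d *decisionDaemon) decide(subjectHIT, resource string, now time.Time) (bool, string) {
	d.mu.Lock()
	defer d.mu.Unlock()
	zones, hasPolicy := d.policy[resource]
	tag, bound := d.tagOfHIT[subjectHIT]
	ev, seen := d.lastSeen[tag]
	switch {
	case !hasPolicy:
		return false, "no policy for resource"
	case !bound:
		return false, "subject not bound to an asset tag"
	case !seen:
		return false, "no location ever reported"
	case now.Sub(ev.At) > d.maxAge:
		return false, "location stale, failing closed"
	case !zones[ev.Zone]:
		return false, "zone " + ev.Zone + " not permitted"
	}
	return true, "in permitted zone " + ev.Zone
}

// scenario wires the pieces with constructed data and returns the four decisions of interest.
func scenario() (inZone, outOfOrderIgnored, wrongZoneDenied, staleDenied bool) {
	b := &broker{subs: map[string][]func(locationEvent){}}
	d := newDecisionDaemon(b, 60*time.Second)
	const tag, subj, res = "00:0c:cc:11:22:33", "crawler-7-hit", "robot-controller"
	d.tagOfHIT[subj] = tag
	d.policy[res] = map[string]bool{"40-26": true}
	t0 := time.Date(2007, 5, 14, 9, 0, 0, 0, time.UTC)
	b.publish("rtls.location", locationEvent{Tag: tag, Zone: "40-26", At: t0})
	inZone, _ = d.decide(subj, res, t0.Add(5*time.Second))
	// A late-arriving older sighting from another zone must not flip the decision.
	b.publish("rtls.location", locationEvent{Tag: tag, Zone: "Bellevue", At: t0.Add(-30 * time.Second)})
	outOfOrderIgnored, _ = d.decide(subj, res, t0.Add(10*time.Second))
	b.publish("rtls.location", locationEvent{Tag: tag, Zone: "Bellevue", At: t0.Add(20 * time.Second)})
	ok, _ := d.decide(subj, res, t0.Add(25*time.Second))
	wrongZoneDenied = !ok
	// Back in the right zone, then silent for minutes: deny rather than trust the last known zone.
	b.publish("rtls.location", locationEvent{Tag: tag, Zone: "40-26", At: t0.Add(30 * time.Second)})
	ok, _ = d.decide(subj, res, t0.Add(3*time.Minute))
	staleDenied = !ok
	return
}

func main() { fmt.Println(scenario()) }
```

The staleness window is the parameter to think hardest about in a real deployment: it has to be longer than the tags' chirp interval plus broker latency, or legitimate clients are denied intermittently, but every minute added is a minute during which a tag that walked out of the zone is still trusted.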
Slide 36: Agenda (repeat of Slide 20)
Slide 37: Asset Tracking and Supply Chain Vision
(Source slide: Wireless_Application_Group_(WAG)_Vision_and_Arch_6-9-05.ppt, slide 43; Boeing Technology | Phantom Works; E&IT | Mathematics and Computing Technology; Copyright © 2004 Boeing. All rights reserved.)
[Diagram: Location Computation Server, Directory, Location Distribution Server and Policy, Location Requesting Client, Passive Tag Gate(s), RFID Information Repository and AAA Server on the Boeing Intranet.]
• 866-957 MHz passive tag RFID systems (internationally available frequencies)
• RFID RF containment device
• Tags only carry an innocuous number unless they are equipped with an encryption processor on the tag
• Wireless baseline scans for every installation
• Integrity protection
• WPA or WPA2
• IEEE 802.11 or 802.15.4 915 MHz sensors
• IEEE 802.11 active RFID tags (innocuous number)
• Encourage new serial cable replacements to those that use WPA
• Enterprise RLAN/RFID Management Council
• Enterprise RLAN/RFID Technical Council
Slide 38: Agenda (repeat of Slide 20)
Slide 39: Endbox (Crawlers)
• HIP Endbox
• Uses robust wireless network infrastructure securely
• Strong one-factor authentication using a SIM chip
[Diagram: HIP Bridge on the crawler; SMA end-to-end security association over the enterprise WLAN to the Controller.]
Slide 40: 2005 SMA Endbox Demonstration
• Real-time SMA Endbox mobility demonstration
[Diagram: the SMAmobile Robot roams among WLAN APs on 130.42.32.0/24 (Cisco switch, Bellevue; Directory, TempCert RA, LPDD, AAA Server, PKI) with a HIP SA to the SMAmobile Robot Controller. Boeing namespace: Mobile.tl.boeing.com.]
Slide 41: Crawler Connected to WLAN with SMA
Slide 42: Present Tech Transitions from SMA
• Network Location Service (NLS) deployed by Boeing IT
• 777 Crawlers: SMA/HIP Endbox (FactoryNet)
• HIP Bridge: enables legacy Ethernet equipment to use SMA in the factory (FactoryNet)
• Any controller-to-robot mobile secure communications in the factory (FactoryNet)
• Secure handoff using an end-to-end HIP-enabled Security Association (SA)