1 / 47

Mobility and IP Security in Networking

This lecture covers topics related to host mobility, IP security, and DNS security. It explores varying degrees of user mobility and the challenges of maintaining ongoing transfers. It also discusses different options for handling mobility, such as letting the routing protocol handle it or using a home agent. The lecture concludes with a discussion on the impact of mobility on higher-layer protocols.

rhealey
Télécharger la présentation

Mobility and IP Security in Networking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lecture 9 Advance Topics in Networking Host Mobility, IP and DNS Security

  2. Host Mobility

  3. Varying Degrees of User Mobility • Moves only within same access network • Single access point: mobility is irrelevant • Multiple access points: only link-link layer changes • Either way, users is not mobile at the network layer • Shuts down between changes access networks • Host gets new IP address at the new access network • No need to support any ongoing transfers • Applications have become good at supporting this • Maintains connections while changing networks • Surfing the ‘net while driving in a car or flying a plane • Need to ensure traffic continues to reach the host

  4. Maintaining Ongoing Transfers • Seamless transmission to a mobile host B A

  5. E.g., Keep Track of Friends on the Move • Sending a letter to a friend who moves often • How do you know where to reach him? • Option #1: have him update you • Friend contacts you on each move • So you can mail him directly • E.g., Boeing Connexion service • Option #2: ask his parents when needed • Parents serve as “permanent address” • So they can forward your letter to him • E.g., Mobile IP

  6. Option #1: Let Routing Protocol Handle It • Mobile node has a single, persistent address • Address injected into routing protocol (e.g., OSPF) A B 12.34.45.0/24 12.34.45.7/32 Mobile host with IP address 12.34.45.7

  7. Example: Boeing Connexion Service • Boeing Connexion service • Mobile Internet access provider • WiFi “hot spot” at 35,000 feet moving 600 mph • Went out of business in December 2006…  • Communication technology • Antenna on the plane to leased satellite transponders • Ground stations serve as Internet gateways • Using BGP for mobility • IP address block per airplane • Ground station advertises into BGP • http://www.nanog.org/mtg-0405/abarbanel.html

  8. Example: Boeing Connexion Service 12.78.3.0/24 Internet

  9. Summary: Letting Routing Handle It • Advantages • No changes to the end host • Traffic follows an efficient path to new location • Disadvantages • Does not scale to large number of mobile hosts • Large number of routing-protocol messages • Larger routing tables to store smaller address blocks • Alternative • Mobile IP

  10. Option #2: Home Network and Home Agent Home network:permanent “home” of mobile (e.g., 128.119.40/24) Home agent:entity that will perform mobility functions on behalf of mobile, when mobile is remote wide area network Permanent address:address in home network, can always be used to reach mobile e.g., 128.119.40.186 correspondent Correspondent:wants to communicate with mobile

  11. Visited Network and Care-of Address Visited network:network in which mobile currently resides (e.g., 79.129.13/24) Permanent address:remains constant (e.g., 128.119.40.186) Care-of-address:address in visited network. (e.g., 79,129.13.2) wide area network Home agent: entity in visited network that performs mobility functions on behalf of mobile. Correspondent:wants to communicate with mobile

  12. mobile contacts foreign agent on entering visited network foreign agent contacts home agent home: “this mobile is resident in my network” 1 2 Mobility: Registration • Foreign agent knows about mobile • Home agent knows location of mobile visited network home network wide area network

  13. foreign agent receives packets, forwards to mobile home agent intercepts packets, forwards to foreign agent correspondent addresses packets using home address of mobile mobile replies directly to correspondent 3 2 4 1 Mobility via Indirect Routing visited network home network wide area network

  14. Indirect Routing: Efficiency Issues • Mobile uses two addresses • Permanent address: used by correspondent (making mobile’s location is transparent to correspondent) • Care-of-address: used by the home agent to forward datagram to the mobile • Mobile may perform the foreign agent functions • Triangle routing is inefficient • E.g., correspondent and mobile in the same network

  15. foreign agent receives packets, forwards to mobile mobile replies directly to correspondent 4 2 4 1 3 Mobility via Direct Routing correspondent forwards to foreign agent visited network home network wide area network correspondent requests, receives foreign address of mobile No longer transparent to the correspondent

  16. Mobility Today • Limited support for mobility • E.g., among base stations on a campus • Applications increasingly robust under mobility • Robust to changes in IP address, and disconnections • E.g., e-mail client contacting the e-mail server • … and allowing reading/writing while disconnected • New Google Gears for offline Web applications • Increasing demand for seamless IP mobility • E.g., continue a VoIP call while on the train • Increasing integration of WiFi and cellular • E.g., dual-mode cell phones that can use both networks • Called Unlicensed Mobile Access (UMA)

  17. Impact on Higher-Layer Protocols • Wireless and mobility change path properties • Wireless: higher packet loss, not from congestion • Mobility: transient disruptions, and changes in RTT • Logically, impact should be minimal … • Best-effort service model remains unchanged • TCP and UDP can (and do) run over wireless, mobile • But, performance definitely is affected • TCP treats packet loss as a sign of congestion • TCP tries to estimate the RTT to drive retransmissions • TCP does not perform well under out-of-order packets • Internet not designed with these issues in mind

  18. Conclusions • Wireless • Already a major way people connect to the Internet • Gradually becoming more than just an access network • Mobility • Today’s users tolerate disruptions as they move • … and applications try to hide the effects • Tomorrow’s users expect seamless mobility • Challenges the design of network protocols • Wireless breaks the abstraction of a link, and the assumption that packet loss implies congestion • Mobility breaks association of address and location • Higher-layer protocols don’t perform as well

  19. IP Security

  20. IP Security • There is range of app-specific security mechanisms • eg. S/MIME, PGP, Kerberos, SSL/HTTPS • However there are security concerns that cut across protocol layers • Implement by the network for all applications? Enter IPSec!

  21. IPSec • General IP Security mechanisms • Provides • authentication • confidentiality • key management • Applicable to use over LANs, across public & private WANs, and for the Internet

  22. IPSec Uses

  23. Benefits of IPSec • If in a firewall/router: • Provides strong security to all traffic crossing the perimeter • Resistant to bypass • Is below transport layer, hence transparent to applications • Can be transparent to end users • Can provide security for individual users • Secures routing architecture

  24. IP Security Architecture • Specification is quite complex • Defined in numerous RFC’s • Incl. RFC 2401 / 2402 / 2406 / 2408 • Mandatory in IPv6, optional in IPv4 • Have two security header extensions: • Authentication Header (AH) • Encapsulating Security Payload (ESP)

  25. IPSec Services • Access control • Connectionless integrity • Data origin authentication • Rejection of replayed packets • A form of partial sequence integrity via seq #’s • But not as robust as if on top of TCP • Confidentiality (encryption) • Limited traffic flow confidentiality

  26. Transport vs. Tunnel Mode ESP • Transport mode is used to encrypt & optionally authenticate IP data • Data protected but header left in clear • Can do traffic analysis but is efficient • Good for host-to-host traffic • Tunnel mode encrypts entire IP packet • Add new header for next hop • Good for VPNs, gateway-to-gateway security

  27. LAB (Establishing VPN)

  28. LAB (Establishing VPN)

  29. LAB (Establishing VPN)

  30. LAB (Establishing VPN)

  31. LAB (Establishing VPN)

  32. LAB (Establishing VPN)

  33. LAB (Establishing VPN)

  34. DNS Security

  35. Source: http://nsrc.org/tutorials/2009/apricot/dnssec/dnssec-tutorial.pdf

  36. Root level DNS attacks • Feb. 6, 2007: • Botnet attack on the 13 Internet DNS root servers • Lasted 2.5 hours • None crashed, but two performed badly: • g-root (DoD), l-root (ICANN) • Most other root servers use anycast

  37. Do you trust the TLD operators? • Wildcard DNS record for all .com and .net domain names not yet registered by others • September 15 – October 4, 2003 • February 2004: Verisign sues ICANN • Redirection for these domain names to Verisign web portal: “to help you search” • and serve you ads…and get “sponsored” search

  38. Defense: Replication and Caching source: wikipedia

  39. DNS QuerySrcIP: DoS Target (60 bytes) EDNS Reponse (3000 bytes) DNS Amplification Attack DNS Amplification attack: ( 40 amplification ) DNSServer DoSSource DoSTarget 580,000 open resolvers on Internet (Kaminsky-Shiffman’06)

  40. Solutions ip spoofed packets Open amplifier attacker replies prevent ip spoofing disable open amplifiers victim

  41. But should we believe it? Enter DNSSEC • DNSSEC protects against data spoofing and corruption • DNSSEC also provides mechanisms to authenticate servers and requests • DNSSEC provides mechanisms to establish authenticity and integrity

  42. PK-DNSSEC (Public Key) • The DNS servers sign the hash of resource record set with its private (signature) keys • Public keys can be used to verify the SIGs • Leverages hierarchy: • Authenticity of nameserver’s public keys is established by a signature over the keys by the parent’s private key • In ideal case, only roots’ public keys need to be distributed out-of-band

  43. Verifying the tree Question: www.cnn.com ? .(root) dns.cs.biit.edu.pk www.cnn.com A ? src.cs.biit.edu.pk ask .com server SIG (IP addr and PK of .com server) resolver Stub resolver www.cnn.com A ? xxx.xxx.xxx.xxx www.cnn.com A ? .com transaction signatures ask cnn.com server SIG (IP addr and PK of cnn.com server) add to cache slave servers www.cnn.com A ? SIG (xxx.xxx.xxx.xxx) transaction signatures cnn.com

  44. Summary • Network security and definitions • Securing IP communication and DNS lookup

  45. Assignment • Write notes on the words highlighted in Green in this lecture • Quiz from Highlighted Words in Next Class !

  46. DNS Tools Lab (nslookup) • nslookup • dig • Using zoneedit.com

  47. The End Questions?

More Related