Advanced Issues in Internet Protocol (IP)

- IPv4
- Network Address Translation (NAT)
- IPv6
- IP Security (IPsec)
- Mobile IP
- IP Telephony

Network Architecture and Design

IP Security (IPsec)

Advantages:
- Provides seamless security to the application and transport layers (ULPs)
- Allows per-flow or per-connection security and thus allows for very fine-grained security control

Disadvantages:
- More difficult to exercise on a per-user basis on a multi-user machine

IPsec Services

- Connectionless integrity: assurance that received traffic has not been modified; integrity includes anti-replay defenses
- Data origin authentication: assurance that traffic is sent by the legitimate party or parties
- Confidentiality (encryption): assurance that the user's traffic is not examined by unauthorized parties
- Access control: prevention of unauthorized use of a resource

IPsec Protocols

IPsec = AH + ESP + IPcomp + IKE

Authentication Header (AH)
- Provides an authenticity guarantee for packets by attaching a strong cryptographic checksum to each packet
- Ensures:
  - The packet was originated by the expected peer
  - The packet was not generated by an impersonator
  - The packet was not modified in transit

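The AH guarantees above, as an added example that is not from the slides: an HMAC-SHA1-96 integrity check value computed over the immutable IP header fields, the AH header and the payload, checked together with the sequence number, so a modified, forged or replayed packet is rejected while a router's TTL change is not. The key, addresses and payload are constructed for the demo; in practice the key comes from IKE.

```python
import hmac
import hashlib
import socket
import struct

# Added example (not from the slides): an AH-style integrity check over an IPv4 packet.
# Assumptions: HMAC-SHA1-96 (RFC 2404) as the ICV algorithm, a constructed pre-shared
# key (in practice negotiated by IKE), and 20-byte IPv4 headers without options.
KEY = b"constructed-demo-key"
AH_PROTO = 51          # IP protocol number for AH
IP_FMT = "!BBHHHBBH4s4s"

def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal IPv4 header; the checksum is left zero for brevity."""
    return struct.pack(IP_FMT, 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def immutable_view(ip_hdr):
    """Zero the fields AH excludes from the ICV: TOS, flags/fragment offset, TTL, checksum."""
    v, _tos, tlen, ident, _flags, _ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, ip_hdr)
    return struct.pack(IP_FMT, v, 0, tlen, ident, 0, 0, proto, 0, src, dst)

def ah_icv(ip_hdr, ah_fixed, payload):
    """ICV = HMAC over immutable IP fields + AH header (ICV zeroed) + payload, truncated to 96 bits."""
    data = immutable_view(ip_hdr) + ah_fixed + b"\x00" * 12 + payload
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def build_ah_packet(src, dst, spi, seq, payload, next_header=17):
    """Sender: AH = next header, payload len (24 bytes = 6 words, minus 2), reserved, SPI, seq, ICV."""
    ah_fixed = struct.pack("!BBHII", next_header, 4, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + 24 + len(payload))
    return ip_hdr + ah_fixed + ah_icv(ip_hdr, ah_fixed, payload) + payload

def verify_ah_packet(pkt, last_seq):
    """Receiver: returns (accepted, seq). Rejects a bad ICV (modified or forged packet) and a
    sequence number not above the last accepted one (replay). Real AH keeps a sliding window
    of sequence numbers; strictly increasing is the simplest form of that check."""
    ip_hdr, ah_fixed, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    seq = struct.unpack("!I", ah_fixed[8:12])[0]
    if not hmac.compare_digest(icv, ah_icv(ip_hdr, ah_fixed, payload)):
        return False, seq
    if seq <= last_seq:
        return False, seq
    return True, seq

if __name__ == "__main__":
    pkt = build_ah_packet("192.0.2.1", "198.51.100.2", spi=0x100, seq=1, payload=b"hello")
    print(verify_ah_packet(pkt, last_seq=0))                      # (True, 1)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    print(verify_ah_packet(tampered, last_seq=0))                 # (False, 1): modified in transit
    print(verify_ah_packet(pkt, last_seq=1))                      # (False, 1): replayed
    hopped = pkt[:8] + bytes([pkt[8] - 1]) + pkt[9:]              # TTL decremented by a router
    print(verify_ah_packet(hopped, last_seq=0))                   # (True, 1): mutable field ignored
```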
IPsec Protocols

Encapsulating Security Payload (ESP)
- Provides a confidentiality guarantee for packets by encrypting them with encryption algorithms
- Ensures:
  - The packet was not wiretapped in the middle

IPsec Protocols

IP payload compression (IPcomp)
- Provides a way to compress packets before encryption by ESP

Internet Key Exchange (IKE)
- AH and ESP need a shared secret key between the peers
- IKE provides ways to negotiate keys in secrecy

IPsec RFCs: RFC 2401-2412

IPsec Modes

[Figure: overview diagram of the IPsec modes (transport and tunnel); the two slides that follow give one example of each.]

IPsec Example (Transport)

Bulk data in clear text, but sensitive information encrypted.
Privacy, transparency, flexibility and high performance.

[Figure: two IPsec hosts on separate LANs, each behind a router, exchanging traffic across the Internet. Clear-text bulk data travels as IP header + payload; sensitive information travels as IP header + IPsec ESP header + encrypted ESP payload. Only the payload is encrypted; the original IP header stays in clear text end to end.]

IPsec Example (Tunnel)

A single IPsec gateway secures multiple site networks.
Simplicity, high performance, flexibility and compatibility.

[Figure: an IPsec "tunnel" between two IPsec gateways across the Internet, one per LAN. Inside each LAN packets travel in clear text as IP header + payload; between the gateways the whole original packet (IP header + payload) is encrypted as the ESP payload and preceded by a new IP header and an IPsec ESP header.]

Mobile IP – The Problem

[Figure: a mobile node moving from its Home Network to a Foreign Network.]

- A mobile host must be assigned a new address when it moves outside of the home network
- The host address must be preserved regardless of the host's location

Mobile IP – Basic Entities

- Mobile Node (or Mobile Host)
- Home Agent (HA): the agent of the network where the mobile node belongs (Home Network)
- Foreign Agent (FA): the agent of the foreign network where the mobile node may be found
- Home Address (HA): the mobile node's permanent address
- Care-of Address (CA): the mobile node's temporary address assigned in the foreign network

Mobile IP – Basic Entities

- A mobile node keeps its home address inside the home network, but in a foreign network it borrows a care-of address
- Agents take care of all issues related to the mapping of the care-of address to the home address
- Agents are:
  - Routers
  - Advanced servers

Mobile IP Mechanism

1. Advertising care-of address
2. Registration
3. Tunneling

Mobile IP – Advertising Care-of Address

- Home and foreign agents periodically broadcast agent advertisements (ICMP messages) to mobile nodes
- Messages contain:
  - mobility agent address
  - care-of addresses
- If (network prefix of the advertisement's IP source address = network prefix of the home address) then
  - the mobile node is in the home network
- Else
  - move detection
  - registration required

Mobile IP – Advertising Care-of Address

[Figure: a Home Agent (agent address 132.5.3.2, care-of address 132.5.3.8) and a Foreign Agent (agent address 169.17.8.29, care-of address 169.17.8.11) connected over the Internet. Two mobile nodes with home addresses 132.5.3.69 and 132.5.3.74: the one hearing the home agent's advertisement is in the home network; the one hearing the foreign agent's advertisement requires registration.]

Mobile IP - Registration

[Figure: mobile host, foreign agent and home agent connected over the Internet.]

1. Host requests service
2. Foreign Agent relays the request to the Home Agent
3. Home Agent accepts or denies
4. Foreign Agent relays the status to the Host

After registration:
- Both the host and the agents know the host's new location
- The home agent knows the host's care-of address

Mobile IP - Tunneling

How are packets from sources delivered to the host?
- The home agent (router) intercepts packets destined to the host
- The home agent tunnels (encapsulates) the packets to the care-of address
- The foreign agent decapsulates the packets and delivers them to the mobile host

Mobile IP - Tunneling

Mobile Host Home Address: 148.6.8.2
Mobile Host Care-of Address: 134.2.5.7

[Figure: a source sends packets to the host as Header (Dest. Addr. 148.6.8.2) + Payload (Data). The Home Agent tunnels them across the Internet as Outer Header (Dest. Addr. 134.2.5.7) + Inner Header (Dest. Addr. 148.6.8.2) + Payload (Data). The Foreign Agent strips the outer header and delivers Header (Dest. Addr. 148.6.8.2) + Payload (Data) to the Mobile Host.]

Mobile IP: NAT issues

The problem:
- IP in IP tunnels cannot traverse NAT.
- The care-of address is a private address. This address is not reachable from outside the private network.
- Two mobile nodes in different private networks may happen to have the same private address as care-of address.

The solution: draft-ietf-mobileip-nat-traversal-05.txt
- Use IP in UDP tunnels.
- Use the source IP address and source port of Registration Request messages to locate the mobile node.
- Add an option to registration messages to inform of UDP tunneling capability.

IP Telephony

- So far the PSTN and the Internet have been two separate networks
- Need for integration
- Solution: Voice over IP (VoIP)
- New devices:
  - IP Telephones
  - Gatekeepers

IP Telephony

[Figure: an IP Phone and a PC on an IP Network with a Gatekeeper; a Switch connects the IP Network to the PSTN, where an ordinary Phone is attached.]

IP Telephony vs. Pure Telephony

Pure telephony:
- End-to-end QoS
- No delay
- Isolated from new IP services

IP telephony:
- Variable QoS
- Delay
- Integrated with other services
- Problems will be solved in the future

IP Telephony Features

- Data transport: RTP
- Signalling:
  - IETF SIP protocol suite
  - ITU-T H.323 protocol suite
- Quality of Service: RSVP

IP Telephony Protocol Stack

[Figure: layered diagram of the IP telephony protocol stack; not recoverable from the text.]

First Intermediate Report

Topics:
- NAT and Mobile IP
- IPv6 and IPsec

I. Stergiou
A. Sgora

Deadline: 15/01/03

First Intermediate Report

Structure:
1. Overview of the examined technology
2. Focus on open research points
3. Works related to the open points (state of the art behind the open points)
4. Your own interests and ideas
5. Conclusions
6. References

First Intermediate Report

Deliverables:
- Report (soft and hard copy)
- A related presentation (about twenty minutes)

End of Second Lecture