Transcript View File

Lecture 9
Advance Topics in
Networking
Host Mobility, IP and DNS Security
McGraw-Hill Technology Education
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
Host Mobility
2
Varying Degrees of User Mobility
• Moves only within same access network
– Single access point: mobility is irrelevant
– Multiple access points: only link-link layer changes
– Either way, users is not mobile at the network
layer
• Shuts down between changes access
networks
– Host gets new IP address at the new access
network
– No need to support any ongoing transfers
– Applications have become good at supporting this
• Maintains connections while changing
networks
– Surfing the ‘net while driving in a car or flying a
plane
– Need to ensure traffic continues to reach the host
3
Maintaining Ongoing Transfers
• Seamless transmission to a mobile host
A
B
4
E.g., Keep Track of Friends on the Move
• Sending a letter to a friend who moves often
– How do you know where to reach him?
• Option #1: have him update you
– Friend contacts you on each move
– So you can mail him directly
– E.g., Boeing Connexion service
• Option #2: ask his parents when needed
– Parents serve as “permanent address”
– So they can forward your letter to him
– E.g., Mobile IP
5
Option #1: Let Routing Protocol Handle It
• Mobile node has a single, persistent address
• Address injected into routing protocol (e.g.,
OSPF)
A
12.34.45.0/24
B
12.34.45.7/32
Mobile host with IP address 12.34.45.7
6
Example: Boeing Connexion Service
• Boeing Connexion service
– Mobile Internet access provider
– WiFi “hot spot” at 35,000 feet moving 600 mph
– Went out of business in December 2006… 
• Communication technology
– Antenna on the plane to leased satellite
transponders
– Ground stations serve as Internet gateways
• Using BGP for mobility
– IP address block per airplane
– Ground station advertises into BGP
– http://www.nanog.org/mtg-0405/abarbanel.html
Example: Boeing Connexion Service
12.78.3.0/24
Internet
Summary: Letting Routing Handle It
• Advantages
– No changes to the end host
– Traffic follows an efficient path to new location
• Disadvantages
– Does not scale to large number of mobile hosts
• Large number of routing-protocol messages
• Larger routing tables to store smaller address blocks
• Alternative
– Mobile IP
9
Option #2: Home Network and Home Agent
Home network:
permanent “home” of
mobile
(e.g., 128.119.40/24)
Home agent: entity that will
perform mobility functions on
behalf of mobile, when mobile is
remote
wide area
network
Permanent address:
address in home network,
can always be used to
reach mobile
e.g., 128.119.40.186
correspondent
Correspondent: wants to
communicate with mobile
10
Visited Network and Care-of Address
Permanent address: remains
constant (e.g., 128.119.40.186)
Visited network: network in
which mobile currently
resides (e.g., 79.129.13/24)
Care-of-address: address in
visited network.
(e.g., 79,129.13.2)
wide area
network
Correspondent: wants to
communicate with mobile
Home agent: entity in
visited network that
performs mobility
functions on behalf of
mobile.
11
Mobility: Registration
visited network
home network
2
wide area
network
foreign agent contacts home agent
home: “this mobile is resident in my
network”
1
mobile contacts
foreign agent on
entering visited
network
• Foreign agent knows about mobile
• Home agent knows location of mobile
12
Mobility via Indirect Routing
foreign agent
receives packets,
forwards to mobile
home agent intercepts
packets, forwards to
foreign agent
home
network
3
wide area
network
correspondent
addresses packets
using home address
of mobile
1
visited
network
2
4
mobile replies
directly to
correspondent
13
Indirect Routing: Efficiency Issues
• Mobile uses two addresses
– Permanent address: used by correspondent (making mobile’s
location is transparent to correspondent)
– Care-of-address: used by the home agent to forward
datagram to the mobile
• Mobile may perform the foreign agent functions
• Triangle routing is inefficient
– E.g., correspondent and mobile in the same network
Mobility via Direct Routing
foreign agent
receives packets,
forwards to mobile
correspondent forwards
to foreign agent
home
network
4
wide area
network
2
correspondent
requests, receives
foreign address of
mobile
visited
network
3
1
No longer transparent to the correspondent
4
mobile replies
directly to
correspondent
Mobility Today
• Limited support for mobility
– E.g., among base stations on a campus
• Applications increasingly robust under mobility
–
–
–
–
Robust to changes in IP address, and disconnections
E.g., e-mail client contacting the e-mail server
… and allowing reading/writing while disconnected
New Google Gears for offline Web applications
• Increasing demand for seamless IP mobility
– E.g., continue a VoIP call while on the train
• Increasing integration of WiFi and cellular
– E.g., dual-mode cell phones that can use both networks
– Called Unlicensed Mobile Access (UMA)
Impact on Higher-Layer Protocols
• Wireless and mobility change path properties
– Wireless: higher packet loss, not from congestion
– Mobility: transient disruptions, and changes in RTT
• Logically, impact should be minimal …
– Best-effort service model remains unchanged
– TCP and UDP can (and do) run over wireless, mobile
• But, performance definitely is affected
– TCP treats packet loss as a sign of congestion
– TCP tries to estimate the RTT to drive retransmissions
– TCP does not perform well under out-of-order packets
• Internet not designed with these issues in mind
Conclusions
• Wireless
– Already a major way people connect to the Internet
– Gradually becoming more than just an access network
• Mobility
– Today’s users tolerate disruptions as they move
– … and applications try to hide the effects
– Tomorrow’s users expect seamless mobility
• Challenges the design of network protocols
– Wireless breaks the abstraction of a link, and the assumption that
packet loss implies congestion
– Mobility breaks association of address and location
– Higher-layer protocols don’t perform as well
IP Security
IP Security
• There is range of app-specific security
mechanisms
– eg. S/MIME, PGP, Kerberos, SSL/HTTPS
• However there are security concerns that cut
across protocol layers
• Implement by the network for all applications?
Enter IPSec!
IPSec
• General IP Security mechanisms
• Provides
– authentication
– confidentiality
– key management
• Applicable to use over LANs, across
public & private WANs, and for the
Internet
IPSec Uses
Benefits of IPSec
• If in a firewall/router:
– Provides strong security to all traffic
crossing the perimeter
– Resistant to bypass
• Is below transport layer, hence
transparent to applications
• Can be transparent to end users
• Can provide security for individual users
• Secures routing architecture
IP Security Architecture
• Specification is quite complex
• Defined in numerous RFC’s
– Incl. RFC 2401 / 2402 / 2406 / 2408
• Mandatory in IPv6, optional in IPv4
• Have two security header extensions:
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)
IPSec Services
•
•
•
•
Access control
Connectionless integrity
Data origin authentication
Rejection of replayed packets
– A form of partial sequence integrity via seq
#’s
– But not as robust as if on top of TCP
• Confidentiality (encryption)
• Limited traffic flow confidentiality
Transport vs. Tunnel Mode ESP
• Transport mode is used to encrypt &
optionally authenticate IP data
– Data protected but header left in clear
– Can do traffic analysis but is efficient
– Good for host-to-host traffic
• Tunnel mode encrypts entire IP packet
– Add new header for next hop
– Good for VPNs, gateway-to-gateway
security
LAB (Establishing VPN)
LAB (Establishing VPN)
LAB (Establishing VPN)
LAB (Establishing VPN)
LAB (Establishing VPN)
LAB (Establishing VPN)
LAB (Establishing VPN)
DNS Security
Source: http://nsrc.org/tutorials/2009/apricot/dnssec/dnssec-tutorial.pdf
Root level DNS attacks
• Feb. 6, 2007:
– Botnet attack on the 13 Internet DNS root
servers
– Lasted 2.5 hours
– None crashed, but two performed badly:
• g-root (DoD), l-root (ICANN)
• Most other root servers use anycast
Do you trust the TLD operators?
• Wildcard DNS record for all .com and
.net domain names not yet registered by
others
– September 15 – October 4, 2003
– February 2004: Verisign sues ICANN
• Redirection for these domain names to
Verisign web portal: “to help you
search”
– and serve you ads…and get “sponsored”
search
Defense: Replication and Caching
source: wikipedia
DNS Amplification Attack
DNS Amplification attack: ( 40 amplification )
DNS Query
SrcIP: DoS Target
EDNS Reponse
(60 bytes)
DoS
Source
(3000 bytes)
DNS
Server
DoS
Target
580,000 open resolvers on Internet (Kaminsky-Shiffman’06)
Solutions
ip spoofed packets
attacker
prevent
ip spoofing
Open
amplifier
disable
open amplifiers
victim
But should we believe it?
Enter DNSSEC
• DNSSEC protects against data spoofing
and corruption
• DNSSEC also provides mechanisms to
authenticate servers and requests
• DNSSEC provides mechanisms to
establish authenticity and integrity
PK-DNSSEC (Public Key)
• The DNS servers sign the hash of resource
record set with its private (signature) keys
• Public keys can be used to verify the SIGs
• Leverages hierarchy:
– Authenticity of nameserver’s public keys is
established by a signature over the keys by the
parent’s private key
– In ideal case, only roots’ public keys need to be
distributed out-of-band
Verifying the tree
Question: www.cnn.com ?
.(root)
dns.cs.biit.edu.pk
src.cs.biit.edu.pk
Stub
resolver
ask .com server
SIG (IP addr and PK of .com server)
www.cnn.com A ?
xxx.xxx.xxx.xxx
resolver
transaction
signatures
www.cnn.com A ?
.com
ask cnn.com server
SIG (IP addr and PK of cnn.com server)
add to cache
slave servers
transaction
signatures
cnn.com
Summary
• Network security and definitions
• Securing IP communication and DNS lookup
Assignment
• Write notes on the words highlighted in
Green in this lecture
• Quiz from Highlighted Words in Next
Class !
DNS Tools Lab (nslookup)
• nslookup
• dig
• Using zoneedit.com
The End
Questions?
McGraw-Hill Technology Education
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.