
Advanced Issues in Internet Protocol (IP)

- IPv4
- Network Address Translation (NAT)
- IPv6
- IP Security (IPsec)
- Mobile IP
- IP Telephony
Network Architecture and Design
1
Challenges to IP

- Addresses needed for the 21st century
- Internet devices will be more numerous, and not adequately handled by NATs
  - Estimated 20 billion people
  - Multiple interfaces/node
  - Multiple addresses/interface
  - e.g. mobile phones, cards, residential servers
- The solution: IPv6
IPv6

- IPv6 address: 128 bits
  - 3.4 x 10^38 different addresses
  - Allows:
    - multiple interfaces per host
    - multiple addresses per interface
    - advanced routing functions
      - unicast
      - multicast
      - anycast
IPv6 Notation

- X:X:X:X:X:X:X:X where each X is the hex value of a 16-bit word, e.g.
  FEDC:BA98:7654:3210:FEDC:BA98:7654:3210
- One sequence of zero words may be skipped (written as "::"), e.g.
  FEDC:0000:0000:0000:9876:0000:0000:ABCD = FEDC::9876:0000:0000:ABCD
IPv6 Address Types

According to the prefix there are 5 types of addresses:

- Provider-based (global): prefix 010
- Local use:
  - Link local: prefix 1111 1110 10
  - Site local: prefix 1111 1110 11
- Multicast: prefix 1111 1111
- Reserved (unspecified, loopback, IPv6 with embedded IPv4 addresses): prefix 0000 0000
IPv6 Address Types

[Figure: nested scopes Global > Site-Local > Link-Local]

- Global: forwarded anywhere
- Site Local: not forwarded outside the site
- Link Local: not forwarded outside the link
IPv6 Provider Based Address

Field           Bits
010 (prefix)    3
Registry ID     5
Provider ID     16
0               8
Subscriber ID   24
0               8
Subnet ID       16
Interface ID    48

Forwarded anywhere
IPv6 - Link Local Address

Field           Bits
1111 1110 10    10
0               118-n
Interface ID    n

Not forwarded outside the link
IPv6 - Site Local Address

Field           Bits
1111 1110 11    10
0               118-n
Interface ID    n

Not forwarded outside the site
IPv6 – Multicast Addresses

Field           Bits
1111 1111       8
Flags           4
Scope           4
Group ID        112

- Flags: 000T
  - T=0 for a permanent address
  - T=1 for a transient address
- Scope:
  - 1: Node Local
  - 2: Link Local
  - 8: Org Local
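The notation, address-type and multicast slides above state rules that are easy to get wrong by hand. The following Python is an added example, not part of the lecture: it expands and re-compresses the "::" shorthand (shortest form, so the slide's FEDC::9876:0000:0000:ABCD comes back as fedc::9876:0:0:abcd) and classifies an address by the prefix table and the multicast flag/scope values exactly as the slides list them.

```python
import re

# Prefixes as listed on the address-type slides (the RFC 1884-era allocation).
PREFIXES = [("0000 0000", "reserved (unspecified, loopback, embedded IPv4)"),
            ("010", "provider-based (global)"), ("1111 1110 10", "link local"),
            ("1111 1110 11", "site local"), ("1111 1111", "multicast")]
MCAST_SCOPE = {1: "node local", 2: "link local", 8: "org local"}  # scope values from the slide

def expand(addr):
    """Undo the '::' shorthand: return the eight 16-bit words as integers."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    head, sep, tail = addr.partition("::")
    words = [w for w in head.split(":") if w]
    if sep:  # '::' stands for as many zero words as are needed to reach eight
        rest = [w for w in tail.split(":") if w]
        words += ["0"] * (8 - len(words) - len(rest)) + rest
    if len(words) != 8 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,4}", w) for w in words):
        raise ValueError("malformed IPv6 address: %r" % addr)
    return [int(w, 16) for w in words]

def compress(words):
    """Hex notation with the longest run of two or more zero words (the first on a tie)
    replaced by '::', as on the notation slide; other words are written without leading zeros."""
    best, best_len, i = -1, 1, 0
    while i < 8:
        j = i
        while j < 8 and words[j] == 0:
            j += 1
        if j - i > best_len:
            best, best_len = i, j - i
        i = j + 1 if j == i else j
    hexw = ["%x" % w for w in words]
    if best < 0:
        return ":".join(hexw)
    return ":".join(hexw[:best]) + "::" + ":".join(hexw[best + best_len:])

def classify(addr):
    """Name the address type from its leading bits; decode flags and scope for multicast."""
    bits = "".join("{:016b}".format(w) for w in expand(addr))
    for prefix, name in PREFIXES:
        if bits.startswith(prefix.replace(" ", "")):
            if name != "multicast":
                return name
            kind = "transient" if bits[11] == "1" else "permanent"  # flags field is 000T
            scope = int(bits[12:16], 2)
            return "multicast (%s, scope %d: %s)" % (kind, scope, MCAST_SCOPE.get(scope, "other"))
    return "unassigned"
```

Note that the slide's own example address FEDC:BA98:... starts with the bits 1111 1110 11, so by the slide's table it is a site-local address.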
IPv6 Packet Header

IPv6 header fields:
- Version (4 bits)
- Priority (4 bits)
- Flow Label (24 bits)
- Payload Length (16 bits)
- Next Header (8 bits)
- Hop Limit (8 bits)
- Source Address (128 bits)
- Destination Address (128 bits)

IPv4 header fields, for comparison:
- Vers = 4, IHL, Type of Service, Total Length
- Identification, Flags, Fragment Offset
- Time to Live, Protocol, Header Checksum
- Source Address
- Destination Address
- Options

The fields shaded in the original figure are absent from the IPv6 header.
IPv6 Extension Headers

- The Options field of IPv4 is replaced by extension headers, used for special purposes
- Extension headers are chained together through the Next Header field:
  - IPv6 Header (Next Header = TCP) -> TCP Header + Data
  - IPv6 Header (Next Header = Routing) -> Routing Header (Next Header = TCP) -> TCP Header + Data
  - IPv6 Header (Next Header = Routing) -> Routing Header (Next Header = Fragment) -> Fragment Header (Next Header = TCP) -> Fragment of TCP Header + Data
IPv6 Header Types

Header types (Next Header values):
- Hop-by-Hop = 0
- Routing Header = 43
- Fragment Header = 44
- Authentication Header = 51
- Encrypted Payload = 52
- TCP = 6
- UDP = 17
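As an added example (not from the slides), the following Python builds an IPv6 packet with the field widths shown on the header slide and walks the Next Header chain from the fixed header through Routing and Fragment headers to the upper-layer protocol, as in the third chain on the extension-header slide. The Next Header values are the ones in the table above (Encrypted Payload is left out); the addresses, the flow label value and the minimal 8-byte extension headers are constructed.

```python
import struct

# Next Header values from the header-types slide (they are IANA protocol numbers).
HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, TCP, UDP = 0, 43, 44, 51, 6, 17
EXT_HEADERS = {HOP_BY_HOP: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment", AUTH: "Authentication"}
UPPER_LAYER = {TCP: "TCP", UDP: "UDP"}

def parse_fixed_header(pkt):
    """Decode the 40-byte fixed header with the slide's field widths (4/4/24-bit first word)."""
    first, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    return {"version": first >> 28, "priority": (first >> 24) & 0xF,
            "flow_label": first & 0xFFFFFF, "payload_length": payload_len,
            "next_header": next_hdr, "hop_limit": hop_limit,
            "src": pkt[8:24], "dst": pkt[24:40]}

def walk_chain(pkt):
    """Follow Next Header fields through the extension headers; return (names, upper-layer offset)."""
    hdr = parse_fixed_header(pkt)
    if hdr["version"] != 6:
        raise ValueError("not an IPv6 packet")
    chain, nh, off = ["IPv6"], hdr["next_header"], 40
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")  # never read past the buffer
        name = EXT_HEADERS[nh]
        chain.append(name)
        nh, len_field = pkt[off], pkt[off + 1]
        if name == "Fragment":            # fixed 8 bytes
            off += 8
        elif name == "Authentication":    # AH counts 32-bit words, minus 2
            off += (len_field + 2) * 4
        else:                             # 8-octet units, not counting the first 8
            off += (len_field + 1) * 8
    chain.append(UPPER_LAYER.get(nh, "protocol %d" % nh))
    return chain, off

def build_packet(ext_chain, upper, payload, flow_label=0):
    """Construct a packet: fixed header, the listed extension headers, then the payload."""
    body, nh = payload, upper
    for kind in reversed(ext_chain):  # back to front, so each Next Header points at the next header
        if kind == FRAGMENT:
            body = struct.pack("!BBHI", nh, 0, 0, 0) + body   # next hdr, reserved, offset/M, id
        else:
            body = bytes([nh, 0]) + bytes(6) + body           # minimal 8-byte header
        nh = kind
    first = (6 << 28) | (flow_label & 0xFFFFFF)               # version 6, priority 0
    addr = b"\xfe\x80" + bytes(13)                            # constructed link-local addresses
    return struct.pack("!IHBB", first, len(body), nh, 64) + addr + b"\x01" + addr + b"\x02" + body
```

The truncation check matters for a receiver: a packet whose fixed header promises an extension header that is not actually present must be dropped rather than parsed past the end of the buffer.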
IPv6 Flow Label Header Field

- The IPv6 header gives the ability to label a traffic flow (24 bits)
- The flow label indicates that packets need special handling:
  - Real time service
  - Special QoS
IPv6 – Priority Header Field

- 4 bit priority field
- Enables the source to identify the desired delivery priority of its packets relative to other packets from the same source
- Two ranges:
  - 0 through 7 specifies the priority of packets that are not real time
  - 8 through 15 specifies the priority of real time packets
IPv6 Vs IPv4

- Expanded addressing capabilities
- Simplified header format
  - Reduction in processing cost
  - Flow labeling
  - Support for authentication and privacy
  - Support for improved options and extensions
  - Support of all IPv4-based mechanisms
    - IPsec, diffserv, QoS features
IPv6 and IPv4 Co-existence

- IPv4 and IPv6 will exist together
- As time goes by:
  - Devices support only IPv4
  - Devices support IPv4 and IPv6
  - Devices support only IPv6
- Coexistence using:
  - Dual stack approach: applications choose the version to use
  - Tunneling approach: encapsulation of IPv6 in IPv4 packets
  - Translation approach: extended NAT techniques for translating IPv6 to IPv4
IP Security (IPsec)

Advantages:
- Provides seamless security to application and transport layers (ULPs)
- Allows per flow or per connection security and thus allows for very fine-grained security control

Disadvantages:
- More difficult to exercise on a per user basis on a multi-user machine
IPsec Services

- Connectionless integrity
  - Assurance that received traffic has not been modified
  - Integrity includes anti-replay defenses
- Data origin authentication
  - Assurance that traffic is sent by the legitimate party or parties
- Confidentiality (encryption)
  - Assurance that the user's traffic is not examined by non-authorized parties
- Access control
  - Prevention of unauthorized use of a resource
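The slide lists anti-replay defense as part of the integrity service. Below is an added Python example (not from the lecture) of the sliding-window check that AH and ESP receivers use for it: each sequence number is accepted once, a duplicate inside the window is rejected as a replay, and a packet older than the window is dropped. The window size and the sample sequence numbers are constructed.

```python
class ReplayWindow:
    """Sliding-window anti-replay check in the style of AH/ESP (RFC 4303, Appendix A).
    Run it only after the packet's integrity check has passed: a forged sequence number
    must not be allowed to move the window."""

    def __init__(self, size=64):
        self.size = size      # number of sequence numbers remembered, counting from the newest
        self.highest = 0      # highest sequence number accepted so far (right edge of the window)
        self.bitmap = 0       # bit d set means sequence number (highest - d) was already accepted

    def check_and_update(self, seq):
        """Return 'accept', 'replay', 'too old' or 'invalid', recording accepted packets."""
        if seq < 1 or seq > 0xFFFFFFFF:
            return "invalid"           # 0 is never sent; the 32-bit counter must not wrap
        if seq > self.highest:         # newer than anything seen: slide the window right
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) | 1 if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1   # bits that fell off the left edge are forgotten
            self.highest = seq
            return "accept"
        d = self.highest - seq
        if d >= self.size:
            return "too old"           # left of the window: cannot tell whether it was seen
        if self.bitmap >> d & 1:
            return "replay"
        self.bitmap |= 1 << d
        return "accept"


def process(seqs, size=64):
    """Feed a constructed list of received sequence numbers through one window; return the verdicts."""
    w = ReplayWindow(size)
    return [w.check_and_update(s) for s in seqs]
```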
IPsec Protocols

- IPsec = AH + ESP + IPcomp + IKE
- Authentication Header (AH)
  - Provides an authenticity guarantee for packets by attaching a strong cryptographic checksum to each packet
  - Ensures:
    - The packet was originated by the expected peer
    - The packet was not generated by an impersonator
    - The packet was not modified in transit
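An added Python example (not from the lecture) of the "strong crypto checksum" AH attaches: the sender inserts an AH between the IPv6 header and the payload and fills in an HMAC-SHA256 ICV computed over everything that must arrive unchanged; the receiver recomputes it and rejects packets from an impersonator or packets modified in transit, while a hop-limit decrement by routers is tolerated because that field is excluded. The 96-bit ICV truncation, the key, the make_ipv6_header helper and its addresses are assumptions, not part of the slides.

```python
import hashlib, hmac, struct

AH = 51  # Authentication Header value from the header-types slide

def make_ipv6_header(payload_len, next_header, hop_limit=64, flow_label=0):
    """Constructed 40-byte IPv6 header (version 6, priority 0) with made-up link-local addresses."""
    first = (6 << 28) | (flow_label & 0xFFFFFF)
    addr = b"\xfe\x80" + bytes(13)
    return struct.pack("!IHBB", first, payload_len, next_header, hop_limit) + addr + b"\x0a" + addr + b"\x0b"

def _icv_input(ipv6_hdr, ah, payload):
    """Bytes the checksum covers: the packet with the fields routers may change
    (priority, flow label, hop limit) and the ICV field itself set to zero."""
    version_only = struct.pack("!I", struct.unpack("!I", ipv6_hdr[:4])[0] & 0xF0000000)
    immutable_hdr = version_only + ipv6_hdr[4:7] + b"\x00" + ipv6_hdr[8:40]
    return immutable_hdr + ah[:12] + bytes(len(ah) - 12) + payload

def ah_protect(key, ipv6_hdr, payload, spi, seq, icv_len=12):
    """Insert an AH between the IPv6 header and its payload; ICV = truncated HMAC-SHA256.
    icv_len=12 (96 bits) is an assumption that keeps the AH a multiple of 8 octets."""
    ah_words_minus_2 = (12 + icv_len) // 4 - 2              # AH 'Payload Len' field
    ah = struct.pack("!BBHII", ipv6_hdr[6], ah_words_minus_2, 0, spi, seq) + bytes(icv_len)
    new_len = struct.unpack("!H", ipv6_hdr[4:6])[0] + len(ah)
    hdr = ipv6_hdr[:4] + struct.pack("!HB", new_len, AH) + ipv6_hdr[7:]  # chain: IPv6 -> AH -> old next header
    icv = hmac.new(key, _icv_input(hdr, ah, payload), hashlib.sha256).digest()[:icv_len]
    return hdr + ah[:12] + icv + payload

def ah_verify(key, pkt):
    """Recompute the ICV in constant time; return (spi, seq, payload), or None if the
    packet came from someone without the key or was modified in transit."""
    if len(pkt) < 52 or pkt[6] != AH:
        return None
    ah_len = (pkt[41] + 2) * 4
    hdr, ah, payload = pkt[:40], pkt[40:40 + ah_len], pkt[40 + ah_len:]
    expected = hmac.new(key, _icv_input(hdr, ah, payload), hashlib.sha256).digest()[:len(ah) - 12]
    if not hmac.compare_digest(expected, ah[12:]):
        return None
    _, _, _, spi, seq = struct.unpack("!BBHII", ah[:12])
    return spi, seq, payload
```

The key itself is the piece AH cannot supply on its own, which is why the later slide pairs AH and ESP with IKE.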
IPsec Protocols

- Encapsulating Security Payload (ESP)
  - Provides a confidentiality guarantee for packets by encrypting them with encryption algorithms
  - Ensures:
    - The packet was not wiretapped in the middle
IPsec Protocols

- IP payload compression (IPcomp)
  - Provides a way to compress packets before encryption by ESP
- Internet Key Exchange (IKE)
  - AH and ESP need a shared secret key between peers
  - IKE provides ways to negotiate keys in secrecy
IPsec Example (Tunnel)

A single IPsec gateway secures multiple site networks: simplicity, high performance, flexibility and compatibility.

[Figure: LAN - IPsec gateway - Internet (IPsec "tunnel") - IPsec gateway - LAN. On each LAN the packet travels in clear text (IP header + payload). Across the Internet the original IP header and payload are encrypted as the ESP payload and carried behind a new IP header and an IPsec ESP header.]
IPsec Example (Transport)

Bulk data in clear text, but sensitive information encrypted: privacy, transparency, flexibility and high performance.

[Figure: LAN - router - Internet - router - LAN, with an IPsec host at each end. The IP header and the bulk data stay in clear text end to end; only the sensitive information is carried encrypted as an ESP payload behind an IPsec ESP header.]
Mobile IP – The Problem

[Figure: a mobile node moving from its Home Network to a Foreign Network]

- A mobile host must be assigned a new address when it moves outside of the home network
- The host address must be preserved regardless of the host's location
Mobile IP – Basic Entities

- Mobile Node (or Mobile Host)
- Home Agent (HA)
  - The agent of the network where the mobile node belongs (Home Network)
- Foreign Agent (FA)
  - The agent of the foreign network where the mobile node may be found
- Home Address (HA)
  - The mobile node's permanent address
- Care-of Address (CA)
  - The mobile node's temporary address assigned in the foreign network
Mobile IP – Basic Entities

- A mobile node keeps its home address inside the home network, but in a foreign network it borrows a care-of address
- Agents take care of all issues related to the mapping of the care-of address to the home address
- Agents are:
  - Routers
  - Advanced servers
Mobile IP Mechanism

- Advertising care-of address
- Registration
- Tunneling
Mobile IP: Advertising Care-of Address

- Home and foreign agents periodically broadcast agent advertisements (ICMP messages) to mobile nodes
- Messages contain:
  - mobility agent address
  - care-of addresses
- If (network prefix of the advertisement's IP source address = network prefix of the home address) then
  - the mobile node is in the home network
- Else
  - move detection
  - registration required
Mobile IP: Advertising Care-of Address

[Figure: a Foreign Agent (agent address 169.17.8.29, care-of address 169.17.8.11) and a Home Agent (agent address 132.5.3.2, care-of address 132.5.3.8) connected through the Internet. Two nodes with home addresses 132.5.3.69 and 132.5.3.74: the one hearing the home agent's advertisement is in the home network, the one hearing the foreign agent's advertisement requires registration.]
Mobile IP - Registration

- Host requests service
- Foreign agent relays the request to the home agent
- Home agent accepts or denies
- Foreign agent relays the status to the host
- After registration:
  - Both the host and the agents know the host's new location
  - The home agent knows the host's care-of address
Mobile IP - Tunneling

How are packets from sources delivered to the host?
- The home agent (router) intercepts packets destined to the host
- The home agent tunnels (encapsulates) the packets to the care-of address
- The foreign agent decapsulates the packets and delivers them to the mobile host
Mobile IP - Tunneling

Mobile host home address: 148.6.8.2
Mobile host care-of address: 134.2.5.7

[Figure: Source -> Internet -> Home Agent -> Foreign Agent -> Mobile Host]
- Source to home agent: Header (Dest. Addr. 148.6.8.2) + Payload (Data)
- Home agent to foreign agent (tunnel): Outer Header (Dest. Addr. 134.2.5.7) + Inner Header (Dest. Addr. 148.6.8.2) + Payload (Data)
- Foreign agent to mobile host: Header (Dest. Addr. 148.6.8.2) + Payload (Data)
Mobile IP: NAT issues

The problem:
- The care-of address is a private address. This address is not reachable from outside the private network.
- Two mobile nodes in different private networks may happen to have the same private address as care-of address.

The solution: draft-ietf-mobileip-nat-traversal-05.txt
- Use IP in UDP tunnels.
- Use the source IP address and source port of Registration Request messages to locate the mobile node.
- Add an option to registration messages to inform of UDP tunneling capability.
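The two tunneling slides and the NAT-issues slide above describe one mechanism with two encapsulations. The following Python is an added example (not from the lecture) using the slide's home address 148.6.8.2 and care-of address 134.2.5.7: the home agent encapsulates an intercepted packet either in plain IP-in-IP toward the care-of address or, when the Registration Request arrived through a NAT, inside UDP toward the source IP and port it saw on that request; the receiving end decapsulates and checks the header checksum. The home agent address 148.6.8.1, the NAT address 203.0.113.5 with port 40001, the binding tables and the IPv4 helpers are constructed or assumed, and the IP-in-UDP format is simplified to a bare UDP header.

```python
import socket, struct

IPPROTO_IPIP, IPPROTO_UDP, MIP_PORT = 4, 17, 434   # IP-in-IP, UDP, Mobile IP registration port

def checksum(data):
    """Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """20-byte IPv4 header without options; the checksum covers the header only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt):
    """Return (proto, src, dst, payload); reject a header whose checksum does not verify."""
    ihl = (pkt[0] & 0xF) * 4
    if len(pkt) < ihl or checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl:]

HOME_AGENT = "148.6.8.1"   # assumed home agent address on the 148.6.8.0 home network
# Constructed binding tables, as learned from Registration Requests: home address -> (tunnel endpoint, UDP port or None).
BINDINGS = {"148.6.8.2": ("134.2.5.7", None)}
# NAT case: the private care-of address is unreachable, so the home agent records the request's source IP and port instead.
BINDINGS_NAT = {"148.6.8.2": ("203.0.113.5", 40001)}

def home_agent_tunnel(inner, bindings):
    """Home agent intercepts a packet for a home address and encapsulates it toward the mobile node."""
    _, _, home_addr, _ = parse_ipv4(inner)
    endpoint, nat_port = bindings[home_addr]
    if nat_port is None:
        return ipv4_header(HOME_AGENT, endpoint, IPPROTO_IPIP, len(inner)) + inner
    udp = struct.pack("!HHHH", MIP_PORT, nat_port, 8 + len(inner), 0) + inner   # UDP checksum left 0
    return ipv4_header(HOME_AGENT, endpoint, IPPROTO_UDP, len(udp)) + udp

def decapsulate(outer):
    """Foreign agent (or the mobile node behind the NAT) strips the tunnel; returns the inner packet fields."""
    proto, _, _, body = parse_ipv4(outer)
    if proto == IPPROTO_UDP:
        body = body[8:]                 # drop the UDP header of the NAT-traversal tunnel
    elif proto != IPPROTO_IPIP:
        raise ValueError("not a Mobile IP tunnel")
    return parse_ipv4(body)
```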
IP Telephony

- Until today the PSTN and the Internet have been two different networks
- Need for integration
- Solution: Voice over IP (VoIP)
- New devices:
  - IP Telephones
  - Gatekeepers
IP Telephony

[Figure: an IP Network with an IP Phone, a PC and a Gatekeeper, connected through a Switch to the PSTN and a conventional Phone]
IP Telephony Vs Pure Telephony

- Pure telephony:
  - End to end QoS
  - No delay
  - Isolated from new IP services
- IP telephony:
  - Variable QoS
  - Delay
  - Integrated with other services
  - Problems will be solved in the future
IP Telephony Features

- Data transport: RTP
- Signalling:
  - IETF SIP protocol suite
  - ITU-T H.323 protocol suite
- Quality of Service: RSVP
IP Telephony Protocol Stack
First Intermediate Report

- NAT
- Mobile IP
  Klaoudatou, Mavrogenis
- Mobile IP: NAT issues
  Doukas, Kikilis, Lizos

Deadline: 15/03/04
First Intermediate Report

- IPv6
- IPsec
  Baliotis, Panoutsakopoulos
- IPv6 and IPv4 coexistence
  Kolovou, Barbarousis
- IP telephony
  Ratsiatos, Rekleitis, Plataniwtis

Deadline: 16/03/04
First Intermediate Report

Structure:
- Overview of the examined technology
- Focus on open research points
- Works related to the open points: state of the art behind the open points
- Your own interests and ideas
- Conclusions
- References
First Intermediate Report

- Report (soft and hard copy)
- A related presentation (about twenty minutes)
Basic Grid Functions

[Figure: grid layers. Applications: application codes. Services: data publication and subscription toolkits, instrument management toolkits, collaboration toolkits, visualization toolkits, grid enabled libraries. Functions: resource brokering; data management (replication and metadata); resource discovery; fault management; scheduling and access to computing; workflow management; uniform data access; encapsulation as Web services; accounting; monitoring and events. Grid communication functions: transport services, security services. Communications: Internet, space-based networks, optical networks, ... Distributed resources: tertiary storage, on-line storage, national supercomputer facilities, CPUs, clusters, Condor pools of workstations, scientific instruments.]

Emulator of distributed resources

- We need this emulator in order to perform resource discovery and resource distribution tasks
- http://www.samos.aegean.gr/icsd/gkorm/