VPN, Mobility - CSCI 6433 Internet Protocols
CSCI 6433
Internet Protocols
Class 8
Dave Roberts
1
Topics
• Mobile IP
• IPSec
• Virtual Private Networks
2
Mobile IP
• IP was not designed with hand-held or book-sized mobile
computers in mind
• Mobile IP has its limitations in today’s world, where IP
address is tied to network address which is geographic
• However, Mobile IP does illustrate the basics of dealing
with a roving host
3
Mobile IP
Allows portable computers to move from one network to
another.
Hosts move from one network to another, not in the
original design of IP!
Without mobile IP, either
• Host address must change, or
• Routers must send a host-specific route across the entire
Internet
4
General Characteristics of Mobile IP
• Transparency—mobility transparent to applications, transport layer protocols, routers not involved in the change.
• Interoperability—mobile host can interoperate with stationary and mobile hosts using IPv4, and mobile IPv6 hosts can interoperate with stationary and mobile IPv6 hosts
• Scalability—scales to large internets
• Security—authentication for all messages
• Macro mobility—focuses on long-duration moves, rather than roving as in a cellular phone system
5
Overview of Mobile IPv4
• Host can have primary and secondary address
• Primary is obtained at “home” location, permanent and fixed
• Secondary obtained after a move. Sent to agent (router) at home.
• Agent intercepts datagrams, encapsulates in IP datagrams, sends to secondary address.
• Mobile host deregisters when returning home, notifies agent of new address after another move
6
Mobile IPv4 Addressing
• Home address—conventional IP address
• Temporary address is called care-of address
• Two forms of care-of address:
  • Foreign: foreign agent (router) on network being visited assigns care-of address, handles forwarding
  • Co-located: mobile host does forwarding
• A home agent (HA) stores information about mobile nodes whose permanent home address is in the home agent's network.
• The HA acts as a router on a mobile host's (MH) home network which tunnels datagrams for delivery to the MH when it is away from home, maintains a location directory (LD) for the MH.
• A foreign agent (FA) stores information about mobile nodes visiting its network. Foreign agents also advertise care-of addresses, which are used by Mobile IP. If there is no foreign agent in the host network, the mobile device has to take care of getting an address and advertising that address by its own means.
• The FA acts as a router on a MH’s visited network which provides routing services to the MH while registered. FA detunnels and delivers datagrams to the MH that were tunneled by the MH’s HA
7
Operation of Mobile IP
8
Mobile IP
• Mobile node finds an agent on its local network through the agent discovery process. Listens for agent advertisement messages, or can ask for one with agent solicitation
• Mobile node determines from the message whether it is at its home network
• If device has moved to foreign network, it obtains a (local) care-of address. Used to forward datagrams
• Mobile node tells home agent at home network by registering with the home network
• Home agent captures datagrams for the mobile node and forwards them
9
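The five steps above (discovery, registration, tunneling by the home agent, detunneling by the foreign agent, and deregistration on return) can be walked through in code. The following is an added example, not material from the lecture: a small Python model of a home agent, a foreign agent and a mobile node, using IP-in-IP encapsulation (protocol 4, RFC 2003) as Mobile IPv4 does. All addresses, lifetimes and the Datagram representation are constructed for the illustration.

```python
from dataclasses import dataclass

IP_IN_IP = 4   # protocol number for IP-in-IP encapsulation (RFC 2003), used by Mobile IPv4 tunnels
UDP = 17


@dataclass(frozen=True)
class Datagram:
    """Constructed, simplified datagram: payload is bytes, or an inner Datagram when proto == IP_IN_IP."""
    src: str
    dst: str
    proto: int
    payload: object


class HomeAgent:
    """Router on the home network: keeps the location directory and tunnels to the care-of address."""

    def __init__(self, address, home_prefix):
        self.address = address
        self.home_prefix = home_prefix     # e.g. "10.1.0." (constructed)
        self.bindings = {}                 # home address -> (care-of address, expiry time)

    def register(self, home_addr, care_of, lifetime, now):
        """Registration request. lifetime == 0 means deregistration (the mobile is back home)."""
        if not home_addr.startswith(self.home_prefix):
            return False                   # not a mobile node of this home network
        if lifetime == 0:
            self.bindings.pop(home_addr, None)
        else:
            self.bindings[home_addr] = (care_of, now + lifetime)
        return True

    def intercept(self, dgram, now):
        """Handle a datagram that arrived at the home network for a mobile's home address.
        Returns an IP-in-IP datagram to the care-of address while the mobile is away,
        otherwise the original datagram for local delivery."""
        binding = self.bindings.get(dgram.dst)
        if binding is None:
            return dgram
        care_of, expiry = binding
        if now >= expiry:                  # stale binding: drop it and deliver locally
            del self.bindings[dgram.dst]
            return dgram
        return Datagram(src=self.address, dst=care_of, proto=IP_IN_IP, payload=dgram)


class ForeignAgent:
    """Router on the visited network: its own address serves as the care-of address."""

    def __init__(self, address):
        self.address = address
        self.visitors = set()              # home addresses of registered visiting mobiles

    def detunnel(self, outer):
        """Strip the outer header and hand the inner datagram to the visiting mobile."""
        if outer.proto != IP_IN_IP or outer.dst != self.address:
            return None
        inner = outer.payload
        if inner.dst not in self.visitors:
            return None                    # not registered here: do not deliver
        return inner


def scenario():
    """Constructed walk-through: mobile 10.1.0.7 visits the network served by FA 192.0.2.1."""
    ha = HomeAgent(address="10.1.0.1", home_prefix="10.1.0.")
    fa = ForeignAgent(address="192.0.2.1")
    mobile, peer = "10.1.0.7", "203.0.113.9"
    # 1-2. Discovery and registration: the FA address is the care-of address, lifetime 300 s.
    fa.visitors.add(mobile)
    assert ha.register(mobile, fa.address, lifetime=300, now=0)
    # 3. A datagram for the mobile's home address reaches the HA, is tunneled, and the FA detunnels it.
    from_peer = Datagram(src=peer, dst=mobile, proto=UDP, payload=b"hello")
    tunneled = ha.intercept(from_peer, now=10)
    delivered = fa.detunnel(tunneled)
    # 4. Traffic from the mobile to the peer needs no tunnel: it is sent directly.
    from_mobile = Datagram(src=mobile, dst=peer, proto=UDP, payload=b"reply")
    # 5. After the lifetime expires without re-registration, the HA delivers locally again.
    after_expiry = ha.intercept(from_peer, now=400)
    # 6. Back home: a registration with lifetime 0 deregisters the mobile.
    ha.register(mobile, fa.address, lifetime=300, now=400)
    ha.register(mobile, fa.address, lifetime=0, now=401)
    at_home = ha.intercept(from_peer, now=402)
    return {
        "outer_dst": tunneled.dst, "outer_proto": tunneled.proto,
        "delivered_payload": delivered.payload,
        "direct_dst": from_mobile.dst,
        "tunneled_after_expiry": after_expiry.proto == IP_IN_IP,
        "at_home_dst": at_home.dst,
    }


if __name__ == "__main__":
    print(scenario())
```

The asymmetry in the summary slide (datagrams from the mobile go directly, return datagrams go through the home agent) shows up in step 3 versus step 4: only traffic addressed to the home address passes through the HA's binding table.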
IPv4 Foreign Agent Discovery
ICMP router discovery mechanism used to
discover a foreign agent.
10
IPv4 Agent Registration
11
IPv6 Mobility
• No use of foreign agent or care-of addresses. Instead,
IPv6 mobile host uses co-located care-of address
• Host can have a home address and co-located care-of
address at once
• IPv6 does not depend on link-layer forwarding
• IPv6 routing expansion header makes forwarding more
efficient than for IPv4
• IPv6 mobile host does not need foreign agent
12
IPv6 Datagram Transmission
• IPv6 mobile host informs home agent before
communicating with a destination
• Host includes a mobility header in sent datagram
• Destination can then communicate with home agent, find
mobile’s current address, and send directly
13
Assessment of Mobile IP
• Designed for devices with static IP configuration—not
practical with dynamic IP address assignment
• Retaining an IP address is less important than it was, due
to dynamic IP address assignment
• Not practical for devices that move frequently—too much
setup and teardown
• VPN allows remote device to have home address and
have full access to its home network
14
Summary
• Mobile IP allows a computer to move from one network to another without changing its IP address
• Mobile either obtains a co-located care-of address or discovers a foreign mobility agent and requests a care-of address.
• Once registered, mobile can communicate with an arbitrary computer on the Internet.
• Datagrams from mobile go directly to destination
• Return datagrams go through mobile’s home agent
15
IPSec
• IPSec provides security services at the IP layer for other
Internet protocols to use
16
What’s Needed for A Secure Path
• Mutually agreed security protocols
• Mutually agreed specific encryption algorithm
• Exchange of keys
17
IPSec Protocols and Components
18
Authentication Header
• The AH allows for the contents of the datagram to be
authenticated
• It contains a checksum, computed using a secret key
agreed between the sender and recipient
• The checksum is added by the sender, used by the
recipient to validate the contents
19
Authentication Header
20
Encapsulation Security Payload
• ESP protects from intermediate devices examining the
contents of the datagram
• Header is placed before encrypted data
• Trailer is placed after encrypted data
• Authentication data is used to check integrity similarly to the AH protocol; ESP’s optional authentication feature authenticates the data after encryption
21
ESP Payload
22
Internet Key Exchange
• A new security association involves a key exchange
• The following is established:
  • Encryption algorithm to be used
  • Hash algorithm
  • Authentication method
  • Diffie-Hellman Group
23
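The key exchange itself is the part of this slide that is easiest to misunderstand, so here is an added example (not from the lecture) of what happens once the Diffie-Hellman group and hash algorithm have been agreed: each side contributes a public value and a nonce, both compute the same shared secret, and session keys are derived from it with the negotiated hash used as a pseudo-random function. The derivation follows IKEv2 (RFC 7296: SKEYSEED = prf(Ni | Nr, g^ir), then prf+ over Ni | Nr | SPIi | SPIr). The group parameters P and G below are a constructed, insecure stand-in chosen for readability; real IKE uses the registered MODP/ECP groups, and the Peer class and its method names are the example's own.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in group: 2**89 - 1 is prime but far too small to be secure.
# IKE uses registered groups such as the 2048-bit MODP group 14 of RFC 3526.
P = (1 << 89) - 1
G = 3
PRF_HASH = hashlib.sha256      # the negotiated hash algorithm, used as the PRF
KEY_NAMES = ["SK_d", "SK_ai", "SK_ar", "SK_ei", "SK_er"]   # RFC 7296 order (SK_pi/SK_pr omitted)


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, PRF_HASH).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 prf+: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n), output = T1 | T2 | ..."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


class Peer:
    """One IKE endpoint. Only .public, .nonce and .spi are sent on the wire; .x never leaves the host."""

    def __init__(self):
        self.x = secrets.randbelow(P - 2) + 1       # private DH exponent
        self.public = pow(G, self.x, P)             # KE payload value g^x
        self.nonce = secrets.token_bytes(16)        # Ni or Nr
        self.spi = secrets.token_bytes(8)           # this side's IKE SPI

    def derive(self, peer_public: int, ni: bytes, nr: bytes, spi_i: bytes, spi_r: bytes) -> dict:
        shared = pow(peer_public, self.x, P)        # g^ir, identical on both sides
        g_ir = shared.to_bytes((P.bit_length() + 7) // 8, "big")
        skeyseed = prf(ni + nr, g_ir)               # SKEYSEED = prf(Ni | Nr, g^ir)
        keymat = prf_plus(skeyseed, ni + nr + spi_i + spi_r, 32 * len(KEY_NAMES))
        return {name: keymat[i * 32:(i + 1) * 32] for i, name in enumerate(KEY_NAMES)}


def ike_exchange():
    """IKE_SA_INIT in miniature: exchange SPI, KE value and nonce, then derive keys on both sides."""
    initiator, responder = Peer(), Peer()
    ni, nr = initiator.nonce, responder.nonce
    spi_i, spi_r = initiator.spi, responder.spi
    keys_i = initiator.derive(responder.public, ni, nr, spi_i, spi_r)
    keys_r = responder.derive(initiator.public, ni, nr, spi_i, spi_r)
    return keys_i, keys_r


if __name__ == "__main__":
    ki, kr = ike_exchange()
    print("keys match:", ki == kr)
    for name, value in ki.items():
        print(name, value.hex())
```

Two points worth noticing: the separate SK_ai/SK_ar and SK_ei/SK_er keys mean each direction of the security association is protected by its own authentication and encryption keys, and because the nonces and SPIs enter the derivation, a repeated DH value still yields fresh session keys.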
IPSec Implementation Methods
• End host implementation: implementing in hosts
provides “end to end” security
• Router implementation: implement in pairs of routers,
provides security between routers
24
IPSec Architectures
• Built in to IP
• Inserted into the stack: “bump
in the stack”
• In device connected to the
router: “bump in the wire”
25
Built In to IP
• Integrated: change IP stack to include IPSec
• Requires extensive software changes for IPv4.
• IPv6 is designed to include IPSec.
26
“Bump in The Stack”
• Bump in the stack (BITS): IPSec a layer between IP and data link layer. IPSec intercepts datagrams, passes to data link layer.
27
“Bump in The Wire”
Bump in the wire (BITW): Add a hardware device between
two communicating routers
28
IPSec Modes
• Transport mode: IPSec protects the message passed to
IP from the transport layer. AH and ESP headers are
added as the IP datagram is created.
• Tunnel mode: IPSec protects complete encapsulated IP
datagram after IP header is applied. IP datagram is
created normally, then AH and ESP headers are added.
Usually associated with “bump in the stack” and “bump in
the wire” implementations
29
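The Authentication Header slide (a checksum computed with a shared secret key, added by the sender and validated by the recipient) and this slide (where the header goes in transport versus tunnel mode) are best seen together on real bytes. The following is an added example, not code from the lecture: it builds IPv4 datagrams with Python's struct module, protects them with an AH carrying an HMAC-SHA-256-128 integrity check value (RFC 4868), zeroes the mutable IPv4 fields before computing the ICV as RFC 4302 requires, and shows that a router hop (TTL decrement) leaves verification intact while any change to the covered bytes is rejected. Addresses, SPIs, the key and the UDP payload are constructed; headers are assumed to be 20 bytes (no IP options).

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AH = 51        # protocol number of the Authentication Header
UDP = 17
IPIP = 4       # next-header value for an encapsulated IPv4 datagram (tunnel mode)
ICV_LEN = 16   # HMAC-SHA-256-128: 256-bit MAC truncated to 128 bits (RFC 4868)
AH_LEN = 12 + ICV_LEN   # fixed AH fields plus ICV; 28 bytes, a multiple of 32 bits as IPv4 requires


def ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def zero_mutable(ip_hdr: bytes) -> bytes:
    """RFC 4302 Appendix A: TOS, flags/fragment offset, TTL and header checksum may change in
    transit, so both ends compute the ICV with those fields set to zero."""
    return (ip_hdr[:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00\x00"
            + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:20])


def ah_protect(key, spi, seq, ip_src, ip_dst, next_hdr, payload) -> bytes:
    """Build IP header + AH + payload with the ICV filled in (sender side)."""
    ip_hdr = ipv4_header(ip_src, ip_dst, AH, 20 + AH_LEN + len(payload))
    # AH: next header, payload length (AH length in 32-bit words minus 2), reserved, SPI, sequence
    ah_no_icv = struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    icv = hmac.new(key, zero_mutable(ip_hdr) + ah_no_icv + payload, hashlib.sha256).digest()[:ICV_LEN]
    return ip_hdr + ah_no_icv[:12] + icv + payload


def ah_verify(key, packet: bytes) -> bool:
    """Recompute the ICV over the same bytes the sender used and compare in constant time."""
    ip_hdr, rest = packet[:20], packet[20:]
    ah_fixed, received_icv, payload = rest[:12], rest[12:AH_LEN], rest[AH_LEN:]
    expected = hmac.new(key, zero_mutable(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload,
                        hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(received_icv, expected)


def router_hop(packet: bytes) -> bytes:
    """Simulate a forwarding router: decrement TTL and recompute the header checksum."""
    ip_hdr = bytearray(packet[:20])
    ip_hdr[8] -= 1
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", ip_checksum(bytes(ip_hdr)))
    return bytes(ip_hdr) + packet[20:]


def demo():
    key = b"constructed-32-byte-key-for-demo"          # constructed shared secret
    udp = struct.pack("!HHHH", 4000, 53, 8 + 5, 0) + b"hello"   # constructed UDP segment
    # Transport mode: AH is inserted between the host's own IP header and the transport payload.
    transport = ah_protect(key, spi=0x1000, seq=1, ip_src="10.1.0.7",
                           ip_dst="203.0.113.9", next_hdr=UDP, payload=udp)
    # Tunnel mode: the complete original datagram becomes the payload behind a new
    # gateway-to-gateway IP header, so the inner addresses are covered by the ICV too.
    inner = ipv4_header("10.1.0.7", "10.2.0.5", UDP, 20 + len(udp)) + udp
    tunnel = ah_protect(key, spi=0x2000, seq=1, ip_src="198.51.100.1",
                        ip_dst="198.51.100.2", next_hdr=IPIP, payload=inner)
    tampered = tunnel[:-1] + bytes([tunnel[-1] ^ 1])   # flip one payload bit in transit
    return {
        "transport_ok_after_hop": ah_verify(key, router_hop(transport)),
        "tunnel_ok_after_hop": ah_verify(key, router_hop(tunnel)),
        "tampered_rejected": not ah_verify(key, tampered),
        "transport_next_hdr": transport[20],
        "tunnel_next_hdr": tunnel[20],
        "tunnel_inner_src": str(IPv4Address(tunnel[20 + AH_LEN + 12:20 + AH_LEN + 16])),
        "transport_len": len(transport),
        "tunnel_len": len(tunnel),
    }


if __name__ == "__main__":
    print(demo())
```

Note what AH does and does not give in tunnel mode: the inner datagram, addresses included, cannot be altered without detection, but it is still readable by intermediate devices. Hiding the inner addresses, as the VPN slides later describe, is ESP's job, not AH's.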
IPSec Transport Mode
30
IPSec Tunnel Mode
31
Summary
• IPSec protects against observation and change of
transmitted data by intermediate hosts
• IPSec requires setup between communicating hosts to
establish security associations
32
VPN
• Extends a private network across a public network such as
the Internet
• Enables user to send and receive data across shared
networks as if the hosts were directly connected to the
private network
• VPN is created by establishing virtual point-to-point
connections, typically using virtual tunneling protocols,
with or without traffic encryption
33
Virtual Private Networks (VPN)
Suppose we want to:
  • Allow external connections
  • Keep internal datagrams private
• We can use VPN to build a private internet, not connected
to the public Internet
• Or we can use VPN to build a private network, and
connect each site to the Internet also (hybrid network)
34
IPSec for VPNs
• IPSec can be used to provide a VPN
• If IPSec is implemented in tunnel mode, it protects the
addresses as well as the contents of datagrams
• If IPSec is implemented using the “bump in the stack”
architecture, then the security parameters can be used to
implement a VPN using IPSec
35
VPN Example
36
Source: Wikipedia
Virtual Private Network
37
Virtual Private Network
38
VPN Addressing
39
VPN with Private Addresses
40
VPN Services
• Today a great variety of VPN services are offered
• One service lets you use an IP address associated
with a different location so that your messages
appear to come from somewhere other than your
location
• Another lets you use a constant IP address even
though your ISP may use dynamic IP addressing or
you might have a NAT router
41
Summary
• VPN—less costly alternative to private connection
between networks
42