1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address...


Network Architecture and Design 1

Advanced Issues in Internet Protocol (IP)

IPv4
Network Address Translation (NAT)
IPv6
IP Security (IPsec)
Mobile IP
IP Telephony

Network Architecture and Design 2

IP Security (IPsec)

Advantages:
Provides seamless security to the application and transport layers (ULPs)
Allows per-flow or per-connection security, and thus very fine-grained security control

Disadvantages:
More difficult to exercise on a per-user basis on a multi-user machine

Network Architecture and Design 3

IPsec Services

Connectionless integrity: assurance that received traffic has not been modified; integrity includes anti-replay defenses

Data origin authentication: assurance that traffic is sent by the legitimate party or parties

Confidentiality (encryption): assurance that the user's traffic is not examined by unauthorized parties

Access control: prevention of unauthorized use of a resource

Network Architecture and Design 4

IPsec Protocols

IPsec = AH + ESP + IPcomp + IKE

Authentication Header (AH): provides an authenticity guarantee for packets by attaching a strong cryptographic checksum to each packet

Ensures:
The packet originated from the expected peer
The packet was not generated by an impersonator
The packet was not modified in transit
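The two guarantees on this slide and the anti-replay defense from the services slide can be shown together in working code. The block below is an added example, not code from the lecture: it builds an AH-shaped packet (next header, payload length, SPI, sequence number, ICV) with HMAC-SHA-256-96 as the integrity algorithm, zeroes the mutable IP fields (TTL, checksum) before computing the ICV as AH requires, and keeps a 64-packet sliding replay window on the receiver. The key, addresses and payloads are constructed sample values.

```python
"""Added example (not from the lecture): an AH-style integrity check with an
anti-replay window, in the shape of RFC 4302 AH using HMAC-SHA-256-96.
The key, addresses and payloads below are constructed sample values."""
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51   # IP protocol number for the Authentication Header
ICV_LEN = 12    # HMAC-SHA-256-96 keeps the first 96 bits of the MAC
AH_FIXED = 12   # next header, payload len, reserved, SPI, sequence number


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Option-less IPv4 header; the checksum is left zero because it is a
    mutable field that routers rewrite, so AH never authenticates it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def authenticated_view(packet):
    """Copy of the packet with mutable fields zeroed before the MAC is taken:
    TTL (byte 8), header checksum (bytes 10-11) and the ICV slot inside AH."""
    buf = bytearray(packet)
    buf[8] = 0
    buf[10:12] = b"\x00\x00"
    buf[20 + AH_FIXED:20 + AH_FIXED + ICV_LEN] = bytes(ICV_LEN)
    return bytes(buf)


def ah_protect(key, src, dst, next_header, seq, payload, spi=0x1000):
    """Insert AH between the IP header and the upper-layer payload, then fill
    the ICV over everything that stays constant in transit."""
    payload_len = (AH_FIXED + ICV_LEN) // 4 - 2      # AH length in 32-bit words minus 2
    ah = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + bytes(ICV_LEN)
    packet = ipv4_header(src, dst, AH_PROTO, 20 + len(ah) + len(payload)) + ah + payload
    icv = hmac.new(key, authenticated_view(packet), hashlib.sha256).digest()[:ICV_LEN]
    return packet[:20 + AH_FIXED] + icv + packet[20 + AH_FIXED + ICV_LEN:]


class AntiReplayWindow:
    """Sliding window in the style of RFC 4303 section 3.4.3 (64 packets wide)."""

    def __init__(self, size=64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) already seen

    def check_and_update(self, seq):
        if seq == 0:
            return False                                  # 0 is never a valid sequence number
        if seq > self.top:                                # window slides forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if seq <= self.top - self.size:
            return False                                  # too old: fell off the window
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:
            return False                                  # already seen: replay
        self.bitmap |= bit
        return True


def ah_verify(key, packet, window):
    """Receiver side: recompute the ICV first, then consult the replay window
    (RFC 4303 also does a preliminary window check before the ICV to save work)."""
    if packet[9] != AH_PROTO:
        return False, "not AH"
    _next, _plen, _res, _spi, seq = struct.unpack("!BBHII", packet[20:20 + AH_FIXED])
    expected = hmac.new(key, authenticated_view(packet), hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, packet[20 + AH_FIXED:20 + AH_FIXED + ICV_LEN]):
        return False, "bad ICV"
    if not window.check_and_update(seq):
        return False, "replayed or stale sequence number"
    return True, "ok"


def demo():
    """Four packets as a receiver sees them; returns the verdict of each."""
    key = b"constructed-sample-key-not-for-real-use"
    rx = AntiReplayWindow()
    p1 = ah_protect(key, "10.0.0.1", "10.0.0.2", 17, 1, b"hello")
    p2 = ah_protect(key, "10.0.0.1", "10.0.0.2", 17, 2, b"world")
    forwarded = bytearray(p2)
    forwarded[8] -= 1                                     # a router decremented the TTL
    tampered = p1[:-1] + bytes([p1[-1] ^ 0x01])           # last payload byte flipped
    return [
        ah_verify(key, p1, rx)[1],                        # "ok"
        ah_verify(key, bytes(forwarded), rx)[1],          # "ok": TTL is not authenticated
        ah_verify(key, p1, rx)[1],                        # same packet again: replay
        ah_verify(key, tampered, rx)[1],                  # "bad ICV"
    ]


if __name__ == "__main__":
    print(demo())
```

The forwarded packet still verifies because AH deliberately excludes the fields a router legitimately changes; the replayed packet fails only at the window, which is why the sequence number must be covered by the ICV (it is, since it sits in the fixed part of AH).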

Network Architecture and Design 5

IPsec Protocols

Encapsulating Security Payload (ESP): provides a confidentiality guarantee for packets by encrypting them with encryption algorithms

Ensures:
The packet was not wiretapped in the middle

Network Architecture and Design 6

IPsec Protocols

IP payload compression (IPcomp): provides a way to compress packets before they are encrypted by ESP

Internet Key Exchange (IKE):
AH and ESP need a shared secret key between the peers
IKE provides ways to negotiate keys in secrecy

Network Architecture and Design 7

RFC 2401-2412

Network Architecture and Design 8

IPsec Modes

Network Architecture and Design 9

IPsec Example (Transport)

Bulk data in clear text, but sensitive information encrypted

Privacy, transparency, flexibility and high performance

[Figure: two IPsec hosts, each on a LAN behind a router, communicating across the Internet. Each packet keeps its IP header in clear text; an ESP header follows it and the payload is encrypted. Bulk data travels as clear text IP + payload, sensitive information as IP + ESP header + encrypted payload.]

Network Architecture and Design 10

IPsec Example (Tunnel)

A single IPsec gateway secures multiple site networks

Simplicity, high performance, flexibility and compatibility

[Figure: two LANs, each behind an IPsec gateway, joined across the Internet by an IPsec "tunnel". Inside each LAN the packet is IP header + payload in clear text. Across the tunnel a new IP header (clear text) and an ESP header are prepended, and the original IP header + payload travel encrypted inside the ESP payload.]
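The difference between the two example slides is where the original IP header ends up: in transport mode it stays in the clear in front of ESP, in tunnel mode it is swallowed into the ESP payload and a new outer header carries the gateway addresses. The block below is an added example, not the lecture's code: it frames a packet both ways using ESP with NULL encryption (RFC 2410) so that the header, trailer (padding, pad length, next header) and the clear-text/encrypted split remain visible; the ICV and a real cipher are omitted here, and all addresses are constructed sample values.

```python
"""Added example (not from the lecture): how ESP frames a packet in transport
versus tunnel mode. ESP with NULL encryption (RFC 2410) is used so that the
framing stays readable; on a real SA the bracketed part is ciphertext and an
ICV follows it. Addresses are constructed sample values."""
import socket
import struct

ESP_PROTO = 50      # IP protocol number for ESP
IPIP_NEXT = 4       # next header value meaning "an IPv4 packet follows" (tunnel mode)


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Option-less IPv4 header (checksum left zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def esp_wrap(spi, seq, inner, next_header, align=4):
    """ESP header (SPI, sequence) + [inner | padding | pad length | next header].
    Padding brings inner + the two trailer bytes to a multiple of `align`
    (a real cipher dictates the alignment; 4 is the RFC 4303 minimum)."""
    pad_len = (-(len(inner) + 2)) % align
    padding = bytes(range(1, pad_len + 1))           # default pad pattern 1, 2, 3, ...
    trailer = padding + bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + inner + trailer


def esp_unwrap(esp):
    """Receiver side: strip ESP header and trailer, return (spi, seq, next_header, inner)."""
    spi, seq = struct.unpack("!II", esp[:8])
    body = esp[8:]
    pad_len, next_header = body[-2], body[-1]
    if pad_len + 2 > len(body):
        raise ValueError("pad length exceeds ESP body")
    return spi, seq, next_header, body[:len(body) - 2 - pad_len]


def transport_mode(src, dst, ulp_proto, ulp_data, spi, seq):
    """Host-to-host: the original IP header stays, ESP sits between it and the ULP data."""
    esp = esp_wrap(spi, seq, ulp_data, ulp_proto)
    return ipv4_header(src, dst, ESP_PROTO, 20 + len(esp)) + esp


def tunnel_mode(gw_src, gw_dst, inner_packet, spi, seq):
    """Gateway-to-gateway: the whole original packet becomes the ESP payload and a
    new outer IP header with the gateways' addresses is prepended."""
    esp = esp_wrap(spi, seq, inner_packet, IPIP_NEXT)
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, 20 + len(esp)) + esp


def outer_view(packet):
    """What stays in clear text for an observer on the Internet: outer src, dst, protocol."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), packet[9]


def demo():
    host_a, host_b = "192.168.1.10", "192.168.2.20"      # hosts on the two LANs
    gw_a, gw_b = "203.0.113.1", "198.51.100.1"           # the two IPsec gateways
    original = ipv4_header(host_a, host_b, 6, 20 + 5) + b"hello"
    t = transport_mode(host_a, host_b, 6, b"hello", spi=0x100, seq=1)
    u = tunnel_mode(gw_a, gw_b, original, spi=0x200, seq=1)
    _, _, inner_next, inner = esp_unwrap(u[20:])
    return {
        "transport_outer": outer_view(t),                # end hosts visible, protocol 50
        "tunnel_outer": outer_view(u),                   # only gateways visible
        "tunnel_inner_next_header": inner_next,          # 4: an IP packet is inside
        "tunnel_inner_dst": socket.inet_ntoa(inner[16:20]),  # real destination hidden inside ESP
    }


if __name__ == "__main__":
    print(demo())
```

The outer view is the point of the tunnel slide: an observer between the gateways sees only gateway addresses and protocol 50, while in transport mode the communicating hosts themselves remain visible.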

Network Architecture and Design 11

Advanced Issues in Internet Protocol (IP)

IPv4
Network Address Translation (NAT)
IPv6
IP Security (IPsec)
Mobile IP
IP Telephony

Network Architecture and Design 12

Mobile IP – The Problem

A mobile host must be assigned a new address when it moves outside its home network, yet the host's address must be preserved regardless of the host's location

[Figure: a mobile node moving from its home network to a foreign network]

Network Architecture and Design 13

Mobile IP – Basic Entities

Mobile Node (or Mobile Host)

Home Agent (HA): the agent of the network where the mobile node belongs (home network)

Foreign Agent (FA): the agent of the foreign network where the mobile node may be found

Home Address (HA): the mobile node's permanent address

Care-of Address (CA): the mobile node's temporary address, assigned in the foreign network

Network Architecture and Design 14

Mobile IP – Basic Entities

A mobile node keeps its home address inside the home network, but in a foreign network it borrows a care-of address

Agents take care of all issues related to mapping the care-of address to the home address

Agents are:
Routers
Advanced servers

Network Architecture and Design 15

Mobile IP Mechanism

Advertising care-of address
Registration
Tunneling

Network Architecture and Design 16

Mobile IP: Advertising Care-of Address

Home and foreign agents periodically broadcast agent advertisements (ICMP messages) to mobile nodes

Messages contain:
Mobility agent address
Care-of addresses

If (network prefix of the advertisement's IP source address = network prefix of the home address) then
the mobile node is in the home network
Else
move detected, registration required

Network Architecture and Design 17

Mobile IP: Advertising Care-of Address

[Figure: a home agent (agent address 132.5.3.2, care-of address 132.5.3.8) and a foreign agent (agent address 169.17.8.29, care-of address 169.17.8.11) connected through the Internet, with two mobile nodes whose home addresses are in the 132.5.3.x range: one is still in the home network, the other has moved and requires registration]
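The prefix test on the previous slide is applied to the advertisement the node actually receives, so it helps to see both the extension format and the decision in code. The block below is an added example, not the lecture's code: it builds and parses the Mobility Agent Advertisement Extension carried in the ICMP router advertisement (RFC 3344, extension type 16, with the H and F flags and a list of care-of addresses) and then runs move detection with the agent and care-of addresses from the figure. The /24 home prefix and the node's home address 132.5.3.7 are assumptions.

```python
"""Added example (not from the lecture): parsing the Mobility Agent Advertisement
Extension that rides on the ICMP router advertisement (RFC 3344, type 16) and
applying the slide's move-detection test to it. Agent and care-of addresses are
those on the slide; the /24 home prefix and node address 132.5.3.7 are assumptions."""
import ipaddress
import struct

MOBILITY_AGENT_ADV = 16   # extension type
FLAG_H = 0x20             # H: this agent is a home agent
FLAG_F = 0x10             # F: this agent is a foreign agent


def build_agent_adv_ext(seq, lifetime, flags, care_of_addrs):
    """Type | Length (= 6 + 4N) | Sequence | Lifetime | Flags | Reserved | N care-of addresses."""
    body = struct.pack("!HHBB", seq, lifetime, flags, 0)
    body += b"".join(ipaddress.IPv4Address(a).packed for a in care_of_addrs)
    return struct.pack("!BB", MOBILITY_AGENT_ADV, 6 + 4 * len(care_of_addrs)) + body


def parse_agent_adv_ext(data):
    """Reject anything whose type or length does not fit the format before trusting it."""
    if len(data) < 8:
        raise ValueError("truncated extension")
    ext_type, length = data[0], data[1]
    if ext_type != MOBILITY_AGENT_ADV or length < 6 or (length - 6) % 4 or len(data) < 2 + length:
        raise ValueError("malformed mobility agent advertisement extension")
    seq, lifetime, flags, _ = struct.unpack("!HHBB", data[2:8])
    coas = [str(ipaddress.IPv4Address(data[8 + 4 * i:12 + 4 * i])) for i in range((length - 6) // 4)]
    return {"seq": seq, "lifetime": lifetime, "home_agent": bool(flags & FLAG_H),
            "foreign_agent": bool(flags & FLAG_F), "care_of_addresses": coas}


def move_detection(home_address, prefix_len, adv_source, ext):
    """Slide's rule: advertisement source prefix == home address prefix => at home;
    otherwise the node has moved and must register through a foreign agent."""
    home_net = ipaddress.ip_network(f"{home_address}/{prefix_len}", strict=False)
    if ipaddress.ip_address(adv_source) in home_net:
        return {"at_home": True, "action": "none"}
    if not ext["foreign_agent"] or not ext["care_of_addresses"]:
        return {"at_home": False, "action": "wait: no usable foreign agent"}
    return {"at_home": False, "action": "register", "care_of": ext["care_of_addresses"][0]}


def demo():
    # Advertisements as the two agents on the slide would send them (lifetimes constructed).
    home_adv = build_agent_adv_ext(seq=1, lifetime=1800, flags=FLAG_H, care_of_addrs=["132.5.3.8"])
    foreign_adv = build_agent_adv_ext(seq=7, lifetime=600, flags=FLAG_F, care_of_addrs=["169.17.8.11"])
    node_home_addr, prefix = "132.5.3.7", 24           # assumed node address and home prefix
    return {
        "hears_home_agent": move_detection(node_home_addr, prefix, "132.5.3.2",
                                           parse_agent_adv_ext(home_adv)),
        "hears_foreign_agent": move_detection(node_home_addr, prefix, "169.17.8.29",
                                              parse_agent_adv_ext(foreign_adv)),
    }


if __name__ == "__main__":
    print(demo())
```

The parser checks the type, the 6 + 4N length rule and the buffer size before reading addresses, which is the check a node should apply to any advertisement it receives on an open link before acting on it.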

Network Architecture and Design 18

Mobile IP - Registration

[Figure: mobile host, foreign agent and home agent connected across the Internet, exchanging the registration messages below]

Host requests service
Foreign agent relays the request to the home agent
Home agent accepts or denies
Foreign agent relays the status to the host

After registration:
Both the host and the agents know the host's new location
The home agent knows the host's care-of address

Network Architecture and Design 19

Mobile IP - Tunneling

How are packets from sources delivered to the host?
The home agent (router) intercepts packets destined to the host
The home agent tunnels (encapsulates) the packets to the care-of address
The foreign agent decapsulates the packets and delivers them to the mobile host

Network Architecture and Design 20

Mobile IP - Tunneling

[Figure: a source sends a packet with destination address 148.6.8.2 (the mobile host's home address) across the Internet; the home agent wraps the inner header and payload in an outer header with destination address 134.2.5.7 (the mobile host's care-of address); the foreign agent removes the outer header and delivers the packet, destination 148.6.8.2, to the mobile host]

Mobile host home address: 148.6.8.2
Mobile host care-of address: 134.2.5.7

Network Architecture and Design 21

Mobile IP: NAT issues

The problem:
IP-in-IP tunnels cannot traverse NAT
The care-of address is a private address; this address is not reachable from outside the private network
Two mobile nodes in different private networks may happen to have the same private address as care-of address

The solution: draft-ietf-mobileip-nat-traversal-05.txt
Use IP-in-UDP tunnels
Use the source IP address and source port of Registration Request messages to locate the mobile node
Add an option to registration messages to inform of UDP tunneling capability
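The registration, tunneling and NAT slides describe one decision the home agent makes per packet: is the destination a registered mobile node, and if so, how is the tunnel built. The block below is an added example, not the lecture's code or the draft's implementation: it models packets as dictionaries rather than wire bytes and shows classic IP-in-IP delivery with the slide's addresses (home 148.6.8.2, care-of 134.2.5.7), then the NAT case where the home agent tunnels in UDP to the source address and port it saw on the Registration Request, with a small port-translating NAT in between to show why the plain IP-in-IP packet is dropped. The home network 148.6.8.0/24, the private address 10.0.0.5, the NAT's public address 203.0.113.9 and the UDP option flag name are constructed.

```python
"""Added example (not from the lecture): the home agent's tunneling decision for
registered mobile nodes, first with plain IP-in-IP (RFC 2003) and then with the
IP-in-UDP tunnel that the NAT-traversal draft on the slide describes. Packets are
modelled as dicts, not wire bytes; 148.6.8.2 / 134.2.5.7 are the slide's addresses,
everything else (148.6.8.0/24, 10.0.0.5, 203.0.113.9) is constructed."""
import ipaddress

IPIP, UDP = 4, 17
MIP_PORT = 434          # UDP port for Mobile IP registration messages


def ip_packet(src, dst, proto, payload, **ports):
    return {"src": src, "dst": dst, "proto": proto, "payload": payload, **ports}


class HomeAgent:
    def __init__(self, address, home_network):
        self.address = address
        self.home_network = ipaddress.ip_network(home_network)
        self.bindings = {}                       # home address -> where the node is now

    def register(self, request):
        """Accept or deny a Registration Request. The binding records the care-of
        address the node claims *and* the source IP/port the request actually came
        from, which is what survives a NAT (the draft's locating method)."""
        body = request["payload"]
        if ipaddress.ip_address(body["home_address"]) not in self.home_network:
            return "denied"
        self.bindings[body["home_address"]] = {
            "care_of": body["care_of"],
            "udp_tunnel": body.get("udp_tunnel", False),   # the draft's registration option
            "seen_from": (request["src"], request["sport"]),
        }
        return "accepted"

    def forward(self, pkt):
        """Intercept traffic for a registered home address and tunnel it."""
        binding = self.bindings.get(pkt["dst"])
        if binding is None:
            return pkt                                     # ordinary host: normal routing
        if binding["udp_tunnel"]:
            nat_ip, nat_port = binding["seen_from"]
            return ip_packet(self.address, nat_ip, UDP, pkt, sport=MIP_PORT, dport=nat_port)
        return ip_packet(self.address, binding["care_of"], IPIP, pkt)


class Nat:
    """Port-translating NAT: it only knows how to map UDP/TCP flows it saw leave."""

    def __init__(self, public_ip):
        self.public_ip, self.table, self.next_port = public_ip, {}, 40000

    def outbound(self, pkt):
        if pkt["proto"] != UDP:
            return None                                    # no port to translate: dropped
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=pub_port)

    def inbound(self, pkt):
        if pkt["proto"] != UDP or pkt.get("dport") not in self.table:
            return None                                    # unsolicited IP-in-IP: no mapping, dropped
        priv_ip, priv_port = self.table[pkt["dport"]]
        return dict(pkt, dst=priv_ip, dport=priv_port)


def decapsulate(outer):
    """Foreign agent (or the node itself) strips the tunnel header."""
    if outer["proto"] == IPIP or (outer["proto"] == UDP and outer.get("sport") == MIP_PORT):
        return outer["payload"]
    raise ValueError("not a Mobile IP tunnel packet")


def demo():
    ha = HomeAgent("148.6.8.1", "148.6.8.0/24")
    # Case 1: public care-of address, classic IP-in-IP (slide 20 addresses).
    ha.register(ip_packet("134.2.5.7", ha.address, UDP,
                          {"home_address": "148.6.8.2", "care_of": "134.2.5.7"},
                          sport=MIP_PORT, dport=MIP_PORT))
    tunneled = ha.forward(ip_packet("192.0.2.1", "148.6.8.2", 6, b"data"))
    case1 = (tunneled["dst"], tunneled["proto"], decapsulate(tunneled)["dst"])
    # Case 2: private care-of address behind a NAT, UDP tunneling negotiated.
    nat = Nat("203.0.113.9")
    request = nat.outbound(ip_packet("10.0.0.5", ha.address, UDP,
                                     {"home_address": "148.6.8.3", "care_of": "10.0.0.5",
                                      "udp_tunnel": True},
                                     sport=MIP_PORT, dport=MIP_PORT))
    ha.register(request)
    via_udp = ha.forward(ip_packet("192.0.2.1", "148.6.8.3", 6, b"data"))
    delivered = nat.inbound(via_udp)
    case2 = (via_udp["dst"], via_udp["dport"], delivered["dst"], decapsulate(delivered)["dst"])
    # Case 3: same node without the UDP option: the IP-in-IP packet hits the NAT and is dropped.
    ha.bindings["148.6.8.3"]["udp_tunnel"] = False
    case3 = nat.inbound(ha.forward(ip_packet("192.0.2.1", "148.6.8.3", 6, b"data")))
    return case1, case2, case3


if __name__ == "__main__":
    print(demo())
```

Case 2 is the draft's idea in one line: the home agent never needs the private care-of address to be routable, because it sends the UDP tunnel back to the public address and port that the NAT itself created for the Registration Request.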

Network Architecture and Design 22

Advanced Issues in Internet Protocol (IP)

IPv4
Network Address Translation (NAT)
IPv6
IP Security (IPsec)
Mobile IP
IP Telephony

Network Architecture and Design 23

IP Telephony

Until today the PSTN and the Internet have been two different networks

Need for integration
Solution: Voice over IP (VoIP)

New devices:
IP telephones
Gatekeepers

Network Architecture and Design 24

IP Telephony

[Figure: a PSTN with a phone and a switch on one side, an IP network with an IP phone and a PC on the other, linked through a gatekeeper]

Network Architecture and Design 25

IP Telephony vs Pure Telephony

Pure telephony:
End-to-end QoS
No delay
Isolated from new IP services

IP telephony:
Variable QoS
Delay
Integrated with other services
Problems will be solved in the future

Network Architecture and Design 26

IP Telephony Features

Data transport: RTP

Signalling:
IETF SIP protocol suite
ITU-T H.323 protocol suite

Quality of service: RSVP

Network Architecture and Design 27

IP Telephony Protocol Stack

Network Architecture and Design 28

First Intermediate Report

NAT and Mobile IP I. Stergiou

IPv6 and IPsec A. Sgora

Deadline: 15/01/03

Network Architecture and Design 29

First Intermediate Report

Structure:
Overview of the examined technology
Focus on open research points
Works related to the open points (state of the art behind the open points)
Your own interests and ideas
Conclusions
References

Network Architecture and Design 30

First Intermediate Report

Report (soft and hard copy)
A related presentation (about twenty minutes)

Network Architecture and Design 31

End of Second Lecture