Network Architecture and Design 1
Advanced Issues in Internet Protocol (IP)
IPv4
Network Address Translation (NAT)
IPv6
IP Security (IPsec)
Mobile IP
IP Telephony
IP Security (IPsec)
Advantages
Provides seamless security to the upper-layer protocols (ULPs), i.e. the transport and application layers, which need no changes
Allows per-flow or per-connection security and thus very fine-grained security control
Disadvantages
More difficult to exercise on a per-user basis on a multi-user machine: a security association is bound to the host (addresses, ports), not to the user who generated the traffic
IPsec Services
Connectionless integrity: assurance that received traffic has not been modified. Integrity includes anti-replay defences (a sequence number checked against a sliding window at the receiver, so a captured packet cannot be re-injected later)
Data origin authentication: assurance that traffic was sent by the legitimate party or parties
Confidentiality (encryption): assurance that the user's traffic is not examined by unauthorized parties
Access control: prevention of unauthorized use of a resource (the security policy decides which traffic may pass, and with which protection)
IPsec Protocols
IPsec = AH + ESP + IPcomp + IKE
Authentication Header (AH)
Provides an authenticity guarantee for packets by attaching a strong cryptographic checksum (a keyed integrity check value computed over the payload and the immutable fields of the IP header)
Ensures that the packet was originated by the expected peer, that it was not generated by an impersonator, and that it was not modified in transit
IPsec Protocols
Encapsulating Security Payload (ESP)
Provides a confidentiality guarantee for packets by encrypting them with an agreed cipher
Ensures that the packet contents cannot be read by anyone wiretapping the path
ESP can also carry its own integrity check value, and in practice it should: encryption without integrity lets an attacker who cannot read the ciphertext still modify it undetected
IPsec Protocols
IP Payload Compression (IPcomp)
Provides a way to compress packets before encryption by ESP (compressing after encryption is useless, since ciphertext is incompressible)
Internet Key Exchange (IKE)
AH and ESP need a shared secret key between the peers
IKE provides a way to authenticate the peers and negotiate those keys securely over the untrusted network
IPsec Example (Transport)
Bulk data in clear text, but sensitive information encrypted
Privacy, Transparency, Flexibility and High Performance
[Figure: two IPsec hosts on separate LANs, each behind a router, communicating across the Internet. In transport mode the original IP header stays in clear text and an ESP header is inserted between it and the payload; only the payload carrying sensitive information is encrypted, while clear-text bulk data travels as ordinary IP | payload packets.]
IPsec Example (Tunnel)
A single IPsec gateway secures multiple site networks
Simplicity, High Performance, Flexibility and Compatibility
[Figure: two LANs, each behind an IPsec gateway, joined by an IPsec "tunnel" across the Internet. Inside each LAN packets are clear-text IP | payload; between the gateways the whole original packet (IP header and payload) is encrypted and carried as new IP header | ESP header | encrypted original packet.]
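The two modes above differ only in what ESP wraps and whom the outer IP header names. As an added example (not code from the original slides or from any IPsec implementation), the following Python builds both layouts and runs the receiver-side checks the IPsec Services slide lists: the integrity check value and the anti-replay window. To stay within the standard library it uses ESP with the NULL cipher (RFC 2410) and an HMAC-SHA256-128 ICV, so the region a real cipher would encrypt is only authenticated here; the header and trailer layout is the same. The addresses, SPI values and key are constructed for the example.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

PROTO_IPIP, PROTO_TCP, PROTO_ESP = 4, 6, 50   # IANA protocol numbers
ICV_LEN = 16                                  # HMAC-SHA256-128: ICV truncated to 128 bits


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header without options (header checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def esp_encapsulate(key: bytes, spi: int, seq: int, data: bytes, next_header: int) -> bytes:
    """RFC 4303 layout: SPI | seq | data | padding | pad length | next header | ICV.
    With ESP-NULL nothing is encrypted; a real cipher would cover data..next header."""
    pad_len = (-(len(data) + 2)) % 4                 # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))           # default pad pattern 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + data + padding + bytes([pad_len, next_header])
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


def icv_valid(key: bytes, esp: bytes) -> bool:
    """Recompute the ICV over everything before it and compare in constant time."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN], icv)


def esp_decapsulate(key: bytes, esp: bytes):
    """Verify first, then strip header and trailer. Returns (spi, seq, next_header, data)."""
    if not icv_valid(key, esp):
        raise ValueError("ICV mismatch: packet modified in transit or wrong SA key")
    body = esp[:-ICV_LEN]
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]


def transport_mode(key, spi, seq, src, dst, tcp_segment):
    """Transport mode: the hosts' own IP header stays in clear; ESP sits between it
    and the upper-layer data, so only the ULP data is protected."""
    esp = esp_encapsulate(key, spi, seq, tcp_segment, PROTO_TCP)
    return ipv4_header(src, dst, PROTO_ESP, len(esp)) + esp


def tunnel_mode(key, spi, seq, gw_src, gw_dst, original_packet):
    """Tunnel mode: the whole original packet, header included, becomes the ESP
    payload (next header = IP-in-IP) and a new gateway-to-gateway header is prepended."""
    esp = esp_encapsulate(key, spi, seq, original_packet, PROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, PROTO_ESP, len(esp)) + esp


class ReplayWindow:
    """Receiver anti-replay check (RFC 4303 Appendix A): a bitmap over the last `size`
    sequence numbers, bit 0 being the highest sequence number accepted so far."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq > self.top:                            # advances the right edge: slide
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        if self.top - seq >= self.size:               # older than the window: reject
            return False
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:                         # already received: replay
            return False
        self.bitmap |= bit
        return True


if __name__ == "__main__":
    key = b"example-sa-key-not-for-real-use"          # constructed
    segment = b"TCP header and application data"      # constructed ULP data
    t = transport_mode(key, 0x1001, 1, "192.0.2.10", "198.51.100.20", segment)
    inner = ipv4_header("192.0.2.10", "198.51.100.20", PROTO_TCP, len(segment)) + segment
    u = tunnel_mode(key, 0x2002, 1, "203.0.113.1", "203.0.113.2", inner)
    print("transport next header:", esp_decapsulate(key, t[20:])[2])   # 6 (TCP)
    print("tunnel next header:", esp_decapsulate(key, u[20:])[2])      # 4 (IP-in-IP)
    w = ReplayWindow(4)
    print([w.check_and_update(s) for s in (1, 2, 5, 3, 2, 1, 4)])      # [T, T, T, T, F, F, T]
```

Two points to notice when running it: the outer header of the tunnel-mode packet carries the gateway addresses and hides the inner header entirely, which is what lets one gateway protect a whole site; and the receiver verifies the ICV before looking at anything else in the packet, so a modified or replayed packet is dropped before its contents can influence processing.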
Mobile IP – The Problem
A mobile host must be assigned a new address when it moves outside of the home network (routing delivers packets by network prefix), yet the host address must be preserved regardless of the host's location (transport connections are bound to it)
[Figure: a mobile node moving from its Home Network to a Foreign Network]
Mobile IP – Basic Entities
Mobile Node (or Mobile Host)
Home Agent (HA): the agent of the network where the mobile node belongs (Home Network)
Foreign Agent (FA): the agent of the foreign network where the mobile node may be found
Home Address: the mobile node's permanent address
Care-of Address (CoA): the mobile node's temporary address, assigned in the foreign network
Mobile IP – Basic Entities
A mobile node keeps its home address inside the home network, but in a foreign network it borrows a care-of address
Agents take care of all issues related to the mapping of the care-of address to the home address
Agents are routers or advanced servers
Mobile IP Mechanism
Advertising the care-of address
Registration
Tunneling
Mobile IP – Advertising the Care-of Address
Home and foreign agents periodically broadcast agent advertisements (ICMP Router Advertisement messages carrying a mobility agent extension) to mobile nodes
Messages contain: the mobility agent address and the care-of address(es)
Move detection: if the network prefix of the advertisement's IP source address equals the network prefix of the home address, the mobile node is in the home network; otherwise it has moved and registration is required
Mobile IP – Advertising the Care-of Address
[Figure: a Home Agent (agent address 132.5.3.2, care-of address 132.5.3.8) and a Foreign Agent (agent address 169.17.8.29, care-of address 169.17.8.11) connected through the Internet, with mobile nodes whose home addresses are 132.5.3.69 and 132.5.3.74. The node hearing the advertisement from 132.5.3.2 is in the home network; the node hearing the advertisement from 169.17.8.29 requires registration.]
Mobile IP – Registration
1. The host requests service
2. The Foreign Agent relays the request to the Home Agent
3. The Home Agent accepts or denies
4. The Foreign Agent relays the status to the host
After registration both the host and the agents know the host's new location, and the home agent knows the host's care-of address
Mobile IP – Tunneling
How are packets from sources delivered to the host?
The home agent (a router) intercepts packets destined to the host's home address
The home agent tunnels (encapsulates) the packets to the care-of address
The foreign agent decapsulates the packets and delivers them to the mobile host
Mobile IP – Tunneling
Mobile Host Home Address: 148.6.8.2
Mobile Host Care-of Address: 134.2.5.7
[Figure: packets to the host. A source sends Header (Dest. Addr. 148.6.8.2) | Data across the Internet; the Home Agent prepends an Outer Header (Dest. Addr. 134.2.5.7) in front of the Inner Header (Dest. Addr. 148.6.8.2) | Payload; the Foreign Agent removes the outer header and delivers Header (Dest. Addr. 148.6.8.2) | Data to the Mobile Host.]
Mobile IP: NAT issues
The problem:
IP-in-IP tunnels cannot traverse NAT: the NAT has no port numbers on which to map the tunnel
The care-of address is a private address, which is not reachable from outside the private network
Two mobile nodes in different private networks may happen to have the same private address as care-of address
The solution (draft-ietf-mobileip-nat-traversal-05.txt, later published as RFC 3519):
Use IP-in-UDP tunnels
Use the source IP address and source port of the Registration Request messages, as seen by the home agent after NAT translation, to locate the mobile node
Add an option to the registration messages to inform of UDP tunneling capability
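The Mobile IP mechanism slides (advertising, registration, tunneling) and the NAT issues slide above describe one procedure. The following Python models it end to end: move detection by prefix comparison, registration relayed through the foreign agent, IP-in-IP tunneling by the home agent, and the IP-in-UDP variant once a NAT sits in front of the care-of address. It is an added example, not code from the original slides or from any Mobile IP implementation, and packets are objects rather than wire bytes. 148.6.8.2 and 134.2.5.7 are the home and care-of addresses from the tunneling figure; the home-agent address 148.6.8.1, the foreign-agent address 134.2.5.1, the private care-of address 192.168.1.7, the NAT's public endpoint 203.0.113.9:40000 and the correspondent 10.9.0.5 are assumptions.

```python
# Added illustration of Mobile IP registration and tunneling; all addresses other
# than 148.6.8.2 (home address) and 134.2.5.7 (care-of address) are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PROTO_IPIP, PROTO_UDP = 4, 17     # IANA protocol numbers: IP-in-IP, UDP
MIP_PORT = 434                    # Mobile IP registration port (RFC 5944)


@dataclass
class UDPSegment:
    sport: int
    dport: int
    payload: object


@dataclass
class IPPacket:
    src: str
    dst: str
    proto: int
    payload: object               # bytes, an inner IPPacket (IP-in-IP) or a UDPSegment


def needs_registration(advert_src: str, home_addr: str, prefix_len: int) -> bool:
    """Move detection: the node is at home iff the agent advertisement it hears
    comes from the same network prefix as its home address."""
    home_net = ip_network(f"{home_addr}/{prefix_len}", strict=False)
    return ip_address(advert_src) not in home_net


class HomeAgent:
    def __init__(self, address: str, home_prefix: str):
        self.address, self.home_net = address, ip_network(home_prefix)
        self.bindings = {}        # home address -> (care-of address, NAT endpoint or None)

    def register(self, home_addr: str, coa: str, request_src: tuple) -> str:
        """Accept or deny a registration. request_src is the (ip, port) the request
        actually arrived from; if that ip is not the care-of address a NAT rewrote
        it, so the binding keeps the NAT endpoint and delivery uses IP-in-UDP."""
        if ip_address(home_addr) not in self.home_net:
            return "denied"
        nat_endpoint = request_src if request_src[0] != coa else None
        self.bindings[home_addr] = (coa, nat_endpoint)
        return "accepted"

    def intercept(self, pkt: IPPacket) -> IPPacket:
        """Tunnel packets for registered visitors; nodes at home get them unchanged."""
        if pkt.dst not in self.bindings:
            return pkt
        coa, nat = self.bindings[pkt.dst]
        if nat is None:           # IP-in-IP: outer header HA -> care-of address
            return IPPacket(self.address, coa, PROTO_IPIP, pkt)
        nat_ip, nat_port = nat    # IP-in-UDP: outer header HA -> NAT, UDP to the mapped port
        return IPPacket(self.address, nat_ip, PROTO_UDP, UDPSegment(MIP_PORT, nat_port, pkt))


class ForeignAgent:
    def __init__(self, address: str, coa: str):
        self.address, self.coa, self.visitors = address, coa, set()

    def relay_registration(self, ha: HomeAgent, home_addr: str, request_src: tuple) -> str:
        status = ha.register(home_addr, self.coa, request_src)
        if status == "accepted":
            self.visitors.add(home_addr)
        return status

    def decapsulate(self, pkt: IPPacket):
        """Strip the outer header (and UDP header, if any); deliver only to visitors."""
        if pkt.dst != self.coa:
            return None
        if pkt.proto == PROTO_IPIP:
            inner = pkt.payload
        elif pkt.proto == PROTO_UDP and pkt.payload.dport == MIP_PORT:
            inner = pkt.payload.payload
        else:
            return None
        return inner if inner.dst in self.visitors else None


def nat_inbound(pkt: IPPacket, public_ip: str, public_port: int, private_ip: str):
    """What the NAT does to a tunneled packet from the Internet: IP-in-UDP to a mapped
    port is rewritten to the private care-of address; IP-in-IP has no port to match
    on and is dropped, which is the problem the slide describes."""
    if pkt.proto != PROTO_UDP or pkt.dst != public_ip or pkt.payload.dport != public_port:
        return None
    seg = pkt.payload
    return IPPacket(pkt.src, private_ip, PROTO_UDP, UDPSegment(seg.sport, MIP_PORT, seg.payload))


def demo_plain():
    ha = HomeAgent("148.6.8.1", "148.6.8.0/24")
    fa = ForeignAgent("134.2.5.1", "134.2.5.7")
    moved = needs_registration(fa.address, "148.6.8.2", 24)
    status = fa.relay_registration(ha, "148.6.8.2", (fa.coa, MIP_PORT))
    outer = ha.intercept(IPPacket("10.9.0.5", "148.6.8.2", 6, b"hello"))   # constructed
    return moved, status, outer, fa.decapsulate(outer)


def demo_nat():
    ha = HomeAgent("148.6.8.1", "148.6.8.0/24")
    fa = ForeignAgent("192.168.1.1", "192.168.1.7")          # private care-of address
    nat_ip, nat_port = "203.0.113.9", 40000                  # mapping the HA sees
    status = fa.relay_registration(ha, "148.6.8.2", (nat_ip, nat_port))
    outer = ha.intercept(IPPacket("10.9.0.5", "148.6.8.2", 6, b"hello"))
    return status, outer, fa.decapsulate(nat_inbound(outer, nat_ip, nat_port, fa.coa))


if __name__ == "__main__":
    print(demo_plain())
    print(demo_nat())
```

The binding table is keyed by home address and, in the NAT case, stores the translated (address, port) pair the registration came from, which is exactly how the draft lets the home agent tell apart two visitors that happen to share the same private care-of address.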
IP Telephony
Until now the PSTN and the Internet have been two different networks
Need for integration
Solution: Voice over IP (VoIP)
New devices: IP telephones, gatekeepers
IP Telephony vs Pure Telephony
Pure telephony: end-to-end QoS, no delay, isolated from new IP services
IP telephony: variable QoS, delay, integrated with other services; these problems are expected to be solved in the future
IP Telephony Features
Data transport: RTP
Signalling: IETF SIP protocol suite, ITU-T H.323 protocol suite
Quality of Service: RSVP
First Intermediate Report
NAT and Mobile IP: I. Stergiou
IPv6 and IPsec: A. Sgora
Deadline: 15/01/03
First Intermediate Report
Structure:
Overview of the examined technology
Focus on open research points
Works related to the open points (state of the art behind the open points)
Your own interests and ideas
Conclusions
References
First Intermediate Report
Report (soft and hard copy)
A related presentation (about twenty minutes)