GPRS Interworking with IPv6
Preeti Vinayakray-Jani
NOKIA RESEARCH CENTER, HELSINKI, FINLAND
Outline
• GPRS Architecture - Basic Services
• IPv6 over GPRS - A Protocol Stack
• Interworking Mechanisms and their Examples
• GPRS Interworking with Internet
• Security Threats in GPRS systems with Examples
• Summary
GPRS Architecture
(Architecture diagram, labels only: a cellular world with Operator A and Operator B, each showing SGSN, VLR/HLR, GPRS core and GGSN; GTP'; BG (4&6); the existing IPv4 Internet.)
Basic Services
• Address acquisition
  • stateless
  • stateful
    • assign single address
    • assign subnet
  • GGSN intercepts and replies to neighbor discovery messages
  • possible design:
    • GTP tunnel based on link-layer address only
    • MN address assignment as a result of the 'GPRS Activate Context' request (which is triggered during PPP setup)
    • GGSN sends router advertisements once the GTP tunnel is formed
• Name resolution
  • New DNS record types: AAAA and A6
  • AAAA support already exists
  • DNS server should be dual stack
• Data transfer
Visited Network Support
• Network with IPv6 support (v6)
  • In such a network there is an IPv6 router reachable by the mobile host; the router responds to IPv6 router solicitation requests sent by the mobile host. The IPv6 router has connectivity to the rest of the IPv6 world.
• Network with basic IPv4 support (v4)
  • no support for IPv6
  • no enforcing of the use of a Mobile IPv4 FA (may not support MIPv4 at all)
• Network with IPv4 support in which use of an external FA (Foreign Agent) is mandatory (v4FA)
  • An IPv4 network not supporting IPv6 and requiring the visiting mobile host to use an external FA in the network.
• In the first phase of evolution from IPv4 to IPv6, the v4 type of network will be the most common visited network type (v4FA networks are most probably rare because of the low deployment of MIPv4).
Interworking Mechanisms
• Encapsulation
  • Supports end-to-end IPv6 connectivity over IPv4 networks
  • Configured tunnels (does not scale)
  • Automatic encapsulation (requires 1 public IPv4 address per recipient)
  • 6to4 encapsulation (requires 1 public IPv4 address per site)
• Protocol translation
  • Necessary for communication between IPv4 and IPv6 end points
  • Network layer translators
    • SIIT, NAT-PT (require little or no host changes)
  • Upper layer translators
    • SOCKS, ALGs
• Temporary address allocation
  • Supports end-to-end IPv4 connectivity between a dual stack mobile node and an IPv4-only correspondent
  • AIIH (assigning IPv4 addresses to IPv6 hosts)
  • RSIP (realm specific IP)
• Continued...
Continued: Temporary Address Allocation
• AIIH may still be relevant
  • Implementations reportedly under way
  • Allows connections initiated from the outside
  • AIIH server is a combined DNS and DHCP server
  • Uses DHCPv6 extensions (Reconfigure)
• RSIP is promising but not a panacea
  • Requires host modifications
  • Intermediate node maintains state
  • Potential problems with TCP states: refused connections, security exposures
  • Some applications may assume that all <IP-address, port> pairs with the same 'IP-address' end in the same node
Encapsulation Example: 6to4
• Requires only 1 IPv4 address per site
• Implemented on various OS
• Appears to be popular and effective
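The "1 public IPv4 address per site" property comes from the 6to4 address format (RFC 3056): the site's IPv4 address is embedded in the 2002::/16 prefix, so any 6to4 router can find the tunnel endpoint for a 2002::/16 destination in the address itself. The following is an added example, not code from the presentation; the site address 198.51.100.7 and the dummy IPv6 payload are constructed, and the list of unusable IPv4 ranges is an assumption of this example.

```python
import ipaddress
import struct
from typing import Optional

SIXTO4 = ipaddress.IPv6Network("2002::/16")
# Ranges that cannot serve as a 6to4 site address (6to4 needs a public unicast IPv4 address).
# This list is an assumption of the example, not taken from the presentation.
UNUSABLE_V4 = [ipaddress.IPv4Network(n) for n in
               ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def sixto4_prefix(site_ipv4: str) -> ipaddress.IPv6Network:
    """Derive the site's /48 6to4 prefix 2002:WWXX:YYZZ::/48 from its public IPv4 address."""
    v4 = ipaddress.IPv4Address(site_ipv4)
    if any(v4 in net for net in UNUSABLE_V4):
        raise ValueError(f"{v4} is not a public unicast address; 6to4 needs one per site")
    # 2002::/16 followed by the 32-bit IPv4 address in bits 16..47 of the 128-bit address.
    return ipaddress.IPv6Network((int(SIXTO4.network_address) | (int(v4) << 80), 48))

def tunnel_endpoint(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """Outer IPv4 address for a 6to4 address; None means the destination is not 6to4
    and must be reached natively or through a 6to4 relay router."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)

def _checksum(header: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(src_ipv6: str, dst_ipv6: str, inner_packet: bytes) -> bytes:
    """Wrap an IPv6 packet in an IPv4 header with protocol 41 (IPv6-in-IPv4), as a 6to4
    border router does for direct site-to-site traffic."""
    outer_src = tunnel_endpoint(src_ipv6)
    outer_dst = tunnel_endpoint(dst_ipv6)
    if outer_src is None or outer_dst is None:
        raise ValueError("both ends must be 6to4 addresses for direct site-to-site tunneling")
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner_packet), 0, 0, 64, 41, 0,
                         outer_src.packed, outer_dst.packed)
    header = header[:10] + struct.pack("!H", _checksum(header)) + header[12:]
    return header + inner_packet

if __name__ == "__main__":
    print(sixto4_prefix("198.51.100.7"))                     # constructed site address
    print(tunnel_endpoint("2002:c633:6407:1::10"))            # IPv4 endpoint embedded in the address
    print(len(encapsulate("2002:c633:6407::1", "2002:c000:201::1", b"\x60" + bytes(39))))
```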
Protocol Translation Example: SIIT
• NAT-PT and BITS use translations specified by SIIT
Protocol Translation Example: SOCKS
• host change required, but no changes to DNS, routing etc.
• implementation is available
• public acceptance unclear, but appears to be quite useful
Temporary address allocation example: RSIP
• preserves end-to-end functionality
• seen as 'next best thing' to IPv6
• no practical experience yet
(Message sequence diagram between an RSIP client in address space A, an RSIP server, and a correspondent in address space B. Responses from the RSIP server are not shown.)
RSIP client -> RSIP server: REGISTER_REQUEST
RSIP client -> RSIP server: ASSIGN_REQUEST (address in B, or address/port-range)
data traffic: via tunnel between RSIP client and RSIP server, then plain between RSIP server and correspondent
RSIP client -> RSIP server: ASSIGN_REQUEST_EXT (address in B, or address/port-range)
data traffic: via tunnel between RSIP client and RSIP server, then plain between RSIP server and correspondent
RSIP client -> RSIP server: DEALLOCATE
RSIP client -> RSIP server: DE-REGISTER REQUEST
Security Threats in GPRS systems
• Denial of Service (DoS)
  • A particular victim Mobile host gets terminated
  • Malicious party gets to see all traffic directed to a particular Mobile host
• Session Stealing/Spoofing
  • Eavesdropping and flooding the Mobile host with bogus traffic
  • Intercepting packets destined to the Mobile host
• Incompetent Translator
  • Attacker gains physical access via an unattended network socket; by exercising some ARP requests to DHCP, gets access to an IP host and floods the network
• Simple attack through the Intranet to the GGSN's Gi interface
• Attack through GPRS Tunneling Protocol (GTP)
GPRS Interworking with Internet
(Diagram: MN, SGSN, GPRS core, GGSN and FW in the operator's own network; an Edge Router between the Operator NW and the IPv4 Internet; Router 1 between the IPv4 Internet and an IPv6 network; a TrGW providing NAT-PT, RSIP, encapsulation/decapsulation, ALGs, etc.; IPv4 and IPv6 intranets, Operator IPv4 and IPv6 services, a stub NW, and the Host. Points (1) to (6) below are marked on the diagram, with "ADDR" labels at the MN (1) and the Host (6).)
• (1) Mobile node type and address
• (2) GGSN AP type (IPv4, IPv6, 6to4, ..) and address
• (3) Possibly needed TrGW: needed functionality and address type
• (4) Edge router (assumption: dual stack); functionality and address type
• (5) Router 1 between IPv4 Internet and IPv6 network
• (6) The host that the MN is connected to
• Points to think about:
  • If tunneling is needed, what tunneling mechanism is used and what are the endpoints of the tunnel?
  • Is a translator such as NAT-PT needed in this case?
  • Is there a sufficient number of public IPv4 addresses (most probably not)?
  • ...
Summary
• Suitable transition techniques for IPv4 interoperability exist
  • use dual stack nodes, encapsulation, and temporary IPv4 address allocation as the primary interoperability mechanisms
  • if protocol translation is necessary, use upper layer translators where possible
  • use IP-layer protocol translators only when there is no other option
• Applicability of Transition Mechanisms
  • the 6to4 encapsulating mechanism is more competitive than the others
  • upgrade the existing IPv4 servers with dual stack support
  • in case of limited public IPv4 addresses, the use of RSIP is currently the preferred choice
• Security Considerations
  • to preserve end-to-end integrity of data when protocol translation is necessary, one should use SOCKS or ALGs rather than SIIT and NAT-PT
  • trust management with other operators is an important issue