
Advanced Issues in Internet Protocol (IP)

Explore IPsec protocols, advantages, and disadvantages for secure network communication. Learn about AH, ESP, IPcomp, IKE, and their roles in data integrity, confidentiality, and access control.



  1. Advanced Issues in Internet Protocol (IP) • IPv4 • Network Address Translation (NAT) • IPV6 • IP Security (IPsec) • Mobile IP • IP Telephony Network Architecture and Design

  2. IP Security (IPsec) • Advantages • Provides security transparently to the upper-layer protocols (ULPs: transport and application layers), which need no changes • Allows per-flow or per-connection security and thus very fine-grained security control • Disadvantages • Harder to apply on a per-user basis on a multi-user machine, because IPsec policy is expressed in terms of addresses, protocols and ports rather than users

  3. IPsec Services • Connectionless integrity • Assurance that received traffic has not been modified • Integrity includes anti-replay defences (a sliding window over the sequence number, so a captured packet cannot be injected again later) • Data origin authentication • Assurance that traffic was sent by the legitimate party or parties • Confidentiality (encryption) • Assurance that the user's traffic is not examined by unauthorised parties • Access control • Prevention of unauthorised use of a resource
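The anti-replay defence on this slide is worth seeing in working code. The block below is an added example, not code from the lecture: it implements the sliding-window check that an AH/ESP receiver applies to the 32-bit sequence number of each inbound packet on a Security Association. RFC 2401 requires receivers to support a window of at least 32 packets and recommends 64 as the default; 64 is the assumed size here, and the arrival order in `ARRIVALS` is constructed for the demonstration.

```python
# Added example, not from the lecture slides: the sliding-window anti-replay
# check that an AH/ESP receiver applies to the 32-bit sequence number in each
# packet. RFC 2401 requires a window of at least 32 packets and recommends 64
# as the default; 64 is the assumed size here.


class ReplayWindow:
    """Anti-replay state for one inbound Security Association."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  =>  packet (highest - i) already seen

    def check(self, seq: int) -> bool:
        """True if seq may be accepted: not zero, not older than the window,
        not already seen. Does not change state, so it can run before the
        (expensive) ICV verification."""
        if seq == 0:
            return False                      # senders start at 1; 0 is never valid
        if seq > self.highest:
            return True                       # new high-water mark
        diff = self.highest - seq
        if diff >= self.size:
            return False                      # fell off the left edge of the window
        return not (self.bitmap >> diff) & 1  # set bit means replay

    def update(self, seq: int) -> None:
        """Record seq. Call only after the packet's ICV verified, otherwise an
        attacker could advance the window with forged sequence numbers."""
        mask = (1 << self.size) - 1
        if seq > self.highest:
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & mask
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def accept(self, seq: int) -> bool:
        """check + update in one step, as a receiver does once the ICV is good."""
        if not self.check(seq):
            return False
        self.update(seq)
        return True


def replay_verdicts(received: list) -> list:
    """Feed a constructed arrival order of sequence numbers; return accept/drop verdicts."""
    window = ReplayWindow()
    return [window.accept(seq) for seq in received]


# Constructed arrival order: in-order delivery, a replayed 3, reordering (5 before 4),
# a replayed 2, a jump to 100, a late-but-in-window 37, a too-old 36 and a replayed 100.
ARRIVALS = [1, 2, 3, 3, 5, 4, 2, 100, 37, 36, 100]
```

The split between `check` and `update` matters: the window is only advanced after the integrity check value has verified, so an attacker who cannot forge the ICV cannot push legitimate packets out of the window by sending high sequence numbers. Reordered packets inside the window (4 arriving after 5) are still accepted; anything older than the window, or already marked in the bitmap, is dropped.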

  4. IPsec Protocols • IPsec = AH + ESP + IPcomp + IKE • Authentication Header (AH) • Provides an authenticity guarantee for packets by attaching a strong cryptographic checksum (a keyed MAC, the Integrity Check Value) to each packet; AH does not encrypt anything • Ensures: • The packet was originated by the expected peer • The packet was not generated by an impersonator • The packet was not modified in transit

  5. IPsec Protocols • Encapsulating Security Payload (ESP) • Provides a confidentiality guarantee for packets by encrypting the payload with a negotiated encryption algorithm • Ensures: • The packet contents cannot be read by a wiretapper in the middle • Caveat: encryption alone does not detect modification; ESP's optional authentication (or AH alongside it) should be used, since encryption-only ESP is open to active attacks

  6. IPsec Protocols • IP Payload Compression (IPcomp) • Provides a way to compress packets before encryption by ESP (ciphertext does not compress, so compression must come first) • Internet Key Exchange (IKE) • AH and ESP need a shared secret key between the peers • IKE authenticates the peers and negotiates the keys and security associations in secrecy

  7. RFC 2401-2412

  8. IPsec Modes • Transport mode and tunnel mode (illustrated on the next two slides)

  9. IPsec Example (Transport) • Bulk data in clear text, but sensitive information encrypted • Privacy, transparency, flexibility and high performance • [Figure: two IPsec hosts on separate LANs, each behind a router, communicating across the Internet. Sensitive information: clear-text IP header, IPsec ESP header, encrypted ESP payload. Bulk data: clear-text IP header and clear-text payload]

  10. IPsec Example (Tunnel) • A single IPsec gateway secures multiple site networks • Simplicity, high performance, flexibility and compatibility • [Figure: two LANs, each behind an IPsec gateway, joined by an IPsec "tunnel" across the Internet. Inside the LANs: clear-text IP header and payload. In the tunnel: new clear-text IP header, IPsec ESP header, then the original IP header and payload encrypted]
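The two slides above differ only in where the ESP header is inserted and which IP header travels in the clear. The block below is an added example, not code from the lecture: it builds both layouts byte by byte and parses each the way an on-path router can, showing that transport mode exposes the communicating hosts while tunnel mode exposes only the gateways. The "ciphertext" is a constructed placeholder (zero bytes of the right length) and the ICV a fixed marker, because the point is the packet structure, not the cipher; addresses are constructed.

```python
import struct

# Added example, not from the lecture: transport-mode and tunnel-mode ESP layouts
# from slides 9-10, and what a router on the path can read from each.
# The "ciphertext" is a constructed placeholder and the ICV a fixed 16-byte marker.
# Addresses are constructed; protocol numbers 4/6/50 are the IANA values.

IPPROTO_IPIP = 4
IPPROTO_TCP = 6
IPPROTO_ESP = 50


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 20-byte header, folded to 16 bits."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) with a valid checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def placeholder_encrypt(plaintext: bytes) -> bytes:
    """Stand-in for the ESP cipher: hides the contents, keeps the length. Constructed."""
    return b"\x00" * len(plaintext)


def esp(spi: int, seq: int, plaintext: bytes, next_header: int) -> bytes:
    """ESP packet: 8-byte header (SPI, sequence number), encrypted payload plus
    trailer (pad length, next header), then a 16-byte placeholder ICV."""
    trailer = bytes([0, next_header])            # no padding in this toy layout
    return struct.pack("!II", spi, seq) + placeholder_encrypt(plaintext + trailer) + b"\xaa" * 16


def transport_mode(src: str, dst: str, app_data: bytes, spi: int = 0x1001, seq: int = 1) -> bytes:
    """Transport mode: the original IP header stays; ESP protects only the ULP data."""
    body = esp(spi, seq, app_data, IPPROTO_TCP)
    return ipv4_header(src, dst, IPPROTO_ESP, len(body)) + body


def tunnel_mode(gw_src: str, gw_dst: str, inner_packet: bytes, spi: int = 0x2002, seq: int = 1) -> bytes:
    """Tunnel mode: the whole inner IP packet is encrypted; a new header addresses the gateways."""
    body = esp(spi, seq, inner_packet, IPPROTO_IPIP)
    return ipv4_header(gw_src, gw_dst, IPPROTO_ESP, len(body)) + body


def router_view(packet: bytes) -> dict:
    """Parse only what an on-path router can see: the cleartext IP header and the ESP header."""
    proto = packet[9]
    view = {"src": ".".join(map(str, packet[12:16])),
            "dst": ".".join(map(str, packet[16:20])),
            "proto": proto,
            "checksum_ok": ipv4_checksum(packet[:20]) == 0}
    if proto == IPPROTO_ESP:
        view["spi"], view["seq"] = struct.unpack("!II", packet[20:28])
    return view


def demo() -> tuple:
    """Router's view of the same application data sent in each mode (constructed hosts)."""
    inner = ipv4_header("10.0.1.5", "10.0.2.7", IPPROTO_TCP, 12) + b"hello world!"
    return (router_view(transport_mode("10.0.1.5", "10.0.2.7", b"hello world!")),
            router_view(tunnel_mode("203.0.113.1", "198.51.100.1", inner)))
```

In transport mode the router still learns that 10.0.1.5 talks to 10.0.2.7 (and the SPI), which is the traffic-analysis cost of keeping the original header; in tunnel mode it sees only the two gateways, and the inner addresses appear nowhere in the packet. A real ESP implementation replaces `placeholder_encrypt` and the fixed ICV with the negotiated cipher and MAC.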

  11. Advanced Issues in Internet Protocol (IP) • IPv4 • Network Address Translation (NAT) • IPV6 • IP Security (IPsec) • Mobile IP • IP Telephony

  12. Mobile IP – The Problem • A mobile host must be assigned a new address when it moves outside of its home network • Yet the host's address must be preserved regardless of the host's location, because existing transport connections are bound to it • [Figure: a mobile node moving from the Home Network to a Foreign Network]

  13. Mobile IP – Basic Entities • Mobile Node (or Mobile Host) • Home Agent (HA) • The agent of the network where the mobile node belongs (Home Network) • Foreign Agent (FA) • The agent of the foreign network where the mobile node may currently be found • Home Address • The mobile node's permanent address • Care-of Address (CoA) • The mobile node's temporary address assigned in the foreign network

  14. Mobile IP – Basic Entities • A mobile node keeps its home address inside the home network, but in a foreign network it borrows a care-of address • Agents: • Take care of all issues related to the mapping of the care-of address to the home address • Agents are: • Routers • Dedicated servers

  15. Mobile IP Mechanism • Advertising care-of address • Registration • Tunneling

  16. Mobile IP: Advertising Care-of Address • Home and foreign agents periodically broadcast agent advertisements (ICMP router advertisement messages) to mobile nodes • Messages contain: • mobility agent address • care-of addresses • Move detection: if the network prefix of the advertisement's IP source address equals the network prefix of the mobile node's home address, then the mobile node is in the home network; otherwise a move has been detected and registration is required

  17. Mobile IP: Advertising Care-of Address • [Figure: Home Agent (agent address 132.5.3.2, care-of address 132.5.3.8) and Foreign Agent (agent address 169.17.8.29, care-of address 169.17.8.11) connected through the Internet. Node 132.5.3.69, hearing the home agent, is in the home network; node 132.5.3.74, hearing the foreign agent, requires registration]

  18. Mobile IP - Registration • After registration: • Both the host and the agents know the host's new location • The home agent knows the host's care-of address • [Figure, message sequence across the Internet: 1. Host requests service (Registration Request to the Foreign Agent) 2. Foreign Agent relays the request to the Home Agent 3. Home Agent accepts or denies 4. Foreign Agent relays the status to the host]

  19. Mobile IP - Tunneling • How are packets from correspondent sources delivered to the mobile host? • The home agent (a router) intercepts packets destined for the host's home address • The home agent tunnels (encapsulates) the packets to the care-of address • The foreign agent decapsulates the packets and delivers them to the mobile host

  20. Mobile IP - Tunneling • [Figure: Source → Home Agent → Internet → Foreign Agent → Mobile Host (home address 148.6.8.2, care-of address 134.2.5.7). Packets to the host leave the source as Header (Dest. Addr. 148.6.8.2) + Payload (Data). The Home Agent adds an Outer Header (Dest. Addr. 134.2.5.7) in front of the Inner Header (Dest. Addr. 148.6.8.2) + Payload. The Foreign Agent strips the outer header and delivers Header (Dest. Addr. 148.6.8.2) + Payload (Data)]

  21. Mobile IP: NAT issues • The problem: • IP-in-IP tunnels cannot traverse NAT: the outer header carries no port, so the NAT has nothing to build a mapping on • The care-of address is a private address, not reachable from outside the private network • Two mobile nodes in different private networks may happen to have the same private address as care-of address • The solution: draft-ietf-mobileip-nat-traversal-05.txt (later published as RFC 3519) • Use IP-in-UDP tunnels • Use the source IP address and source port of the Registration Request messages, as seen by the home agent (i.e. the NAT's public mapping), to locate the mobile node • Add an option to registration messages to inform of UDP tunneling capability
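The mechanism on slides 16 to 21 (move detection, registration, home-agent encapsulation, foreign-agent decapsulation, and why a NAT breaks plain IP-in-IP but not IP-in-UDP) fits in one small model. The block below is an added example, not code from the lecture: packets are plain dataclasses rather than real headers, all addresses and the /24 prefix length are constructed, and the NAT is a minimal port-translating one written for the demonstration. Protocol number 4 (IP-in-IP) is from RFC 2003 and UDP port 434 is the Mobile IP registration port.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Added example, not from the lecture slides: move detection (slide 16),
# registration and home-agent tunnelling (slides 18-20) and the NAT problem
# (slide 21), modelled with plain dataclasses instead of real packets.
# All addresses, the /24 prefix length and the NAT port range are constructed.

IPPROTO_IPIP = 4       # IP-in-IP encapsulation, RFC 2003
IPPROTO_UDP = 17
MIP_UDP_PORT = 434     # Mobile IP registration port, reused for UDP tunnelling


@dataclass
class IPPacket:
    src: str
    dst: str
    proto: int
    payload: object          # application data, an inner IPPacket, or a UDP dict


def needs_registration(agent_addr: str, home_addr: str, prefix_len: int = 24) -> bool:
    """Slide 16 move detection: the advertisement's source prefix vs the home prefix."""
    agent_net = IPv4Network(f"{agent_addr}/{prefix_len}", strict=False)
    return IPv4Address(home_addr) not in agent_net


class HomeAgent:
    def __init__(self, addr: str):
        self.addr = addr
        self.bindings = {}   # home address -> ("ipip", care_of, None) | ("udp", ip, port)

    def register(self, home_addr: str, care_of: str, req_src: tuple = None) -> None:
        """Slides 18/21: accept a Registration Request. req_src is the (ip, port) the
        request arrived from; if it differs from the care-of address a NAT is in the
        path, so the tunnel must be IP-in-UDP towards the NAT's public mapping."""
        if req_src and req_src[0] != care_of:
            self.bindings[home_addr] = ("udp", req_src[0], req_src[1])
        else:
            self.bindings[home_addr] = ("ipip", care_of, None)

    def forward(self, pkt: IPPacket) -> IPPacket:
        """Slide 19: intercept packets for a registered home address and tunnel them."""
        if pkt.dst not in self.bindings:
            return pkt                                   # host is at home: deliver normally
        kind, endpoint, port = self.bindings[pkt.dst]
        if kind == "udp":
            return IPPacket(self.addr, endpoint, IPPROTO_UDP,
                            {"sport": MIP_UDP_PORT, "dport": port, "inner": pkt})
        return IPPacket(self.addr, endpoint, IPPROTO_IPIP, pkt)


def decapsulate(outer: IPPacket) -> IPPacket:
    """Foreign agent (or the mobile node): strip the outer header, return the original."""
    if outer.proto == IPPROTO_IPIP:
        return outer.payload
    if outer.proto == IPPROTO_UDP and outer.payload["sport"] == MIP_UDP_PORT:
        return outer.payload["inner"]
    raise ValueError("not a Mobile IP tunnel packet")


class Nat:
    """Port-translating NAT at the edge of the foreign (private) network. Constructed."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table = {}                     # public port -> (private ip, private port)
        self.next_port = 40000

    def outbound(self, pkt: IPPacket) -> IPPacket:
        if pkt.proto != IPPROTO_UDP:
            raise ValueError("no transport port to key a mapping on")
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[pub_port] = (pkt.src, pkt.payload["sport"])
        return IPPacket(self.public_ip, pkt.dst, IPPROTO_UDP, dict(pkt.payload, sport=pub_port))

    def inbound(self, pkt: IPPacket) -> IPPacket:
        # Plain IP-in-IP carries no port, so this lookup has nothing to key on: dropped.
        if pkt.proto != IPPROTO_UDP or pkt.payload["dport"] not in self.table:
            raise ValueError("no NAT mapping: packet dropped")
        priv_ip, priv_port = self.table[pkt.payload["dport"]]
        return IPPacket(pkt.src, priv_ip, IPPROTO_UDP, dict(pkt.payload, dport=priv_port))


def nat_traversal_demo() -> IPPacket:
    """Host 148.6.8.2 visits a NATed foreign net (private care-of 10.1.1.7 behind 134.2.5.7)."""
    ha = HomeAgent("148.6.8.1")
    nat = Nat("134.2.5.7")
    # The Registration Request leaves over UDP; the NAT rewrites its source address/port.
    req = nat.outbound(IPPacket("10.1.1.7", ha.addr, IPPROTO_UDP,
                                {"sport": MIP_UDP_PORT, "dport": MIP_UDP_PORT, "inner": "RegReq"}))
    ha.register("148.6.8.2", care_of="10.1.1.7", req_src=(req.src, req.payload["sport"]))
    # A correspondent sends to the home address; the HA tunnels it in UDP through the NAT.
    data = IPPacket("192.0.2.10", "148.6.8.2", 6, b"hello")
    return decapsulate(nat.inbound(ha.forward(data)))
```

The key line for the NAT case is in `register`: the home agent keys the tunnel on where the Registration Request actually came from, not on the care-of address the request claims, which is exactly the draft's "use the source IP address and source port" rule. The same approach also sidesteps the duplicate-private-address problem, because two nodes behind different NATs arrive from different public address/port pairs.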

  22. Advanced Issues in Internet Protocol (IP) • IPv4 • Network Address Translation (NAT) • IPV6 • IP Security (IPsec) • Mobile IP • IP Telephony

  23. IP Telephony • Until now the PSTN and the Internet have been two separate networks • Need for integration • Solution: Voice over IP (VoIP) • New devices: • IP telephones • Gatekeepers

  24. IP Telephony • [Figure: an IP phone and a PC phone on an IP network with a gatekeeper; a switch connects the IP network to a phone on the PSTN]

  25. IP Telephony vs Pure Telephony • Pure telephony: • End-to-end QoS • Fixed, low delay • Isolated from new IP services • IP telephony: • Variable QoS • Variable delay (and jitter) • Integrated with other services • Open problems still to be solved

  26. IP Telephony Features • Data transport: • RTP • Signalling: • IETF SIP protocol suite • ITU-T H.323 protocol suite • Quality of service: • RSVP

  27. IP Telephony Protocol Stack

  28. First Intermediate Report • NAT and Mobile IP: I. Stergiou • IPv6 and IPsec: A. Sgora • Deadline: 15/01/03

  29. First Intermediate Report • Structure • Overview of examined technology • Focus on open research points • Related to open points works - State of the art behind open points • Your own interests - Ideas • Conclusions • References

  30. First Intermediate Report • Report (soft and hard copy) • A related presentation (about twenty minutes).

  31. End of Second Lecture
