
Securing Access to Mobile Operator Core Networks using IKEv2

This Master's thesis explores the feasibility of implementing IKEv2-based Virtual Private Networks (VPNs) in an operator's network environment. The study includes a literature review of security protocols for IP networks, testing of different IKEv2 implementations, and an evaluation of feasibility in the operator's environment.


Presentation Transcript


  1. Securing Access to Mobile Operator Core Networks using IKEv2
     16.1.2006, Master’s Thesis
     Author: Pekka Nurmi
     Supervisor: Joerg Ott

  2. Agenda
     • Background
     • Methodology
     • Security Protocols for IP Networks
     • Operator’s Network Architectures
     • Testing IKEv2 Implementations
     • Feasibility in Operator’s Environment
     • Conclusions

  3. Background
     • The amount and the value of internet traffic grow
     • Networks are insecure, and the risks grow with them
     • IP based networks -> IP security (IPsec)
     • Enhanced version of IPsec defined by the IETF in December 2005
     • New key exchange protocol IKEv2
       • more efficient
       • more secure
     • First implementations during 2006
       • need for testing in a Mobile Operator’s environment
     ” Are IKEv2 based Virtual Private Networks (VPNs) feasible in an operator’s network environment? ”

  4. Methodology
     • The study is conducted in three parts
       1. Literature study
          • Security protocols for IP networks (IETF)
          • Operator’s network architectures (3GPP)
       2. Testing
          • 3 Cases = 3 different IKEv2 implementations
          • Measurements using network analyzer tools
       3. Feasibility evaluation
          • Operator solutions
          • Issues and improvements

  5. Security Protocols for IP networks 1/3
     IPsec
     • creates VPN tunnels and provides security for the insecure IP protocol
     • access control, connectionless integrity, data origin authentication, confidentiality, and anti-replay protection
     • Security protocols
       • Encapsulating Security Payload (ESP)
       • Authentication Header (AH)
     • Key management
       • Internet Key Exchange (IKEv2)

  6. Security Protocols for IP networks 2/3
     IKEv2
     • Key negotiation protocol for performing mutual authentication and setting up IPsec security associations
     • 4 message exchanges
       • IKE_SA_INIT and IKE_AUTH
       • CREATE_CHILD_SA
       • INFORMATIONAL
     MOBIKE
     • IKEv2 Mobility and Multihoming protocol
     • VPN client can move and change address without breaking the SA
     • New protocol; no implementations tested yet
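The four exchanges on this slide follow a fixed order and numbering that a monitor can check from the 28-byte IKEv2 fixed header alone: IKE_SA_INIT (Message ID 0) and IKE_AUTH (Message ID 1) come first, CREATE_CHILD_SA and INFORMATIONAL follow with Message IDs that increase per direction, and every response must answer exactly one outstanding request. The following Python is an added example written for this page, not code from the thesis or from any of the implementations it tested. It parses the fixed header (field layout and exchange-type numbers from RFC 7296; the numbers and layout are the same as in the RFC 4306 version the thesis refers to), tracks one SA through a constructed message trace, and rejects out-of-order or replayed messages; the SPIs and the trace itself are made up for the example.

```python
import struct
from typing import NamedTuple

# Fixed-header values from RFC 7296 section 3.1 (unchanged since RFC 4306).
IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, INFORMATIONAL = 34, 35, 36, 37
EXCHANGE_NAMES = {IKE_SA_INIT: "IKE_SA_INIT", IKE_AUTH: "IKE_AUTH",
                  CREATE_CHILD_SA: "CREATE_CHILD_SA", INFORMATIONAL: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20  # bits of the Flags octet
VERSION_2_0 = 0x20                          # major version 2, minor 0
# SPIi, SPIr, Next Payload, Version, Exchange Type, Flags, Message ID, Length
HEADER_FMT, HEADER_LEN = "!QQBBBBII", 28


class IkeHeader(NamedTuple):
    spi_i: int
    spi_r: int
    exchange: int
    flags: int
    msg_id: int


def parse_header(datagram: bytes) -> IkeHeader:
    """Parse the fixed header and reject anything that is not well-formed IKEv2."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the IKE header")
    spi_i, spi_r, _np, version, exchange, flags, msg_id, length = struct.unpack(
        HEADER_FMT, datagram[:HEADER_LEN])
    if version != VERSION_2_0:
        raise ValueError(f"not IKEv2: version octet 0x{version:02x}")
    if length != len(datagram):
        raise ValueError("Length field does not match datagram size")
    return IkeHeader(spi_i, spi_r, exchange, flags, msg_id)


def build_header(spi_i: int, spi_r: int, exchange: int, flags: int, msg_id: int) -> bytes:
    """Constructed header-only datagram (no payloads) for the sample trace below."""
    return struct.pack(HEADER_FMT, spi_i, spi_r, 0, VERSION_2_0, exchange, flags, msg_id, HEADER_LEN)


class IkeSaTracker:
    """Follows one IKE SA: IKE_SA_INIT (ID 0) then IKE_AUTH (ID 1) from the initiator,
    afterwards CREATE_CHILD_SA / INFORMATIONAL with per-direction increasing IDs, and
    every response matching one outstanding request of the same exchange type."""

    def __init__(self):
        self.state = "NEW"
        self.spi_i = self.spi_r = None
        self.next_id = {True: 0, False: 0}        # next request ID, keyed by "from initiator"
        self.pending = {True: None, False: None}  # (msg_id, exchange) awaiting a response

    def observe(self, hdr: IkeHeader) -> str:
        name = EXCHANGE_NAMES.get(hdr.exchange)
        if name is None:
            return f"reject: unknown exchange type {hdr.exchange}"
        if self.spi_i is not None and hdr.spi_i != self.spi_i:
            return "reject: Initiator SPI does not belong to this SA"
        if self.spi_r is not None and hdr.spi_r != self.spi_r:
            return "reject: Responder SPI does not belong to this SA"
        init = bool(hdr.flags & FLAG_INITIATOR)
        if hdr.flags & FLAG_RESPONSE:
            return self._response(hdr, name, not init)  # direction of the answered request
        return self._request(hdr, name, init)

    def _request(self, hdr: IkeHeader, name: str, d: bool) -> str:
        if self.pending[d] is not None and self.pending[d][0] == hdr.msg_id:
            return f"accept: {name} request retransmission (id {hdr.msg_id})"
        if hdr.msg_id != self.next_id[d]:
            return f"reject: {name} request id {hdr.msg_id}, expected {self.next_id[d]} (replay or injection)"
        if self.state == "NEW":
            if name != "IKE_SA_INIT" or not d or hdr.spi_r != 0:
                return f"reject: {name} before IKE_SA_INIT completed"
            self.spi_i = hdr.spi_i
        elif self.state == "INIT_DONE":
            if name != "IKE_AUTH" or not d:
                return f"reject: {name} before IKE_AUTH completed"
        elif name in ("IKE_SA_INIT", "IKE_AUTH"):
            return f"reject: {name} on an established SA"
        self.pending[d] = (hdr.msg_id, name)
        self.next_id[d] = hdr.msg_id + 1
        return f"accept: {name} request (id {hdr.msg_id})"

    def _response(self, hdr: IkeHeader, name: str, d: bool) -> str:
        if self.pending[d] != (hdr.msg_id, name):
            return f"reject: {name} response id {hdr.msg_id} matches no outstanding request"
        if name == "IKE_SA_INIT":
            if hdr.spi_r == 0:
                return "reject: IKE_SA_INIT response without a Responder SPI"
            self.spi_r, self.state = hdr.spi_r, "INIT_DONE"
        elif name == "IKE_AUTH":
            self.state = "ESTABLISHED"
        self.pending[d] = None
        return f"accept: {name} response (id {hdr.msg_id})"


def run_constructed_trace() -> list:
    """Constructed (not captured) sequence: handshake, a CREATE_CHILD_SA rekey, a
    responder-originated INFORMATIONAL, then a replayed IKE_AUTH and a stray IKE_SA_INIT."""
    spi_i, spi_r = 0x1122334455667788, 0x99AABBCCDDEEFF00  # made-up SPIs
    I, R, RSP = FLAG_INITIATOR, 0, FLAG_RESPONSE
    trace = [
        build_header(spi_i, 0, IKE_SA_INIT, I, 0),             # SPIr is zero in the first request
        build_header(spi_i, spi_r, IKE_SA_INIT, RSP, 0),
        build_header(spi_i, spi_r, IKE_AUTH, I, 1),
        build_header(spi_i, spi_r, IKE_AUTH, RSP, 1),
        build_header(spi_i, spi_r, CREATE_CHILD_SA, I, 2),
        build_header(spi_i, spi_r, CREATE_CHILD_SA, RSP, 2),
        build_header(spi_i, spi_r, INFORMATIONAL, R, 0),       # responder's own ID space starts at 0
        build_header(spi_i, spi_r, INFORMATIONAL, I | RSP, 0),
        build_header(spi_i, spi_r, IKE_AUTH, I, 1),            # replayed IKE_AUTH request
        build_header(spi_i, spi_r, IKE_SA_INIT, I, 3),         # IKE_SA_INIT after establishment
    ]
    tracker = IkeSaTracker()
    return [tracker.observe(parse_header(m)) for m in trace]
```

Calling `run_constructed_trace()` returns one verdict string per message; the first eight are accepted and the last two rejected. The tracker keeps a window of one outstanding request per direction, which is the minimum the RFC allows; a real monitor would also have to parse the encrypted payload to check what the INFORMATIONAL exchanges (for example a MOBIKE address update) actually carry.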

  7. Security Protocols for IP networks 3/3
     IKEv2 authentication in operator’s network
     • AAA protocol (RADIUS, Diameter)
     • EAP-SIM
       • SIM card based authentication
     • EAP-AKA
       • for 3G

  8. Operator’s Network Architectures 1/3
     • Access Networks
       • GERAN / UTRAN
       • WLAN
     • Core Network
       • CS & PS domains
       • AAA services
       • IMS services

  9. Operator’s Network Architectures 2/3
     • IMS services using IKEv2
     • Tunneled connection to the operator’s PDG

  10. Operator’s Network Architectures 3/3
     • Mobility management in IKEv2 (in 3GPP2)
       • MOBIKE for intra-Access-Network (AN) handoff
       • MIP for inter-AN handoff

  11. Testing IKEv2 Implementations 1/3
     • Case 1
       • IP based solution
       • laptop client (Linux)
     • Case 2
       • IP based solution
       • Mobile phone client (Symbian S60)
     • Case 3
       • 3G and IP based solution (TTG)
       • 2 clients
         • Laptop (Windows XP)
         • PDA (Windows Mobile 5.0)

  12. Testing IKEv2 Implementations 2/3
     • Test Case Architectures
       • Cases 1 & 2

  13. Testing IKEv2 Implementations 3/3
     • Case 3

  14. Testing IKEv2 Implementations 4/4
     Measurement results

  15. Feasibility in Operator’s Environment 1/4
     • Present Situation
       • Approx. 86 % of organizations (turnover >10M€) in Finland used VPN solutions already in 2005.
       • Nearly 70% of mobile workers used VPN by 2006 in the U.S.
       • IPsec is the most popular VPN technology
       • VPN business is centralized between a few big vendors

  16. Feasibility in Operator’s Environment 2/4
     • Solution 1
       • Hosted VPN access to an enterprise’s intranet
       • Same service for the 3G and IP (e.g. WLAN) access
       • SIM-card based authentication in both cases

  17. Feasibility in Operator’s Environment 3/4
     • Solution 2
       • Bundle several secure network access elements in one package
         • Laptop/mobile phone
         • 3G and WLAN
         • SIM-card
         • IKEv2/IMS VPN client
       • for enterprises and consumers

  18. Feasibility in Operator’s Environment 4/4
     • Issues and Improvements
       • Choices for Clients
       • Interoperability
       • Mobility management
       • Signalling traffic optimization

  19. Conclusions
     • Secure connections are needed
     • IKEv2 and IPsec specifications provide enhanced IP security
     • IKEv2 implementations appear to be promising technology
     • A few important issues to solve with every tested implementation
     • IMS services can be used safely through an IKEv2 tunnel
     • Large-scale scalability testing needed
     • The old security solutions are still valid, but for how long?

  20. The Nordic and Baltic telecommunications leader
