Establishing Host Identity Protocol Opportunistic Mode with TCP Option

Presentation transcript:

Establishing Host Identity Protocol Opportunistic Mode with TCP Option Janne Lindqvist Helsinki University of Technology (presented by Miika Komu) draft-lindqvist-hip-opportunistic-00.txt janne.lindqvist@tkk.fi

Motivation for the Approach Fallback mechanism to plain TCP if the peer does not support HIP. (TCP piggybacking) According to Medina et al., arbitrary TCP options are widely accepted in today's Internet.

Basic Idea Include the Host Identity Tag as a TCP option in a TCP SYN segment. If the peer supports HIP, the peer responds with R1. Thus, the TCP SYN carrying the Host Identity Tag is equivalent to an opportunistic I1.

HIP TCP Option Format 8-bit Kind field. Needs IESG approval to assign an experimental value (RFC 3692). Used to distinguish one option from another. 8-bit Length field. Denotes the length of the option data. (Length = 18.) 128 bits for the Host Identity Tag.
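Added example (not code from the draft or the presentation): an encoder and parser for the option format described above, walking a SYN's TCP options field and extracting the 128-bit HIT only when the option is well formed. The Kind value 253 is an assumption standing in for the experimental value the draft says must still be assigned; the sample HIT is constructed.

```python
import struct

# Assumption: the draft leaves the Kind unassigned (needs an IESG experimental
# value per RFC 3692); 253 is a placeholder chosen for this example only.
HIP_OPTION_KIND = 253
HIP_OPTION_LEN = 18   # 1 (Kind) + 1 (Length) + 16 (HIT), as the slide states
HIT_LEN = 16          # 128-bit Host Identity Tag


def build_hip_option(hit: bytes) -> bytes:
    """Encode the HIP TCP option as Kind | Length=18 | 128-bit HIT."""
    if len(hit) != HIT_LEN:
        raise ValueError("HIT must be 128 bits")
    return struct.pack("!BB", HIP_OPTION_KIND, HIP_OPTION_LEN) + hit


def iter_tcp_options(opts: bytes):
    """Walk a TCP options field, yielding (kind, data) per option.
    Stops at EOL (kind 0), skips NOP (kind 1), rejects truncated options."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List
            return
        if kind == 1:            # No-Operation padding
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option header")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        yield kind, opts[i + 2:i + length]
        i += length


def extract_hit(opts: bytes):
    """Return the HIT from a SYN's options, or None when there is no
    well-formed HIP option (the responder then treats the SYN as plain TCP)."""
    for kind, data in iter_tcp_options(opts):
        if kind == HIP_OPTION_KIND:
            return data if len(data) == HIT_LEN else None
    return None


# Constructed sample: MSS=1460 (kind 2, len 4), NOP, HIP option, EOL.
SAMPLE_HIT = bytes.fromhex("2001001000000000" "0123456789abcdef")  # constructed
SAMPLE_OPTS = (struct.pack("!BBH", 2, 4, 1460) + b"\x01"
               + build_hip_option(SAMPLE_HIT) + b"\x00")
```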

Packet Processing without piggybacking Initiator sends a TCP SYN with the HIP TCP Option. Responder replies with R1 and creates neither HIP nor TCP state. Responder thus ignores the TCP SYN. Initiator sends I2. Responder replies with R2. Initiator sends a normal TCP SYN to start the TCP handshake.

Packet Processing Motivation We could allow the Responder to send TCP SYN+ACK after the HIP base exchange, but this would mean introducing TCP state before the base exchange is completed. HIP was designed to avoid state creation before verification that the Initiator is sincere. The above approach would hinder that objective.

Next, we open a can of worms.

Piggybacking TCP onto the HIP base exchange One of the original motivators for the draft was the possibility of piggybacking the TCP handshake onto the HIP base exchange. However, the approach is currently NOT RECOMMENDED.

HIP Piggybacking Initiator: TCP SYN with the HIP TCP OPTION. Responder: R1 concatenated with TCP SYN+ACK. Initiator: I2 concatenated with TCP ACK. (TCP handshake done.) Responder: R2 and possibly concatenated TCP data.

HIP Piggybacking Problems: State creation? We do not want to create HIP or TCP state before verification of the puzzle solution in I2. A normal TCP would be vulnerable to TCP ACK flooding if it did not create state while sending TCP SYN+ACK (and it is vulnerable to TCP SYN flooding). However, the Responder can trust the Initiator to be sincere after the puzzle is verified, so could we create TCP state only after the TCP ACK? This should not introduce a new attack?

HIP Piggybacking Problems: Data encryption. The TCP ACK in the TCP handshake can contain data. This means that with the presented piggybacking, we would need to encrypt the TCP segment concatenated to I2. And we would most likely need to encrypt possible TCP segments concatenated to R2.

HIP Piggybacking Problems: Data encryption. Instead of concatenating a TCP segment to I2 and R2, we could have ESP(TCP). HIP control messages including ESP seem like overkill: SPI, Sequence Number, Payload Data, Padding, Pad Length, Next Header, Authentication Data. The approach was even removed from the HIP base protocol specification.

HIP Piggybacking Problems: Processing Alternatives Just a quick mention that the piggybacking possibility introduces interesting processing alternatives and implementation issues depending on the support status.

Security Considerations Vulnerable to man-in-the-middle attacks because the peer's HIT is not known before connection establishment. The fallback mechanism provides the possibility of using unencrypted TCP instead of HIP. Applications should notify users about the connection status.

What Next? Currently, it seems that we should rewrite the presented draft to motivate and cover only the non-piggybacking approach and remove the piggybacking material. Write a separate draft on piggybacking-related issues?