Preferred Alternatives for Tunnelling HIP (PATH)

Preferred Alternatives for Tunnelling HIP (PATH) <draft-nikander-hip-path-01.txt> P. Nikander, H. Tschofenig, X. Fu, T. Henderson

Idea
- Allow HIP to traverse LEGACY NA(P)Ts by reusing EXISTING mechanisms
- Goal: To allow HIP protocol exchanges between two HIP endpoints to traverse NATs
  - Mainly for standard ESP-mode encapsulation
- How:
  - Use UDP encapsulation for HIP signaling and data messages
  - Introduce a new (S-)UDP-REA parameter in HIP signaling messages
  - To support the case where DS/DR we use the RVS functionality (as well as HIP endpoints) to support this extension
  - Such extended RVS servers → also called "PATH" servers
  - HIP endpoints accessing this info → "PATH" clients

The UDP-REA parameter
- UDP-REA: UDP encapsulated REAddress
- Idea: used to detect the existence of NA(P)Ts
- Mainly consists of "lifetime + hashed value"
  - Hash = PRF(RANDOM | Source IP | Destination IP | Source Port | Destination Port)
- Used in:
  - R1-I2 signaling messages in HIP base exchanges
  - RVS/PATH registrations
  - relayed HIP base exchange through RVS/PATH server
  - UPDATE messages in RVS/PATH registration
  - HIP base UPDATE messages
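The NAT-detection check implied by the hash formula above, as an added example that is not code from the draft or its authors. It assumes HMAC-SHA-256 keyed with RANDOM as the PRF, a length-prefixed byte encoding of the tuple, and that the receiver knows RANDOM; the function names, field layout and sample addresses are hypothetical.

```python
import hashlib
import hmac
import ipaddress
import struct


def pack_tuple(src_ip, dst_ip, src_port, dst_port):
    """Canonical byte encoding of the address/port tuple (encoding is an assumption)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    # Length-prefix each address so IPv4 and IPv6 inputs cannot be confused.
    return (bytes([len(src.packed)]) + src.packed +
            bytes([len(dst.packed)]) + dst.packed +
            struct.pack("!HH", src_port, dst_port))


def udp_rea_hash(rand, src_ip, dst_ip, src_port, dst_port):
    """PRF(RANDOM | src IP | dst IP | src port | dst port); PRF = HMAC-SHA-256 (assumed)."""
    return hmac.new(rand, pack_tuple(src_ip, dst_ip, src_port, dst_port),
                    hashlib.sha256).digest()


def build_udp_rea(rand, lifetime, local_tuple):
    """Sender side: hash the tuple as the sender sees it, before any translation."""
    return {"lifetime": lifetime, "hash": udp_rea_hash(rand, *local_tuple)}


def nat_detected(rand, udp_rea, observed_tuple):
    """Receiver side: recompute over the tuple seen on the wire.

    A mismatch means an address or port was rewritten on the path.
    """
    expected = udp_rea_hash(rand, *observed_tuple)
    return not hmac.compare_digest(expected, udp_rea["hash"])


# Constructed sample values: documentation address ranges, made-up ports.
RANDOM = bytes.fromhex("00112233445566778899aabbccddeeff")
SENDER_VIEW = ("192.0.2.10", "203.0.113.5", 50500, 50500)
AFTER_NAPT = ("198.51.100.1", "203.0.113.5", 61234, 50500)

if __name__ == "__main__":
    param = build_udp_rea(RANDOM, 120, SENDER_VIEW)
    print("no NAT on path:", nat_detected(RANDOM, param, SENDER_VIEW))
    print("NAPT on path:  ", nat_detected(RANDOM, param, AFTER_NAPT))
```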

The S-UDP-REA Parameter
- S-UDP-REA: "Secure" UDP-REAddress
- Idea: Reuse other (external) mechanism to discover the NA(P)T address
  - External mechanism can be STUN, TURN, MIDCOM, or NSIS NATFW NSLP
  - Then an integrity-protected UDP-REA parameter can be included in the HIP I1-R2 signaling messages
- This also allows HIP traversal of certain firewalls

Next Steps?

Questions?