Tunnel Loops and Its Detection draft-ng-intarea-tunnel-loop-00.txt

Presentation transcript:

Tunnel Loops and Its Detection
draft-ng-intarea-tunnel-loop-00.txt
Chan-Wah Ng chanwah.ng@sg.panasonic.com
Mohana Jeyatharan mohana.jeyatharan@sg.panasonic.com
Benjamin Lim benjamin.limck@sg.panasonic.com
20081119 IETF-73 Minneapolis

Tunnel Loops
- Tunnel packet:
  - Encapsulated by Tunnel Entry Node
  - Decapsulated by Tunnel Exit Node
- A tunnel loop is formed when a tunnel packet is routed back to its tunnel entry node before reaching its tunnel exit node
- There can be multiple tunnel entry nodes in a tunnel loop
[Figure: a tunnel packet looping between a Tunnel Entry Node and a Tunnel Exit Node]

Problem of Tunnel Loops
- Each encapsulation increases packet size -> leads to fragmentation -> amplifies the problem
- Each encapsulation has a new hop count -> packet will be routed indefinitely
[Figure: a loop between Tunnel Entry Node 1 and Tunnel Entry Node 2]

Example of Tunnel Loop Formation
[Figure: animated diagram of HA, PDNGW, ePDG and MN across the INTERNET and 3GPP EPC, with the MN's HoA and CoA (Assigned / Nomadic) and the MSP shown at each step]
1. Binds MN.HoA to AR.Addr
2. Sets up MOBIKE mapping
3. Binds 3GPP.Addr to ePDG.Addr
4. Binds MN.HoA to 3GPP.Addr
Loop forms!

Current Protection
- RFC 2473 specifies the Tunnel Encapsulation Limit Option for IPv6 packets
  - Adds a maximum number of encapsulations to the Destination Options header of the outer packet
  - All Tunnel Entry Nodes must process this option
- RFC 1701 has a 3-bit Recursion Control field for IPv4 GRE based tunneling

Inadequacies
- Both mechanisms only limit the number of times a packet will traverse a loop
- Neither allows a tunnel entry node to differentiate between
  - the case where a tunnel loop has occurred
  - the case where the initial TEL/Recursion value is set too low

Add Identifier
- We propose: add an identifier to the tunnel packet header
  - Can be an additional field in the TEL option
  - Can be coded using multiple TEL options
  - Can be an additional field in the GRE header
  - Can be coded using the Key field in the GRE header
- The type of identifier is for further analysis

Tunnel Entry Node Processing (flowchart)
1. Receive a packet to be encapsulated
2. Is there an identifier in the received packet?
   - No: encapsulate the packet and add an identifier
   - Yes: does the identifier indicate a loop?
     - No: encapsulate the packet and copy the identifier
     - Yes: loop detected!!!
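As an added illustration (not code from the draft or its authors), the following Python simulation models the entry-node decision above together with the RFC 2473 TEL check; the identifier format "entry node:nonce", the node names and the TEL starting value are assumptions made here. It shows why the Inadequacies slide holds: with TEL alone a genuine loop and a too-low limit end the same way, while the identifier lets the originating entry node recognise a loop on the packet's return.

```python
from dataclasses import dataclass, field
from itertools import count

# Constructed model of the entry-node flowchart plus the RFC 2473 TEL check
# (added example, not code from the draft). A packet is a payload with a
# stack of encapsulation headers, innermost first. The identifier format
# "<entry node>:<nonce>" and the node names are assumptions made here.

@dataclass
class Header:
    entry_node: str
    tel: int        # remaining encapsulations allowed (RFC 2473 semantics)
    loop_id: str    # proposed identifier, copied on each re-encapsulation

@dataclass
class Packet:
    payload: str
    headers: list = field(default_factory=list)

class TelExceeded(Exception):
    """TEL exhausted: RFC 2473 drop; cause (loop or limit too low) unknown."""

class LoopDetected(Exception):
    """An identifier this node generated came back: a tunnel loop."""

_nonce = count(1)

def encapsulate(node, pkt, tel_initial, use_id):
    """Entry-node processing: run the checks, then push one outer header."""
    if pkt.headers:
        inner = pkt.headers[-1]
        if use_id and inner.loop_id.split(":")[0] == node:
            raise LoopDetected(f"{node} saw its own identifier {inner.loop_id}")
        if inner.tel == 0:
            raise TelExceeded(f"{node}: encapsulation limit exhausted")
        tel, loop_id = inner.tel - 1, inner.loop_id           # copy identifier
    else:
        tel, loop_id = tel_initial, f"{node}:{next(_nonce)}"  # add identifier
    pkt.headers.append(Header(node, tel, loop_id))
    return pkt

def run(path, tel_initial=3, use_id=True):
    """Send a fresh packet through the given entry nodes in order (repeat
    names to model a loop) and report how the packet ends up."""
    pkt = Packet("data")
    try:
        for node in path:
            encapsulate(node, pkt, tel_initial, use_id)
        return "forwarded", len(pkt.headers)
    except TelExceeded:
        return "tel-drop", len(pkt.headers)
    except LoopDetected:
        return "loop", len(pkt.headers)
```

With TEL alone, a legitimate five-node chain and an A-B loop both end as a TEL drop after four encapsulations; with the identifier enabled, node A catches the loop as soon as the packet comes back to it.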

Comments So Far
- Any practical situation where the problem is encountered?
  - Issue #17 in the ongoing work of RFC 3775-bis
  - 3GPP CT1 has agreed that this is a realistic problem in TS 24.303

Comments So Far
- Better to avoid the loop entirely
  - Using control plane signaling (if present)
    - However, with possibly malicious mobile nodes dynamically setting up tunnels, this is not possible
  - Address check mechanism: the HA checks the validity of the care-of address before accepting the BU
    - With Monami6, a malicious mobile can still set up the loop while passing any address check mechanism
  -> But it is not always possible

Comments So Far
- Rely on generic DoS defense
  - Most operators have defense mechanisms to drop packets when a DoS attack is launched
  - Problems:
    - Reactive: the network is already under attack before the defense is triggered
    - Does not know whether the DoS attack is due to a tunnel loop
    - Since DoS defenses generally drop packets from the domain where the attack is suspected to have originated, a tunnel loop can be used to cause packets from an innocent domain to be dropped
- Avoid a loop > Detect a loop > Defense against DoS

Discussion Points
- Is this specific to Mobility?
  - The problem is generic
  - But all practical scenarios identified so far are mobility related
- Should we solve it? If so, where?