© 2004 SafeNet, Inc. All rights reserved. Mobike Protocol Design draft-kivinen-mobike-design-00.txt Tero Kivinen

Introduction
Want to change the IP-addresses of the IKE and IPsec SAs without rekey
2 Basic scenarios
  o Roaming laptop
      Multiple network connections
      IP-addresses change
      Prefers some interfaces over some others
  o Multihoming SGW
      Multiple network connections
      Static IP-addresses
      Some links might be down

Protocol
Notifying the other end of IP-address list changes
Update the IKE SA endpoint address based on the notifications
Automatically switching to use new IP-address if old one does not work anymore
Updating the tunnel mode IPsec SA tunnel endpoint addresses
Return routability checks of new addresses if needed

Multihoming Support
Multihoming support consists of rules for how to use IP-address lists
When to move to new address?
How to verify whether the address works or if any address works?
When to do return routability checks?

Direct Indication of Address Change
Directly from the other end
Authenticated
List of addresses in most preferred order
Is there max size of that list?

Indirect Indication of Address Change
Indirect indication, i.e. the local end notices something that causes it to believe something along the path has changed
Not authenticated
All kind of things
  o Other end starts using different source IP-address
  o ICMP message is received
  o Routing information changes
  o No traffic from the other end for a while
Do not directly act on such indication

Dead-Peer-Detection
Verify that the other end is still alive
In MOBIKE context verify that the IP-address(es) still work(s)
Should have much longer timeouts, should try all possible IP-addresses before marking peer dead
Can be done simultaneously for each IP-address
  o Can cause troubles, as other end might only answer to one request

Return Routability Checks
Try to verify that the other peer can be reached using the IP-address given
Protection against flooding attacks against a third party
Can use a protocol similar to dead-peer-detection
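The three preceding slides (indirect indication, dead-peer-detection across every address, return routability) share one mechanism: a request/response probe to a specific address. The Python below is an added example, not code from the draft or the slides. It assumes a constructed peer model (a `Peer` that knows which of its addresses currently work and how many probes it answers per round) and a hypothetical cookie-echo probe standing in for an IKEv2 request/response pair; the addresses are constructed documentation-range values.

```python
"""
Added example (not from the draft or the slides): a simulated peer, a
DPD-style probe over an ordered address list, and a return-routability
check. The cookie-echo probe is a hypothetical stand-in for an IKEv2
request/response exchange; the Peer model is constructed for the demo.
"""
import os
from dataclasses import dataclass

# Constructed address list in preference order (documentation ranges).
CANDIDATE_ADDRESSES = ["192.0.2.1", "198.51.100.7", "2001:db8::7"]


@dataclass
class Peer:
    """Constructed peer model: which of its addresses currently work, and
    how many requests it answers per round (the slide notes it may be one)."""
    reachable: frozenset
    answers_per_round: int = 1
    answered: int = 0


def probe(peer, addr):
    """One probe: send a fresh random cookie to addr and accept the reply
    only if it echoes exactly that cookie (no reply, or wrong cookie, fails)."""
    cookie = os.urandom(8)
    if addr in peer.reachable and peer.answered < peer.answers_per_round:
        peer.answered += 1
        reply = cookie            # the simulated peer echoes what it received
    else:
        reply = None
    return reply == cookie


def sequential_dpd(peer, addresses):
    """Probe each address in preference order, each as its own round.
    The peer is declared dead (None) only after every address failed."""
    for addr in addresses:
        peer.answered = 0
        if probe(peer, addr):
            return addr
    return None


def parallel_dpd(peer, addresses):
    """Probe every address in one round. With a peer that answers only one
    request per round, working addresses after the first look dead."""
    peer.answered = 0
    return [addr for addr in addresses if probe(peer, addr)]


def return_routability(peer, addr):
    """Confirm the peer really answers at addr before sending traffic there,
    so an address we were told about cannot redirect our traffic at a third party."""
    peer.answered = 0
    return probe(peer, addr)


def handle_indirect_indication(peer, current, candidate):
    """Indirect hints (new source address seen, ICMP, route change, silence)
    are unauthenticated, so they only trigger verification, never a switch.
    Returns the address to keep using, or None if neither works."""
    if return_routability(peer, current):
        return current
    if return_routability(peer, candidate):
        return candidate
    return None


if __name__ == "__main__":
    peer = Peer(reachable=frozenset({"198.51.100.7", "2001:db8::7"}))
    print("sequential:", sequential_dpd(peer, CANDIDATE_ADDRESSES))
    print("parallel, one answer per round:", parallel_dpd(peer, CANDIDATE_ADDRESSES))
    print("parallel, unlimited answers:",
          parallel_dpd(Peer(reachable=peer.reachable, answers_per_round=3), CANDIDATE_ADDRESSES))
```

Running the script shows the slide's caveat directly: the sequential sweep finds the second address, while the parallel sweep against a peer that answers only one request reports only that one address as alive and the third (working) address as dead.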

Basic Address Update Format
Basic format of address update protocol
IKEv2 exchanges
  o Informational exchange?
  o Own MOBIKE exchange?
One or multiple payloads
Payload types
  o Notify payload?
  o Own MOBIKE payload?
Ordered list of addresses or preference number for each address

Exchange
Informational exchange
  o Already defined in the IKEv2
  o All implementations have code to generate and parse them
Own MOBIKE specific exchange
  o Not restricted to 2 packets
  o Might be able to combine RR with address update

Number of Payloads
One payload containing everything
  o More compressed format
  o More complicated format (needs extensions, list of both IPv4 and IPv6 addresses etc)
Multiple payloads
  o Easier to parse (can use IKEv2 code to parse the list)
  o Easier to add extension data
  o Some implementations might have a limit on the max number of payloads (limits the number of IP-addresses)

Payloads
Notify payloads
  o Already defined in the IKEv2
  o All implementations should already have code to generate and parse them
  o Some extra overhead
MOBIKE specific payload
  o Can use more compressed format
  o If using one big payload, then having a separate payload for the complex format is better
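To make the trade-off on the last three slides (one payload vs. many, Notify vs. a MOBIKE-specific payload) concrete, here is an added Python example that is not the draft's wire format and not code from the slides. The 4-byte IKEv2 generic payload header (next payload, critical bit, length) and the Notify payload header (protocol ID, SPI size, notify type) are real IKEv2 structures; the notify type value is a PLACEHOLDER taken from the private-use range, and the single "packed" payload is a hypothetical compressed format invented for the comparison. The parser enforces the per-packet payload cap the slides warn about and rejects truncated lengths.

```python
"""
Added example (not the draft's format): carry an ordered address list
either as one IKEv2 Notify payload per address (so existing generic
payload-chain code can walk it) or as one packed MOBIKE-style payload.
"""
import ipaddress
import struct

NOTIFY_PAYLOAD = 41          # IKEv2 payload type for Notify (N)
NO_NEXT_PAYLOAD = 0
ADDR_NOTIFY_TYPE = 40960     # PLACEHOLDER: private-use status type, not a registered MOBIKE value


def _addr_bytes(text):
    return ipaddress.ip_address(text).packed      # 4 bytes for IPv4, 16 for IPv6


def encode_as_notifies(addresses):
    """One Notify payload per address; the payload order carries the preference."""
    out = bytearray()
    for i, text in enumerate(addresses):
        data = _addr_bytes(text)
        nxt = NOTIFY_PAYLOAD if i + 1 < len(addresses) else NO_NEXT_PAYLOAD
        # Notify header: protocol ID 0, SPI size 0, notify type; then the address.
        body = struct.pack("!BBH", 0, 0, ADDR_NOTIFY_TYPE) + data
        # Generic header: next payload, critical/reserved, total length incl. header.
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    return bytes(out)


def decode_notifies(buf, max_payloads=16):
    """Walk the generic payload chain. Enforces a payload cap (the slide's
    concern) and rejects undersized or truncated payload lengths."""
    addrs, off, count = [], 0, 0
    while off < len(buf):
        count += 1
        if count > max_payloads:
            raise ValueError("too many payloads")
        nxt, flags, length = struct.unpack_from("!BBH", buf, off)
        if length < 8 or off + length > len(buf):
            raise ValueError("bad payload length")
        _proto, spi_size, ntype = struct.unpack_from("!BBH", buf, off + 4)
        data = buf[off + 8 + spi_size: off + length]
        if ntype == ADDR_NOTIFY_TYPE and len(data) in (4, 16):
            addrs.append(str(ipaddress.ip_address(data)))
        elif flags & 0x80:
            raise ValueError("unsupported critical payload")   # unknown + critical bit set
        off += length
        if nxt == NO_NEXT_PAYLOAD:
            break
    return addrs


def encode_packed(addresses):
    """Single compressed payload (PLACEHOLDER format): a count, then per
    address a 1-byte family marker followed by the raw address bytes."""
    body = struct.pack("!B", len(addresses))
    for text in addresses:
        data = _addr_bytes(text)
        body += struct.pack("!B", 4 if len(data) == 4 else 6) + data
    return body


def decode_packed(buf):
    (n,) = struct.unpack_from("!B", buf, 0)
    addrs, off = [], 1
    for _ in range(n):
        family = buf[off]
        size = 4 if family == 4 else 16
        off += 1
        if off + size > len(buf):
            raise ValueError("truncated packed list")
        addrs.append(str(ipaddress.ip_address(buf[off:off + size])))
        off += size
    return addrs


if __name__ == "__main__":
    sample = ["192.0.2.1", "198.51.100.7", "2001:db8::7"]   # constructed list
    print("notify chain bytes:", len(encode_as_notifies(sample)))
    print("packed bytes:      ", len(encode_packed(sample)))
    print(decode_notifies(encode_as_notifies(sample)))
```

For the constructed three-address list the Notify chain costs 48 bytes against 28 for the packed form, which is the "some extra overhead" bullet in numbers; the price of the packed form is a second parser that existing IKEv2 code does not already contain.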

Full List or Incremental Updates
When sending IP-address update notifications
Full list of IP-addresses
  o Easier to handle, as all IP-addresses arrive at the same time
  o No synchronization problems
  o Restricts the number of IP-addresses because of the packet size restrictions
Incremental changes
  o Strict ordering restrictions (must be processed in order)
  o More complicated
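The synchronization point on this slide is easiest to see with two messages that arrive in the wrong order. The Python below is an added example, not code from the draft or the slides; the message tuples (sequence number plus either a full list or an add/delete operation) and the scenario (an address is added and then withdrawn, but the withdrawal arrives first) are constructed for the illustration.

```python
"""
Added example (not from the draft or the slides): full-list replacement
versus incremental add/delete updates when messages are reordered.
Message shapes are constructed: (seq, [addresses]) for full lists and
(seq, "add"|"del", address) for incremental changes.
"""

INITIAL = ["192.0.2.1"]                      # constructed starting list

# Constructed scenario: the sender added 198.51.100.7 (seq 0) and then
# withdrew it again (seq 1), but the two messages arrive swapped.
FULL_LIST_MESSAGES = [(1, ["192.0.2.1"]), (0, ["192.0.2.1", "198.51.100.7"])]
INCREMENTAL_MESSAGES = [(1, "del", "198.51.100.7"), (0, "add", "198.51.100.7")]


def apply_full_lists(messages, initial=INITIAL):
    """Full-list updates replace the whole list, so only the newest
    sequence number matters; stale messages are simply dropped."""
    newest_seq, current = -1, list(initial)
    for seq, addrs in messages:
        if seq > newest_seq:
            newest_seq, current = seq, list(addrs)
    return current


def _apply_op(current, op, addr):
    if op == "add" and addr not in current:
        current.append(addr)
    elif op == "del" and addr in current:
        current.remove(addr)


def apply_incremental_naive(messages, initial=INITIAL):
    """Incremental updates applied in arrival order, ignoring sequence
    numbers: the swapped pair leaves a withdrawn address in the list."""
    current = list(initial)
    for _seq, op, addr in messages:
        _apply_op(current, op, addr)
    return current


def apply_incremental_ordered(messages, initial=INITIAL, first_seq=0):
    """Incremental updates with the strict ordering the slide calls for:
    out-of-order messages are buffered and applied only in sequence, so a
    gap holds back everything after it until the missing message arrives."""
    current, expected, pending = list(initial), first_seq, {}
    for seq, op, addr in messages:
        pending[seq] = (op, addr)
        while expected in pending:
            _apply_op(current, *pending.pop(expected))
            expected += 1
    return current


if __name__ == "__main__":
    print("full list:          ", apply_full_lists(FULL_LIST_MESSAGES))
    print("incremental, naive:  ", apply_incremental_naive(INCREMENTAL_MESSAGES))
    print("incremental, ordered:", apply_incremental_ordered(INCREMENTAL_MESSAGES))
```

The naive incremental receiver ends with the withdrawn address still present; the full-list receiver and the sequence-buffering incremental receiver both end with the correct single address, and the buffering is exactly the extra state and complexity the slide charges against the incremental design.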

Scope of SA Changes
How to update the IPsec SA IP-address when the IKE SA IP-address changes
Automatic
  o Fast, easy, simple
  o Everything moves, no way to move only some SAs
Manual
  o Needs separate protocol, payloads etc
  o Allows moving only parts of the traffic to new IP-addresses
  o Needs per IPsec SA IP-address list

Zero Address Set
Sending zero IP-addresses, meaning that the other end is going to be disconnected from the net
Is this needed?
What happens to the TCP/IP connections while the other end is disconnected
Local policy can disallow this
Helps Monday morning problems as users can keep the SAs up over the weekends :-)

Return Routability Checks
When to do them
Every time we change address?
  o Extra overhead
Only when we start to use a new address not used before?
  o Needs to keep track of used addresses
Never?
  o Not protecting third parties against flooding attacks
  o If other end has fixed authenticated list of IP-addresses, we can leave checks out

Summary
Lots of questions
We need to decide on some of those issues before we can really describe the protocol
Different scenarios and usage types affect some of the choices