1/32 Internet Architecture
Lukas Banach
Tutors: Holger Karl, Christian Dannewitz
Monday 26.09.2005
Sections: C. Today, I³, SI³, HIP, HI³


2/32 Overview
- Communication today
- Problems
- I³: new services
- SI³: denial of service protection
- HIP: cryptographic security
- HI³

3/32 Communication Today
- Via IP
- Source and destination know one another
- Identifier = Locator

4/32 Problems
- Mobility
- Multicast, anycast etc.
- Protection against denial of service attacks
- End-to-end security / authentication

5/32 Mobility
- Change of the address space
- Broken "connection"
- (Figure: host moves from Paderborn 1 to Paderborn 2)

6/32 Denial of Service Attack
- Flooding the host with useless traffic
- Faulty connection
- Loss of services

7/32 Internet Indirection Infrastructure
- Enables new services: mobility, multicast, anycast, ...
- New overlay network
- Decouples sending from receiving

8/32 I³ - How It Works
- Receivers express interest in packets by inserting a trigger (id, R)
- Sources send packets (id, data) to the trigger
- I³ servers store triggers and forward packets as (R, data)
- (Figure: sender S, I³ server holding (id, R), receiver R)

9/32 Identifiers
- Identifiers are m bits long
- Each identifier is mapped to a unique I³ server
- First k bits select the server
- Efficient trigger matching
- (Figure: sender S; triggers (v,R1), (x|y,R2), (x|z,R3) for receivers R1, R2, R3; a packet (x|q,data) is delivered to R2 OR R3)

10/32 Mobility
- Receiver moves from one location to another
- Receiver updates its existing triggers
- Simultaneous movement of sender and receiver possible
- Identifier ≠ Locator
- (Figure: sender S sends (id,data); trigger (id,R) is replaced by (id,R'); the packet is forwarded as (R,data) before and (R',data) after the move)

11/32 Public / Private Triggers
- Distinction only at application layer
- First contact through public trigger
- Private triggers are used for data communication
- (Figure: server S holds public trigger (id,S); client C inserts (id_PC,C) and sends (id, id_PC); server inserts (id_PS,S) and answers (id_PC, id_PS))
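Slides 8 to 11 describe one mechanism in pieces: trigger insertion and forwarding, identifier matching on the first k bits plus longest prefix, trigger updates for mobility, and the public/private trigger handshake. The following Python model ties them together. It is an added example, not code from the presentation or from the i3 project; M, K, all identifiers and the receiver addresses are constructed toy values (the real i3 uses 256-bit identifiers), and the tie-breaking rule of delivering to every trigger with the longest matching id is a simplification.

```python
"""Toy model of the Internet Indirection Infrastructure (i3).

Added example, not code from the presentation or from the i3 project.
Receivers insert triggers (id, target); senders send (id, data); the i3
server owning the identifier matches the packet against its triggers and
forwards it. Identifiers are m bits: the first k bits select the server and
must match exactly, the remaining bits are matched by longest common prefix.
Identical trigger ids give multicast, a close-but-inexact id gives anycast,
and replacing a trigger's target gives mobility. M, K and all identifiers
and addresses below are constructed toy values.
"""
from collections import defaultdict

M = 16   # identifier width in bits (constructed toy value)
K = 4    # leading bits that select the responsible i3 server


class I3:
    def __init__(self, m=M, k=K):
        self.m, self.k = m, k
        self.servers = defaultdict(list)   # server prefix -> [(id, target), ...]
        self.delivered = []                # (receiver, data) pairs in delivery order

    def _server_prefix(self, ident):
        return ident >> (self.m - self.k)

    def _common_prefix_len(self, a, b):
        return self.m - (a ^ b).bit_length()   # number of equal leading bits

    def insert_trigger(self, ident, target):
        """Receiver expresses interest: (ident, target) is stored at the owning server."""
        self.servers[self._server_prefix(ident)].append((ident, target))

    def remove_trigger(self, ident, target):
        self.servers[self._server_prefix(ident)].remove((ident, target))

    def update_trigger(self, ident, old_target, new_target):
        """Mobility: the receiver re-points its trigger after changing address."""
        self.remove_trigger(ident, old_target)
        self.insert_trigger(ident, new_target)

    def send(self, ident, data, ttl=8):
        """Forward (ident, data) to all triggers with the longest matching id.

        Returns the number of receivers reached. A trigger whose target is
        itself an identifier is followed (trigger chaining); the hop limit
        keeps a mis-configured cycle from looping forever.
        """
        if ttl == 0:
            return 0
        triggers = self.servers[self._server_prefix(ident)]   # exact match on first k bits
        if not triggers:
            return 0                                          # nobody interested: dropped
        best = max(self._common_prefix_len(ident, tid) for tid, _ in triggers)
        reached = 0
        for tid, target in triggers:
            if self._common_prefix_len(ident, tid) != best:
                continue
            if isinstance(target, int):
                reached += self.send(target, data, ttl - 1)
            else:
                self.delivered.append((target, data))
                reached += 1
        return reached


def demo_multicast_and_anycast():
    """Slide 9: same id -> multicast; x|q closest to x|z -> anycast to R3."""
    i3 = I3()
    x = 0b1010 << (M - K)               # 4-bit server prefix "x" in place
    i3.insert_trigger(x | 0x0FF, "R1")  # (x|y, R1)
    i3.insert_trigger(x | 0x0FF, "R2")  # identical id: R1 and R2 form a group
    i3.insert_trigger(x | 0xA00, "R3")  # (x|z, R3)
    n_multicast = i3.send(x | 0x0FF, "hello")   # exact id: both R1 and R2
    n_anycast = i3.send(x | 0xA0F, "hi")        # x|q: longest prefix is x|z
    return n_multicast, n_anycast, i3.delivered


def demo_mobility():
    """Slide 10: the sender keeps using id; only the trigger target changes."""
    i3 = I3()
    ident = 0x3ABC
    i3.insert_trigger(ident, "R@paderborn1")
    i3.send(ident, "pkt1")
    i3.update_trigger(ident, "R@paderborn1", "R@paderborn2")   # receiver moved
    i3.send(ident, "pkt2")
    return i3.delivered


def demo_private_triggers():
    """Slide 11: first contact via the public trigger, data via private triggers."""
    i3 = I3()
    id_pub, id_pc, id_ps = 0x5000, 0x7C0C, 0x7505    # constructed identifiers
    i3.insert_trigger(id_pub, "S")              # server's well-known public trigger
    i3.insert_trigger(id_pc, "C")               # client's private trigger
    i3.send(id_pub, ("hello", id_pc))           # (id, id_PC): client reveals id_PC only
    _, (_, learned_pc) = i3.delivered[-1]       # server reads id_PC from the packet
    i3.insert_trigger(id_ps, "S")               # server's private trigger for this client
    i3.send(learned_pc, ("welcome", id_ps))     # (id_PC, id_PS)
    i3.send(id_ps, "data")                      # data flows over private triggers only
    i3.remove_trigger(id_pub, "S")              # public trigger is not needed for this flow
    i3.send(id_ps, "more data")
    return i3.delivered
```

Note how the private-trigger flow keeps working after the public trigger is removed: that is exactly the property the SI³ "stop the attack" control relies on later in the talk.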

12/32 Problems
- Mobility
- Multicast, anycast etc.
- Protection against denial of service attacks
- End-to-end security / authentication

13/32 Secure I³
- Extended I³
- Protection against DoS attacks
- Communication without revealing IP addresses
- Empowering end-hosts with more control

14/32 Control Against DoS Attacks
- Stop the attack
- Dilute the attack
- Slow down the attack
- Evade the attack
- Multicast access control

15/32 Stop the Attack
- Remove the public trigger
- Prevents new clients from connecting
- Preserves existing connections (private triggers)
- (Figure: server S with triggers (x,R), (y,R), (z,R); clients C1, C2, C3 and attacker A)

16/32 Dilute the Attack
- Provide multiple public triggers
- Drop a fraction of the total traffic
- Still some triggers to connect through
- Learn which public triggers are alive
- Change the subset of active public triggers
- (Figure: victim V with triggers (id1,V), (id2,V), (id3,V), (id4,V); attacker A)

17/32 Slow Down the Attack
- Use a powerful third-party server
- Cryptographic puzzle
- Each message with a unique puzzle
- (Figure: client C, DoS filter A with trigger (id_a,A), server S; steps 1 (id_C,C), 2 (id_S,S), 3)
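The "slow down" control is a client-puzzle scheme: the third-party filter issues a fresh puzzle per message, the client burns CPU solving it, and the filter verifies the answer with a single hash before forwarding. The Python below, an added example rather than code from the presentation or any SI³ implementation, shows both sides plus the two checks a filter must not skip (single-use nonces and expiry). The difficulty, nonce length and the sample message are constructed values.

```python
"""Per-message client puzzles for a DoS-filter server (added example).

Not code from the presentation or from any SI3 implementation. A third-party
filter hands each message a unique puzzle (nonce, difficulty); the client
searches for a counter whose hash has `difficulty` leading zero bits; the
filter verifies with one hash and forwards. Solving costs about 2**difficulty
hashes, verifying costs one, which is the asymmetry that slows a flood.
"""
import hashlib
import secrets
import time

DIFFICULTY = 12   # leading zero bits required; ~2**12 hashes per solution (constructed)


def _puzzle_hash(nonce: bytes, message: bytes, solution: int) -> bytes:
    return hashlib.sha256(nonce + message + solution.to_bytes(8, "big")).digest()


def _leading_zero_bits(digest: bytes) -> int:
    return 8 * len(digest) - int.from_bytes(digest, "big").bit_length()


def solve_puzzle(nonce: bytes, difficulty: int, message: bytes) -> int:
    """Client side: brute-force a counter until the hash has enough leading zeros."""
    solution = 0
    while _leading_zero_bits(_puzzle_hash(nonce, message, solution)) < difficulty:
        solution += 1
    return solution


class DoSFilter:
    """Third-party filter sitting in front of the protected server."""

    def __init__(self, difficulty=DIFFICULTY, ttl_seconds=30.0):
        self.difficulty = difficulty
        self.ttl = ttl_seconds
        self.outstanding = {}     # nonce -> expiry timestamp, one entry per issued puzzle
        self.forwarded = []       # messages that passed the check

    def issue_puzzle(self, now=None):
        """Hand out a fresh random nonce per message so solutions cannot be reused."""
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(16)
        self.outstanding[nonce] = now + self.ttl
        return nonce, self.difficulty

    def verify_and_forward(self, nonce, message, solution, now=None):
        """One hash to verify; unknown, expired or already-used nonces are rejected."""
        now = time.time() if now is None else now
        expiry = self.outstanding.pop(nonce, None)   # consume: each puzzle is single-use
        if expiry is None or now > expiry:
            return False
        if _leading_zero_bits(_puzzle_hash(nonce, message, solution)) < self.difficulty:
            return False
        self.forwarded.append(message)
        return True


def demo():
    flt = DoSFilter(difficulty=10)
    msg = b"(id_S, S) connection request"    # constructed sample message
    nonce, difficulty = flt.issue_puzzle(now=0.0)
    solution = solve_puzzle(nonce, difficulty, msg)
    first = flt.verify_and_forward(nonce, msg, solution, now=1.0)    # accepted
    replay = flt.verify_and_forward(nonce, msg, solution, now=2.0)   # reused nonce: rejected
    nonce2, _ = flt.issue_puzzle(now=0.0)
    late = flt.verify_and_forward(nonce2, msg, solve_puzzle(nonce2, difficulty, msg), now=100.0)
    return first, replay, late, len(flt.forwarded)   # (True, False, False, 1)
```

The per-nonce state is what makes "each message with a unique puzzle" enforceable; a filter that accepted any well-formed solution without consuming the nonce would let one solved puzzle be replayed for a whole flood.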

18/32 Secure I³ - Summary
Advantages:
- Prevents IP level flooding
- Inability to attack private communication
- Alleviates flooding via triggers at the I³ level
Costs:
- Overlay server - amount of network traffic

19/32 Problems
- Mobility
- Multicast, anycast etc.
- Protection against denial of service attacks
- End-to-end security / authentication

20/32 Host Identity Protocol
- New namespace
- New protocol layer between the internetworking and transport layers
- Public-key cryptography

21/32 Host Identity Protocol
- Host Identifier: independent of the IP address; a public key
- Host Identity Tag (HIT): 128-bit representation of the Host Identity
- Locator: IP address
- Binding transport associations to Host Identities

22/32 End-to-End Connection
Using IPsec:
- Internet key exchange (Diffie-Hellman)
- Security association
- Security parameter index - connection identifier

23/32 Mobility
- First scenario - not connected: the mobile node is found through a rendezvous mechanism
- Second scenario - connected: an address change doesn't break the TCP connection
- Third scenario: both hosts move at the same time
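Slides 20 to 23 introduce three names (HI, HIT, locator) and then two mobility scenarios built on keeping them apart. The Python below, an added example and not code from the presentation or any HIP implementation, derives a HIT from a HI, checks that a presented key really backs a claimed HIT, resolves a not-yet-connected peer through a rendezvous table, and shows a transport association keyed by HITs surviving a locator change. The HI byte strings and addresses are constructed, and the HIT encoding only mimics the ORCHID layout (28-bit 2001:10::/28 prefix plus 100 hash bits); it is not a conformant RFC 4843 / RFC 5201 encoding.

```python
"""Host Identity namespace: HI, HIT and locator (added example).

Not code from the presentation or from any HIP implementation. The Host
Identifier (HI) is a public key, the Host Identity Tag (HIT) is a 128-bit
hash of it, and the locator (IP address) is looked up and updated separately,
so an association keyed by HITs survives an address change. HI strings and
addresses are constructed; the HIT encoding is a simplified ORCHID-like
layout, not the RFC 4843 / RFC 5201 algorithm.
"""
import hashlib
import ipaddress

ORCHID_PREFIX = 0x2001001 << 100    # top 28 bits of 2001:10::/28, shifted into place


def hit_from_hi(hi: bytes) -> ipaddress.IPv6Address:
    """Derive a 128-bit HIT from the HI (simplified, see module docstring)."""
    digest = int.from_bytes(hashlib.sha1(hi).digest(), "big")
    hash_bits = (digest >> 30) & ((1 << 100) - 1)   # middle 100 of the 160 digest bits
    return ipaddress.IPv6Address(ORCHID_PREFIX | hash_bits)


def hit_matches_hi(claimed_hit, hi: bytes) -> bool:
    """HITs are self-certifying: a peer presenting HI must hash to the HIT it claims."""
    return ipaddress.IPv6Address(claimed_hit) == hit_from_hi(hi)


class RendezvousServer:
    """Maps HIT -> current locator for peers that are not yet connected (scenario 1)."""

    def __init__(self):
        self.locators = {}

    def register(self, hit, locator):
        self.locators[hit] = locator

    def lookup(self, hit):
        return self.locators.get(hit)


class HipHost:
    def __init__(self, hi: bytes, locator: str):
        self.hi = hi
        self.hit = hit_from_hi(hi)
        self.locator = locator
        self.associations = {}   # peer HIT -> {"peer_locator": ..., "segments": n}

    def connect(self, peer_hit, peer_hi, rvs):
        """Check the peer's key against its HIT, then resolve its locator via rendezvous."""
        if not hit_matches_hi(peer_hit, peer_hi):
            return None                          # key does not back the claimed HIT
        locator = rvs.lookup(peer_hit)
        if locator is None:
            return None
        self.associations[peer_hit] = {"peer_locator": locator, "segments": 0}
        return locator

    def peer_moved(self, peer_hit, new_locator):
        """Scenario 2: only the locator changes; state keyed by HIT is untouched."""
        self.associations[peer_hit]["peer_locator"] = new_locator

    def send(self, peer_hit, data):
        assoc = self.associations[peer_hit]
        assoc["segments"] += 1
        # wire view: (src locator, dst locator, src HIT, dst HIT, payload)
        return (self.locator, assoc["peer_locator"], str(self.hit), str(peer_hit), data)


def demo():
    hi_a = b"constructed-public-key-of-host-A"
    hi_b = b"constructed-public-key-of-host-B"
    rvs = RendezvousServer()
    a = HipHost(hi_a, "192.0.2.10")
    b = HipHost(hi_b, "198.51.100.20")
    rvs.register(b.hit, b.locator)
    assert a.connect(b.hit, hi_a, rvs) is None   # wrong key for B's HIT: refused
    a.connect(b.hit, hi_b, rvs)
    first = a.send(b.hit, "segment 1")
    b.locator = "203.0.113.30"                   # B attaches to another network
    a.peer_moved(b.hit, b.locator)
    second = a.send(b.hit, "segment 2")
    return first, second, a.associations[b.hit]["segments"]
```

The two sent tuples carry different destination locators but the same HIT pair, which is the "Identifier ≠ Locator" point of the talk stated in data rather than words; real HIP additionally signs the locator update so a peer cannot be redirected by an unauthenticated address change.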

24/32 Problems
- Mobility
- Multicast, anycast etc.
- Protection against denial of service attacks
- End-to-end security / authentication

25/32 Weaknesses
SI³:
- Traffic flows through an overlay server
- No encryption
HIP:
- Rendezvous server is needed
- Unable to deal with DoS attacks
- Lacks support for multicast / anycast

26/32 Host Identity Indirection Infrastructure (HI³)
- Combination of (S)I³ and HIP
- More efficient than SI³
- More secure than SI³
- Better DoS protection than HIP
- Rendezvous service

27/32 HI³ Architecture
- Using HITs as SI³ triggers
- I³ server is similar to a rendezvous server
- Basic idea: separation of data and control traffic
- Use SI³ to route HIP control packets
- Data packets via HIP: IPsec-protected end-to-end traffic

28/32 HI³ Architecture
- (Figure: client C and server S; public/private trigger insertion (id_PUB,R), (id_PRI,R); the HIP I1 packet travels over SI³, the private trigger follows, and data is IPsec-protected HIP traffic)

29/32 Separating Data And Control
Control traffic:
- Via SI³
- DoS protection
- Mobility

30/32 Separating Data And Control
Data traffic:
- IPsec / SPI used to implement DoS protection
- Middle box forwards traffic based on (destination address, SPI)
- HIP mobility
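The data-path half of HI³ reduces to a middlebox lookup on (destination address, SPI): only pairs set up through the HIP control path (which SI³ protects) are forwarded, so unsolicited data never reaches the host. The Python below is an added example, not code from the presentation or any HI³ implementation; it registers an SA, filters a few constructed packets, and re-keys the entry after a HIP locator update so the flow survives a move. Addresses, SPIs and packets are constructed sample values.

```python
"""Middlebox that forwards HI3 data traffic by (destination address, SPI).

Added example, not code from the presentation or any HI3 implementation.
Data packets are IPsec ESP; the middlebox forwards a packet only if its
(destination address, SPI) pair was registered through the HIP/SI3 control
path and drops everything else before it reaches the host. A locator update
from the control path moves the entry so mobility keeps working.
"""
from collections import Counter


class EspMiddlebox:
    def __init__(self):
        self.allowed = {}        # (dst_addr, spi) -> (initiator HIT, responder HIT)
        self.stats = Counter()
        self.log = []            # (decision, src, dst, spi) per packet, for auditing

    def register_sa(self, dst_addr, spi, hit_pair):
        """Control path: the protected host's HIP exchange created this SA."""
        self.allowed[(dst_addr, spi)] = hit_pair

    def locator_update(self, old_addr, new_addr, spi):
        """Control path: the host moved; carry the SA over to its new address."""
        hit_pair = self.allowed.pop((old_addr, spi), None)
        if hit_pair is None:
            return False
        self.allowed[(new_addr, spi)] = hit_pair
        return True

    def process(self, packet):
        """Data path: forward only if (dst, spi) is known; no per-packet crypto here."""
        key = (packet["dst"], packet["spi"])
        decision = "forward" if key in self.allowed else "drop"
        self.stats[decision] += 1
        self.log.append((decision, packet["src"], packet["dst"], packet["spi"]))
        return decision == "forward"


def demo():
    mb = EspMiddlebox()
    mb.register_sa("198.51.100.20", 0x1001, ("HIT_C", "HIT_S"))   # set up via HIP over SI3
    decisions = []
    # constructed sample traffic
    decisions.append(mb.process({"src": "192.0.2.10", "dst": "198.51.100.20", "spi": 0x1001}))   # legit
    decisions.append(mb.process({"src": "203.0.113.66", "dst": "198.51.100.20", "spi": 0x0BAD}))  # flood, unknown SPI
    decisions.append(mb.process({"src": "203.0.113.66", "dst": "192.0.2.10", "spi": 0x1001}))     # flood, other host
    # the server moves; HIP control traffic updates the middlebox, then data resumes
    mb.locator_update("198.51.100.20", "203.0.113.30", 0x1001)
    decisions.append(mb.process({"src": "192.0.2.10", "dst": "203.0.113.30", "spi": 0x1001}))    # forwarded
    decisions.append(mb.process({"src": "192.0.2.10", "dst": "198.51.100.20", "spi": 0x1001}))   # stale address: dropped
    return decisions, dict(mb.stats)   # ([True, False, False, True, False], {"forward": 2, "drop": 3})
```

The middlebox never inspects ESP payloads or keys, which is why it is cheap: it only needs the (address, SPI) pairs the control path tells it about. The end host's own ESP integrity check remains the authoritative line behind it, since an SPI is a plain header field rather than a secret.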

31/32 Problems
- Mobility
- Multicast, anycast etc.
- Protection against denial of service attacks
- End-to-end security / authentication

32/32 The End
Questions?