
PaC with unspecified IP address

Requirements

Assigning an IP address to the client is outside the scope of PANA. PANA protocol design MAY require the PaC to configure an IP address before using this protocol. Allocating IP addresses to unauthenticated PaCs may create security vulnerabilities, such as IP address depletion attacks on the access network [SECTHREAT]. IPv4 networks with limited address space are the main targets of such attacks. Launching a successful attack that can deplete the addresses in an IPv6 network is relatively harder. This threat can be mitigated by allowing the protocol to run without an IP address configured on the PaC (i.e., using unspecified source address). Such a design choice might limit the re-use of existing security mechanisms, and impose additional implementation complexity. This trade-off should be taken into consideration in designing PANA.

Current state
PANA design to allow use of unspecified IP address
– PaC by default will attempt IP configuration
– Deployment decision whether network allows an IP address configuration prior to PANA

Why allow unspecified PaC address?
Security - attacks by unauthenticated clients
– Address depletion attack (DHCPv4)
– DAD-attack
  DHCP addresses
  IPv4 link-locals
  IPv6 link-locals - SEND can solve this
  Low-cost, directed, can be harder to detect

Why allow… (security)
How does authenticating first, giving IP address later help?
– In physically secured links: Client ID is known and bound to the link after PANA. (when attack is detected, attacker can be identified)
– L2-ciphered prior to PANA: Attacker identification.
– L2-ciphered after PANA: Attacker identification.
– IPsec-based access control: Secure DHCP: draft-tschofenig-pana-bootstrap-rfc txt
Still need secure DAD… PANA SA might help SEND.. (a non-CGA-based scheme? For IPv4 too?)
No straightforward benefit of configuring IP after PANA.

Utility of handling this threat
Question: Does handling this DoS threat improve the overall security? [other DoS attacks]

Why allow… (deployment)
Deployment considerations
– In some scenarios, final address assignment depends on the client ID (authentication)
  Pre-PANA address, post-PANA address
– Allocation of pre-PANA address
  IPv6: link-locals
  IPv4:
  – rely on IPv4 link-locals, or
  – Use (additional) local DHCP server
– Address management
  If IPsec-based access control is used:
  – Pre-PANA address is used even after PANA auth as the IPsec tunnel end-point
  If IPsec is NOT used, pre-PANA IPv4 address must be disabled after post-PANA address is obtained (IPv6 LL is OK)

Drawbacks…
Sending to unspecified IP address
– Use link-layer unicast and IP broadcast, or
  not trivial
  Used by Mobile IPv4 (FA never uses ARP for MN)
– Use link-layer and IP broadcast
  Used by DHCP
  Rely on a protocol field (PANA session ID)
Receiving from unspecified IP address
– Rely on link-layer address (not trivial), or
– Rely on a protocol field (PANA session ID)
Fragmentation
– Not a requirement for EAP lower-layer, but for EAP methods
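
The send/receive options on the Drawbacks slide, as an added example that is not part of the original slides: it shows why the source IP cannot identify a PaC with an unspecified address, and how the two sending options address a reply. The `Msg` fields and all function names are hypothetical, the message is a simplified model rather than the PANA wire format, and only IPv4 broadcast is modelled.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

L2_BROADCAST = "ff:ff:ff:ff:ff:ff"
IP_BROADCAST = "255.255.255.255"

@dataclass(frozen=True)
class Msg:
    """Simplified stand-in for a PANA message (assumed fields, not the wire format)."""
    src_ip: str
    src_mac: str
    session_id: int
    body: str

def unspecified(ip: str) -> bool:
    return ipaddress.ip_address(ip).is_unspecified  # 0.0.0.0 or ::

def demux(msgs, key):
    """Group received messages into per-client buckets using the given key."""
    buckets = defaultdict(list)
    for m in msgs:
        buckets[key(m)].append(m.body)
    return dict(buckets)

def reply_addressing(m: Msg, style: str):
    """Return (link-layer dst, IP dst) for a PAA reply to the sender of m."""
    if not unspecified(m.src_ip):
        return (m.src_mac, m.src_ip)           # ordinary unicast
    if style == "mip4":                        # link-layer unicast + IP broadcast
        return (m.src_mac, IP_BROADCAST)
    if style == "dhcp":                        # link-layer broadcast + IP broadcast
        return (L2_BROADCAST, IP_BROADCAST)
    raise ValueError(f"unknown style: {style}")

def pac_accepts(my_mac, my_session, l2_dst, reply_session):
    """PaC-side filter: a broadcast reply is ours only if the session ID matches."""
    return l2_dst in (my_mac, L2_BROADCAST) and reply_session == my_session

# Constructed sample: two unauthenticated PaCs, neither with an IP address yet.
RX = [
    Msg("0.0.0.0", "02:00:00:00:00:0a", 101, "A:start"),
    Msg("0.0.0.0", "02:00:00:00:00:0b", 202, "B:start"),
    Msg("0.0.0.0", "02:00:00:00:00:0a", 101, "A:eap-response"),
]
BY_IP = demux(RX, lambda m: m.src_ip)            # both clients collapse into one bucket
BY_SESSION = demux(RX, lambda m: m.session_id)   # protocol field separates them
BY_MAC = demux(RX, lambda m: m.src_mac)          # link-layer address separates them
```

With the DHCP-style option every PaC on the link receives the reply, so the session ID check in `pac_accepts` is what keeps one client from consuming another's message.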

Question
Do we want to (keep) allow(ing) use of unspecified IP addresses by PaCs?
Do we want to assume PaC always has an IP address?