Problems in using HIP for P2PSIP Philip Matthews Avaya

Overview
Will present 2 different alternatives and the problems we discovered.
Currently trying third approach:
– Take ideas from HIP, rather than trying to use HIP itself.

Background: Overlay Routing
When establishing a new overlay connection to a peer behind a NAT or firewall, often cannot send signaling directly; must route signaling around the overlay.
[Figure: nodes X, Y, Z, W with a NAT between them. Caption: Most NATs will block msg]

First Attempt
draft-matthews-p2psip-hip-hop-00
Key idea: Add overlay routing to HIP.
To establish new overlay connection:
1) Establish connection with HIP signaling;
2) Do additional handshaking at Peer Protocol level over HIP connection.
Peer Protocol: protocol being defined by P2PSIP WG to manage the overlay and implement a DHT in the overlay.

Problem: Credentials
Credential checks are done by Peer Protocol, but this is after HIP connections are made.
– Lots of work done before check is made.
Would like to do checks earlier, but this requires credentials to be carried in I1 and/or I2.
[Figure: overlay of X, Y, Z, W, RVS and joining peer J; I1 msg. All nodes except RVS assumed to be behind a NAT or FW.]

Problem: Routing R1 and R2
How to route R1 and R2 back to joining peer J?
Add new TLVs?
– Record-Route: records each node that a HIP msg passes through
– Playback-Route: source-routes a HIP msg
[Figure: overlay of X, Y, Z, W, RVS and joining peer J; I1 msg, R1 msg. All nodes except RVS assumed to be behind a NAT or FW.]
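The Record-Route / Playback-Route idea from this slide, as an added simulation that is not part of the draft or the slides: an I1 accumulates the overlay nodes it passes through, and the responder reverses that list into a Playback-Route so R1 can be source-routed back to J along the same overlay hops. Node names and overlay links are constructed; every node is assumed to be NATed, so only overlay hops are usable.

```python
from collections import deque

# Added example (not from the draft): a simulation of the Record-Route /
# Playback-Route TLVs proposed on the slide. Node names and overlay links are
# constructed; every node is assumed NATed, so only overlay hops are usable.
OVERLAY_LINKS = {
    "J": ["X"], "X": ["J", "Y"], "Y": ["X", "Z"],
    "Z": ["Y", "RVS", "W"], "W": ["Z"], "RVS": ["Z"],
}

def next_hop(here, dest):
    """Next overlay hop from `here` toward `dest` (shortest path by BFS)."""
    prev, queue = {here: None}, deque([here])
    while queue:
        node = queue.popleft()
        if node == dest:
            break
        for nb in OVERLAY_LINKS[node]:
            if nb not in prev:
                prev[nb] = node
                queue.append(nb)
    if dest not in prev:
        raise ValueError("no overlay path from %s to %s" % (here, dest))
    node = dest
    while prev[node] != here:   # walk back to the hop adjacent to `here`
        node = prev[node]
    return node

def forward_i1(src, dst):
    """Forward an I1 hop-by-hop; each node it passes through appends itself to Record-Route."""
    msg = {"type": "I1", "src": src, "dst": dst, "record_route": []}
    here = src
    while here != dst:
        msg["record_route"].append(here)
        here = next_hop(here, dst)
    return msg

def build_r1(i1):
    """Responder's R1 carries a Playback-Route: the recorded path reversed."""
    return {"type": "R1", "src": i1["dst"], "dst": i1["src"],
            "playback_route": list(reversed(i1["record_route"]))}

def forward_r1(r1):
    """Source-route R1 along Playback-Route, checking each hop is a real overlay link."""
    path = [r1["src"]]
    for hop in r1["playback_route"]:
        if hop not in OVERLAY_LINKS[path[-1]]:
            raise ValueError("bad Playback-Route hop %s -> %s" % (path[-1], hop))
        path.append(hop)
    return path
```

Each transit node is trusted to record itself honestly and to honour the playback list, which is why the slides want credential checks before this routing work is spent.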

Problem: Duplicate Functionality
Some functions seem to be needed at both the HIP and Peer Protocol layers.
Example:
– Routing hop-by-hop around the overlay is required at the HIP layer to route BEX messages.
– Routing hop-by-hop around the overlay seems to also be needed at the Peer Protocol layer to route packets for Get and Put operations on the DHT.

First Attempt: Impressions
Lots of additions to HIP required:
– Overlay routing based on HITs
– Credentials in I1 msg
– Record-Route TLV in I1 msg
– Plus other extensions
Starting to look messy.

Second Attempt
draft-hautakorpi-p2psip-with-hip-01
Key idea: Carry HIP inside Peer Protocol.
– I1, R1, I2, and R2 packets carried inside Peer Protocol messages.
– Overlay routing handled by Peer Protocol.
– Previous two problems pushed out of HIP to Peer Protocol.

Problem: D-H exchange
Peer has to present a credential every time it sets up a new connection, showing that it is allowed to be a member of the overlay.
Given this, is the simple D-H exchange of HIP still appropriate?

Problem: Puzzles
HIP puzzle designed to protect against DoS attacks.
However, lots of work being done by peers in the overlay before the puzzle is exchanged.
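The HIP puzzle the slide refers to, as an added example that is not part of the slides: the initiator must find a J such that the low K bits of SHA-1(I | HIT-I | HIT-R | J) are zero (the RFC 5201 construction), while the responder spends a single hash to check it. The cost asymmetry only protects work done after the check, which is the slide's point: overlay routing and credential handling that happen before the puzzle get no protection from it. The HITs, I and K below are constructed sample values.

```python
import hashlib

# Added example (not from the slides): the HIP puzzle of RFC 5201, where the
# initiator must find J such that the low K bits of SHA-1(I | HIT-I | HIT-R | J)
# are zero. I, the HITs and K are constructed values, not a real exchange.
HIT_I = bytes.fromhex("20010010" + "00" * 12)   # constructed 128-bit HIT
HIT_R = bytes.fromhex("20010010" + "ff" * 12)   # constructed 128-bit HIT
I_NONCE = bytes.fromhex("0123456789abcdef")     # constructed 64-bit puzzle I

def puzzle_ok(i_nonce, hit_i, hit_r, j, k):
    """Responder side: one hash, then test that the low K bits are zero.
    This cheap check is all the responder spends before deciding to continue."""
    digest = hashlib.sha1(i_nonce + hit_i + hit_r + j).digest()
    return int.from_bytes(digest, "big") & ((1 << k) - 1) == 0

def solve_puzzle(i_nonce, hit_i, hit_r, k):
    """Initiator side: try J = 0, 1, 2, ... until the hash condition holds.
    About 2**k hashes are expected, which is the work the puzzle imposes."""
    j = 0
    while True:
        j_bytes = j.to_bytes(8, "big")   # J is a 64-bit value on the wire
        if puzzle_ok(i_nonce, hit_i, hit_r, j_bytes, k):
            return j_bytes, j + 1        # (solution J, number of hashes tried)
        j += 1

def cost_ratio(k):
    """Hashes spent by the initiator versus the single hash spent by the responder."""
    _, tries = solve_puzzle(I_NONCE, HIT_I, HIT_R, k)
    return tries, 1
```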

Third Attempt
draft-matthews-p2psip-id-loc-00
Don't use HIP signaling.
Instead, incorporate ideas from HIP into Peer Protocol:
– ID/Locator split: Yes
– ESP encryption, D-H stuff: Not now
– Puzzle: Not now

More on Third Attempt
On a peer, applications use an "identifier" that looks like an IPv4 or IPv6 address to identify a peer.
– Can allocate ports off this identifier.
These "virtual" addresses and ports are then translated to real addresses and ports by a "mapping" layer between the IP layer and the Transport layer.
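The mapping layer described on this slide, as an added toy model that is not the ID-LOC draft's own code: applications address a peer by a virtual identifier and port, the layer rewrites those to the peer's current real locator and port on the way out and back on the way in, and a locator change is absorbed without the application's identifier changing. The identifiers, locators and ports are constructed values.

```python
# Added example (not from the ID-LOC draft): a toy "mapping" layer between the
# transport and IP layers. Applications see only virtual identifier addresses
# and ports; the layer rewrites them to real locators on the way out and back to
# identifiers on the way in. All identifiers, locators and ports are constructed.

class MappingLayer:
    def __init__(self):
        self.id_to_loc = {}    # identifier -> real IP currently reachable
        self.loc_to_id = {}    # real IP -> identifier
        self.port_v2r = {}     # (identifier, virtual port) -> real port
        self.port_r2v = {}     # (identifier, real port) -> virtual port

    def bind(self, ident, locator):
        """Learn or refresh the locator of a peer; the identifier never changes."""
        old = self.id_to_loc.get(ident)
        if old is not None:
            self.loc_to_id.pop(old, None)   # forget the stale locator of a moved peer
        self.id_to_loc[ident] = locator
        self.loc_to_id[locator] = ident

    def map_port(self, ident, vport, rport):
        """Allocate a virtual port off the identifier and tie it to a real port."""
        self.port_v2r[(ident, vport)] = rport
        self.port_r2v[(ident, rport)] = vport

    def outbound(self, dst):
        """(identifier, vport) -> (real IP, real port); None means no locator known."""
        ident, vport = dst
        loc, rport = self.id_to_loc.get(ident), self.port_v2r.get((ident, vport))
        return None if loc is None or rport is None else (loc, rport)

    def inbound(self, src):
        """(real IP, real port) -> (identifier, vport); unknown locators are dropped."""
        loc, rport = src
        ident = self.loc_to_id.get(loc)
        vport = None if ident is None else self.port_r2v.get((ident, rport))
        return None if vport is None else (ident, vport)

def demo():
    """Peer identified by 1.0.0.5 moves from 198.51.100.7 to 203.0.113.9."""
    m = MappingLayer()
    m.bind("1.0.0.5", "198.51.100.7")
    m.map_port("1.0.0.5", 5060, 40001)
    before = m.outbound(("1.0.0.5", 5060))
    m.bind("1.0.0.5", "203.0.113.9")             # locator changes, identifier does not
    after = m.outbound(("1.0.0.5", 5060))
    stale = m.inbound(("198.51.100.7", 40001))   # old locator no longer accepted
    back = m.inbound(("203.0.113.9", 40001))
    return before, after, stale, back
```

The toy accepts any locator update unconditionally; a real mapping layer has to authenticate the update, since whoever can rebind an identifier's locator receives that peer's traffic.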

Open Issue
Expose HIT to IPv6 apps, or expose only an IPv6 LSI (as is done for IPv4 apps)?
– May be advantages to exposing only an IPv6 LSI.
Using the HIT as the IPv6 identifier doesn't seem to help a lot.
– At first blush, helps when sending protocol messages with embedded addresses.
– However, receiving node must be able to find the node with that HIT -- problematic.