Slide 1/32: Internet Architecture
Lukas Banach
Tutors: Holger Karl, Christian Dannewitz
Monday 26.09.2005
Sections: C. Today | I³ | SI³ | HIP | HI³
Slide 2/32: Overview
- Communication today
- Problems
- I³: new services
- SI³: denial of service protection
- HIP: cryptographic security
- HI³

Slide 3/32: Communication Today
- Via IP
- Source and destination know one another
- Identifier = Locator

Slide 4/32: Problems
- Mobility
- Multicast, Anycast etc.
- Protection against Denial of Service Attacks
- End-to-end security / authentication

Slide 5/32: Mobility
- Change the address space
- Broken "connection"
Figure: Paderborn 1 -> Paderborn 2

Slide 6/32: Denial of Service Attack
- Flooding the host with useless traffic
- Faulty connection
- Loss of services

Slide 7/32: Internet Indirection Infrastructure (I³)
- Enables new services: mobility, multicast, anycast, ...
- New overlay network
- Decouples sending from receiving
Slide 8/32: I³ - How It Works
- Receivers express interest in packets by inserting a trigger (id, R)
- Sources send packets (id, data) to the trigger
- I³ servers store triggers and forward the packets as (R, data)
Figure: sender (S), I³ server, receiver (R)

Slide 9/32: Identifiers
- Identifiers are m bits long
- Each identifier is mapped to a unique I³ server
- The first k bits select the server
- Efficient trigger matching
Figure: sender (S) sends (x|q, data); stored triggers are (v, R1), (x|y, R2), (x|z, R3); the packet matches (x|y, R2) OR (x|z, R3), so it reaches receiver2 (R2) or receiver3 (R3)

Slide 10/32: Mobility
- Receiver moves from one location to another
- Receiver updates its existing triggers
- Simultaneous movement of sender and receiver is possible
- Identifier ≠ Locator
Figure: sender (S) sends (id, data); the trigger (id, R) becomes (id, R') when the receiver moves to R', so the server forwards (R', data) instead of (R, data)

Slide 11/32: Public / Private Triggers
- Distinction only at the application layer
- First contact through a public trigger
- Private triggers are used for data communication
Figure: server (S) holds a public trigger (id, S); client (C) inserts a private trigger (id_PC, C) and sends (id, id_PC); the server inserts its private trigger (id_PS, S) and answers (id_PC, id_PS)
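The following toy model of slides 8 to 11 is an added example, not code from the slides or from the I³ project. It assumes values the slides leave open: identifiers are m = 16-bit integers, the k = 4 leading bits select the server, and a packet is matched to the stored trigger with the longest common prefix (exact agreement on the first k bits is implied by landing on the same server). A tie stands in for the anycast "OR" of slide 9 and goes to the trigger inserted first. Addresses are constructed strings; the identifier values and the names R1, R2, R3, id_PC, id_PS are taken from the figures.

```python
"""Toy model of I³ triggers for slides 8 to 11 (added example).

Assumed, not stated on the slides: m = 16-bit identifiers, k = 4 server bits,
longest-prefix trigger matching with ties resolved to the first trigger.
"""

M_BITS = 16  # identifier length m (assumed value)
K_BITS = 4   # leading bits that select the I³ server (assumed value)


def server_for(identifier: int) -> int:
    """The first k bits of an identifier name the responsible I³ server."""
    return identifier >> (M_BITS - K_BITS)


def common_prefix(a: int, b: int) -> int:
    """Number of leading bits two m-bit identifiers share."""
    diff = a ^ b
    return M_BITS if diff == 0 else M_BITS - diff.bit_length()


class I3Overlay:
    """All I³ servers; each stores triggers (id, R) and forwards packets to R."""

    def __init__(self) -> None:
        self.triggers = {}  # server index -> list of (identifier, receiver address)

    def insert_trigger(self, identifier: int, receiver: str) -> None:
        """Receiver expresses interest in id by storing (id, R) at id's server."""
        self.triggers.setdefault(server_for(identifier), []).append((identifier, receiver))

    def remove_trigger(self, identifier: int, receiver: str) -> None:
        store = self.triggers.get(server_for(identifier), [])
        store[:] = [t for t in store if t != (identifier, receiver)]

    def update_trigger(self, identifier: int, old: str, new: str) -> bool:
        """Mobility (slide 10): the receiver swaps R for R' but keeps the id."""
        store = self.triggers.get(server_for(identifier), [])
        for i, (tid, r) in enumerate(store):
            if (tid, r) == (identifier, old):
                store[i] = (tid, new)
                return True
        return False

    def match(self, identifier: int):
        """Longest-prefix match among the triggers stored on the selected server."""
        best, best_len = None, -1
        for tid, receiver in self.triggers.get(server_for(identifier), []):
            shared = common_prefix(identifier, tid)
            if shared >= K_BITS and shared > best_len:  # strict '>' keeps the first on ties
                best, best_len = receiver, shared
        return best

    def send(self, identifier: int, data):
        """The sender addresses only the id; the server rewrites (id, data) to (R, data)."""
        receiver = self.match(identifier)
        return None if receiver is None else (receiver, data)


def slide9_matching():
    """Triggers (v,R1), (x|y,R2), (x|z,R3) and packets (x|q, data); x = 0xA5 (constructed)."""
    ov = I3Overlay()
    ov.insert_trigger(0x3000, "R1")  # v: lives on server 3
    ov.insert_trigger(0xA510, "R2")  # x|y: server 0xA
    ov.insert_trigger(0xA520, "R3")  # x|z: same server
    return ov.send(0xA512, "data"), ov.send(0xA5F0, "data")  # closest trigger, then a tie


def slide10_mobility():
    """Receiver R moves to R'; the sender keeps using the same id."""
    ov = I3Overlay()
    ov.insert_trigger(0x1234, "R")
    before = ov.send(0x1234, "data")
    ov.update_trigger(0x1234, "R", "R'")
    return before, ov.send(0x1234, "data")


def slide11_private_triggers():
    """First contact via the public trigger (id, S), then private ids for data."""
    ov = I3Overlay()
    pub, id_pc, id_ps = 0x5000, 0x7A10, 0x7B20  # constructed identifiers
    ov.insert_trigger(pub, "S")                  # server's public trigger (id, S)
    ov.insert_trigger(id_pc, "C")                # client's private trigger (id_PC, C)
    hop1 = ov.send(pub, ("id_PC", id_pc))        # (id, id_PC) reaches S
    ov.insert_trigger(id_ps, "S")                # server's private trigger (id_PS, S)
    hop2 = ov.send(id_pc, ("id_PS", id_ps))      # (id_PC, id_PS) reaches C
    ov.remove_trigger(pub, "S")                  # dropping the public trigger stops new contacts ...
    return hop1, hop2, ov.send(pub, "late"), ov.send(id_ps, "data")  # ... but private data still flows
```

The last function also shows why removing the public trigger (the "Stop the Attack" idea later in the deck) costs nothing for existing sessions: data on the private identifiers keeps being forwarded while a late packet to the public identifier has nothing to match.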
Slide 12/32: Problems (section divider repeating slide 4: Mobility; Multicast, Anycast etc.; Protection against Denial of Service Attacks; End-to-end security / authentication)

Slide 13/32: Secure I³ (SI³)
- Extended I³
- Protection against DoS attacks
- Communication without revealing IP addresses
- Empowering end-hosts with more control

Slide 14/32: Control Against DoS Attacks
- Stop the attack
- Dilute the attack
- Slow down the attack
- Evade the attack
- Multicast access control

Slide 15/32: Stop the Attack
- Remove the public trigger
- Prevents new clients from connecting
- Preserves existing connections (private triggers)
Figure: server (S) keeps the private triggers (x, R), (y, R), (z, R) of Client1 (C1), Client2 (C2), Client3 (C3); attacker (A)

Slide 16/32: Dilute the Attack
- Provide multiple public triggers
- Drop a fraction of the total traffic
- Some triggers remain to connect through
- Learn which public triggers are alive
- Change the subset of active public triggers
Figure: victim (V) with public triggers (id_1, V), (id_2, V), (id_3, V), (id_4, V); attacker (A)

Slide 17/32: Slow Down the Attack
- Use a powerful third-party server
- Cryptographic puzzle
- Each message carries a unique puzzle
Figure: client (C), DoS filter (A) with trigger (id_a, A), server (S); triggers (id_C, C) and (id_S, S); message steps 1, 2, 3
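An added example of the puzzle idea on slide 17; it is not SI³ code, and the slides give no puzzle construction, so the design here is assumed: the DoS filter issues a fresh random nonce and a difficulty d with every message it is willing to forward, the client must find a solution s such that SHA-256(nonce || s) begins with d zero bits, and the filter checks one hash and forwards only valid messages. Each nonce is accepted once, so one solved puzzle cannot be reused for many messages. The class and function names are this example's own.

```python
"""Hash puzzle in the style of "Slow Down the Attack" (added example).

Assumed design: per-message random nonce, d leading zero bits of
SHA-256(nonce || solution) required, nonce consumed on first use.
"""
import hashlib
import os


def _leading_zero_bits(digest: bytes) -> int:
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def puzzle_hash(nonce: bytes, solution: int) -> bytes:
    return hashlib.sha256(nonce + solution.to_bytes(8, "big")).digest()


def solve_puzzle(nonce: bytes, difficulty: int) -> int:
    """Client side: about 2**difficulty hashes of work per message."""
    solution = 0
    while _leading_zero_bits(puzzle_hash(nonce, solution)) < difficulty:
        solution += 1
    return solution


def verify_solution(nonce: bytes, difficulty: int, solution: int) -> bool:
    """Filter side: a single hash, however hard the puzzle was to solve."""
    return _leading_zero_bits(puzzle_hash(nonce, solution)) >= difficulty


class DoSFilter:
    """The third-party filter (A on the slide) standing in front of the server."""

    def __init__(self, difficulty: int) -> None:
        self.difficulty = difficulty
        self.outstanding = {}  # nonce -> difficulty, one entry per unanswered puzzle
        self.forwarded = []    # messages passed on to the server

    def challenge(self):
        """Hand out a unique puzzle for the next message."""
        nonce = os.urandom(16)
        self.outstanding[nonce] = self.difficulty
        return nonce, self.difficulty

    def accept(self, nonce: bytes, solution: int, message) -> bool:
        """Forward only if the puzzle is known, unused and correctly solved."""
        difficulty = self.outstanding.pop(nonce, None)  # consumed even when the check fails
        if difficulty is None or not verify_solution(nonce, difficulty, solution):
            return False
        self.forwarded.append(message)
        return True


def demo(difficulty: int = 12):
    """An honest client, then a replay of its solution, then a client that skipped the work."""
    flt = DoSFilter(difficulty)
    nonce, d = flt.challenge()
    honest = flt.accept(nonce, solve_puzzle(nonce, d), "request 1")
    replay = flt.accept(nonce, solve_puzzle(nonce, d), "request 1 again")
    nonce2, d2 = flt.challenge()
    lazy_guess = 0
    while verify_solution(nonce2, d2, lazy_guess):  # make sure the guess really is wrong
        lazy_guess += 1
    lazy = flt.accept(nonce2, lazy_guess, "request 2")
    return honest, replay, lazy, flt.forwarded
```

The asymmetry is the whole point: the filter spends one hash per message while each sender spends roughly 2^d, so the difficulty can be raised when the filter sees a flood and lowered again afterwards.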
Slide 18/32: Secure I³ - Summary
Advantages:
- Prevents IP-level flooding
- Private communication cannot be attacked
- Alleviates flooding via triggers at the I³ level
Costs:
- Overlay server: amount of network traffic

Slide 19/32: Problems (section divider repeating slide 4: Mobility; Multicast, Anycast etc.; Protection against Denial of Service Attacks; End-to-end security / authentication)

Slide 20/32: Host Identity Protocol (HIP)
- New namespace
- New protocol layer between the internetworking and transport layers
- Public-key cryptography

Slide 21/32: Host Identity Protocol
- Host Identifier: independent of the IP address; a public key
- Host Identity Tag (HIT): 128-bit representation of the Host Identity
- Locator: IP address
- Transport associations are bound to Host Identities

Slide 22/32: End-to-End Connection
Using IPsec:
- Internet Key Exchange (Diffie-Hellman)
- Security association
- Security Parameters Index (SPI) as the connection identifier

Slide 23/32: Mobility
- First scenario, not yet connected: the mobile node is reached via a rendezvous mechanism
- Second scenario, connected: an address change doesn't break the TCP connection
- Third scenario: both nodes move at the same time
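An added example for slides 21 and 23, with the middlebox rule of slide 30 folded in; it is not HIP implementation code. Simplifications assumed here: a "public key" is a constructed byte string, the HIT is the first 128 bits of SHA-256 over it rendered as an IPv6-style address (the real HIT encoding of the HIP specifications is not reproduced), and the refresh of the middlebox table after a move is done by a control-plane call rather than by real HIP signalling. Associations are keyed by the peer's HIT and demultiplexed by SPI, so a locator change only updates tables; the class names, addresses and SPI values are this example's own.

```python
"""HIT-bound associations surviving an address change (added example).

Assumed: simplified HIT (truncated SHA-256 as IPv6 text), constructed keys,
addresses and SPIs; middlebox table refreshed by an explicit call.
"""
import hashlib
import ipaddress


def host_identity_tag(public_key: bytes) -> str:
    """128-bit tag for a Host Identity (simplified: truncated SHA-256, shown as IPv6)."""
    return str(ipaddress.IPv6Address(hashlib.sha256(public_key).digest()[:16]))


class HipHost:
    def __init__(self, public_key: bytes, locator: str) -> None:
        self.hit = host_identity_tag(public_key)
        self.locator = locator     # current IP address; may change
        self.peer_locators = {}    # peer HIT -> peer IP address
        self.inbound = {}          # SPI we expect -> peer HIT
        self.outbound = {}         # peer HIT -> SPI we send with
        self.received = []

    def add_association(self, peer, peer_locator: str, spi_in: int, spi_out: int) -> None:
        """Security association bound to the peer's Host Identity, not to its address."""
        self.peer_locators[peer.hit] = peer_locator
        self.inbound[spi_in] = peer.hit
        self.outbound[peer.hit] = spi_out

    def packet_to(self, peer_hit: str, payload):
        """Wire packet: locators and SPI only; HITs never appear on the data path."""
        return {"src": self.locator, "dst": self.peer_locators[peer_hit],
                "spi": self.outbound[peer_hit], "payload": payload}

    def receive(self, packet) -> bool:
        """Demultiplex by SPI back to the HIT the association is bound to."""
        peer_hit = self.inbound.get(packet["spi"])
        if peer_hit is None:
            return False
        self.received.append((peer_hit, packet["payload"]))
        return True

    def relocate(self, new_locator: str, peers) -> None:
        """Address change (slide 23): peers learn the new locator, the HIT key stays."""
        self.locator = new_locator
        for peer in peers:
            peer.peer_locators[self.hit] = new_locator


class Middlebox:
    """Forwards only traffic whose (destination address, SPI) pair is known."""

    def __init__(self) -> None:
        self.table = set()

    def allow(self, dst: str, spi: int) -> None:
        self.table.add((dst, spi))

    def forward(self, packet) -> bool:
        return (packet["dst"], packet["spi"]) in self.table


def establish(a: HipHost, b: HipHost, spi_ab: int, spi_ba: int, mb: Middlebox) -> None:
    """Outcome of the key exchange: one SPI per direction, registered at the middlebox."""
    a.add_association(b, b.locator, spi_in=spi_ba, spi_out=spi_ab)
    b.add_association(a, a.locator, spi_in=spi_ab, spi_out=spi_ba)
    mb.allow(b.locator, spi_ab)
    mb.allow(a.locator, spi_ba)


def demo():
    a = HipHost(b"constructed-public-key-A", "192.0.2.10")
    b = HipHost(b"constructed-public-key-B", "198.51.100.7")
    mb = Middlebox()
    establish(a, b, spi_ab=0x1001, spi_ba=0x2002, mb=mb)
    pkt = a.packet_to(b.hit, "data-1")
    delivered_before = mb.forward(pkt) and b.receive(pkt)
    b.relocate("203.0.113.44", peers=[a])       # b moves; association and SPI are unchanged
    pkt2 = a.packet_to(b.hit, "data-2")
    blocked = mb.forward(pkt2)                    # middlebox still only knows the old address
    mb.allow(b.locator, a.outbound[b.hit])        # control-plane refresh (assumed mechanism)
    delivered_after = mb.forward(pkt2) and b.receive(pkt2)
    return delivered_before, blocked, delivered_after, [p for _, p in b.received], pkt2["dst"]
```

Note what never changed during the move: b's HIT, both SPIs and the association entries on either host. Only locator fields and the middlebox table were updated, which is exactly the "address change doesn't break the TCP connection" property the slide claims.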
Slide 24/32: Problems (section divider repeating slide 4: Mobility; Multicast, Anycast etc.; Protection against Denial of Service Attacks; End-to-end security / authentication)

Slide 25/32: Weaknesses
SI³:
- Traffic flows through an overlay server
- No encryption
HIP:
- A rendezvous server is needed
- Unable to deal with DoS attacks
- Lacks support for multicast / anycast

Slide 26/32: Host Identity Indirection Infrastructure (HI³)
- Combination of (S)I³ and HIP
- More efficient SI³
- More secure than SI³
- Better DoS protection than HIP
- Rendezvous service

Slide 27/32: HI³ Architecture
- Uses HITs as SI³ triggers
- The I³ server is similar to a rendezvous server
- Basic idea: separation of data and control traffic
- Use SI³ to route HIP control packets
- Data packets via HIP: IPsec-protected end-to-end traffic

Slide 28/32: HI³ Architecture
Figure: client (C), server (S); public/private trigger insertion (id_PUB, R), (id_PRI, R); labels I1, private trigger, IPsec protected, SI³, HIP

Slide 29/32: Separating Data and Control
Control traffic via SI³:
- DoS protection
- Mobility

Slide 30/32: Separating Data and Control
Data traffic:
- IPsec / SPI used to implement DoS protection
- Middlebox forwards traffic by (destination address, SPI)
- HIP mobility

Slide 31/32: Problems (section divider repeating slide 4: Mobility; Multicast, Anycast etc.; Protection against Denial of Service Attacks; End-to-end security / authentication)

Slide 32/32: The End
Questions?