Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Arkko et al, DIMACS Workshop Nov ‘04 Secure and Efficient Network Access DIMACS Workshop, November 3 rd, 2004, Piscataway, NJ, USA Jari Arkko Ericsson.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Arkko et al, DIMACS Workshop Nov ‘04 Secure and Efficient Network Access DIMACS Workshop, November 3 rd, 2004, Piscataway, NJ, USA Jari Arkko Ericsson."— Presentation transcript:

1 1 Arkko et al, DIMACS Workshop Nov ‘04 Secure and Efficient Network Access DIMACS Workshop, November 3 rd, 2004, Piscataway, NJ, USA Jari Arkko Ericsson Research NomadicLab Pasi Eronen Nokia Research Center Pekka Nikander Vesa Torvinen Ericsson Research NomadicLab This presentation has been produced partially in the context of the Ambient Networks Project. The Ambient Networks Project is part of the European Community's Sixth Framework Program for research and is as such funded by the European Commission. All information in this document is provided ``as is'' and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability. For the avoidance of all doubts, the European Commission has no liability in respect of this document, which is merely representing the authors view

2 2 Arkko et al, DIMACS Workshop Nov ‘04 Presentation Outline The Problem Ongoing work Some new ideas An example protocol run Conclusions

3 3 Arkko et al, DIMACS Workshop Nov ‘04 The Problem

4 4 Arkko et al, DIMACS Workshop Nov ‘04 Some Problems in Current Network Access Approaches (1/3) - Efficiency Attachment involves a l arge number of messages –Scanning & 802.11 attachment –802.1X and EAP messaging –802.11i four-way handshake –DNA & IP router and neighbor discovery –Address autoconfiguration, DAD –Mobile IP home registration –Mobile IPv6 correspondent node registration Over 50% of this is due to security Request/Response style, even across the Internet –Amount of data is growing with certificates, configuration, and discovery Multiple mandatory waiting periods –Even a second, such as for DAD Iteration over available accesses

5 5 Arkko et al, DIMACS Workshop Nov ‘04 Some Problems in Current Network Access Approaches (2/3) - Security “I’m one of the trusted network nodes” approach –Sufficient for large cell size, well protected base stations –Not very good for devices on the coffee shop wall Focus on authentication, not authorization –Does everyone know/agree with the service parameters ? Denial-of-Service problems –Use of cryptographic keys very late in the process – Attacks that create/leave state to network side elements –Insecure lower-layer “detach” messages –802.11 countermeasures functionality Privacy protection is non-existent or incomplete

6 6 Arkko et al, DIMACS Workshop Nov ‘04 Some Problems in Current Network Access Approaches (3/3) - Functionality Security models do not fit all types of deployment –Credit card payments –Home deployments (e.g. leap of faith or physical connection instead of a certificate exercise) Configuration, discovery, and movement support –What are the IP parameters that I can get from this access point? –Is my home operator available via this access point? –How much would accessing this network cost? –Could the network tell me when to move, and to what channel and parameters to use?

7 7 Arkko et al, DIMACS Workshop Nov ‘04 Ongoing Work

8 8 Arkko et al, DIMACS Workshop Nov ‘04 Ongoing Work to Address the Problems... IP mobility –Better implementations that employ parallism allowed by the RFCs –Faster route optimization schemes, such as moving tasks out of the critical path Address autoconfiguration –Turning DAD off –Optimistic DAD –DHCP and SEND security

9 9 Arkko et al, DIMACS Workshop Nov ‘04 Ongoing Work, Continued DNA, Router and Neighbor Discovery –Faster algorithms for detecting whether or not movement has occurred –More frequent and precise router advertisements –Elimination “first message” delays from RFC 2461 –SEND security EAP authentication –Methods work (new credentials, deployment, …) –Channel binding and parameter authentication

10 10 Arkko et al, DIMACS Workshop Nov ‘04 Ongoing Work, Continued Link layer –Pre-authentication and proactive key distribution –Better protection of payload packets (AES etc) –Better information channels from the network to the clients (e.g., 802.21) –Discovery (WIEN SG) –Faster scanning techniques, parameter tuning –Bigger subnets (less IP layer work after attachment) –...

11 11 Arkko et al, DIMACS Workshop Nov ‘04 Observations People care about this! A lot of results! Most work focused on a particular “slice” of the problem No good understanding of what the impact of individual improvement is for effiency –E.g., “I can’t afford 1 RTT in Mobile IP” Not enough system-level understanding of the security issues

12 12 Arkko et al, DIMACS Workshop Nov ‘04 Some New Ideas

13 13 Arkko et al, DIMACS Workshop Nov ‘04 Approach Focus on the problem as a whole! –There are multiple parties involved -- not just two –Who needs to communicate with who? –How are the parties identified? –What is the optimal order of messages? –What system security properties are needed? –Are there bulk information transfer needs? How can they best be addressed? –Can we learn something from solutions in other contexts?

14 14 Arkko et al, DIMACS Workshop Nov ‘04 Caveat This may not be compatible with current protocols Layer-purists might object to our views We do not have all the details, just pointers to ideas

15 15 Arkko et al, DIMACS Workshop Nov ‘04 Potential Solution Ingredients (1/5) Addressing: All nodes (not just the client) need an address Addresses are hashes of public keys Benefits: –All parties -- such as the “access network” can be addressed in communications –Avoid address stealing and functionality to bind addresses to credentials –Nodes can generate their addresses and keys on their own, without infrastructure –Privacy can be achieved via ephemeral keys Identifier vs. routing semantics

16 16 Arkko et al, DIMACS Workshop Nov ‘04 Potential Solution Ingredients (2/5) Message order: Find out what information the whole problem involves, and how many messages need to carry it And re-think message order Example: If the client’s IP address was known earlier, the authentication process with the home network could handle mobility-related registrations as well Benefits: –Number of messages can be reduced –“Ping-pong” delays can be avoided

17 17 Arkko et al, DIMACS Workshop Nov ‘04 Potential Solution Ingredients (3/5) Information transfer: Do not fetch everything from the original source –Cache information about, say, roaming consortium in the AP Learn from TCP… no req-resp across the Internet –Either run TCP-like protocols directly between the client and the, say, home network –Or have the access point do this over the Internet, and use a request- response over the final radio hop Information transfer capabilities should not be restricted to the initial authentication exchange Benefits –More and faster information transfer, at any time

18 18 Arkko et al, DIMACS Workshop Nov ‘04 Potential Solution Ingredients (4/5) Miscallenous Delegation –Does the client have to be involved in tasks? –Can some tasks be delegated to the access point/router? –For instance, router based address assignment and DAD –Even a mobility related registration could be delegated Denial-of-Service protection –No separation to “attachment” and “secure attachment” –Stateless design on the network side

19 19 Arkko et al, DIMACS Workshop Nov ‘04 Potential Solution Ingredients (5/5) Miscallenous, continued Privacy protection –Build the protocols for non-static identifiers and addresses –Protect communications from the start, not at the end

20 20 Arkko et al, DIMACS Workshop Nov ‘04 An Example Protocol Run

21 21 Arkko et al, DIMACS Workshop Nov ‘04 The Example Flows: –Current message flow –Suggested basic message flow –Variant with better mobility support –Handoff Assumptions: –Authentication needed; roaming case –IPv6 –Mobility with RO & one peer –Client - home authentication in 2 RTT (identifier / challenge / response / success)

22 22 Arkko et al, DIMACS Workshop Nov ‘04 Example: Current Flow

23 23 Arkko et al, DIMACS Workshop Nov ‘04 client access network home other node Beacon 802.11 Attachment 802.11 Authentication 802.1X and EAP 802.11i 4-Way HS IPv6 Router Discovery IPv6 DAD MIPv6 Home Reg MIPv6 RO Reg

24 24 Arkko et al, DIMACS Workshop Nov ‘04 Example: Improved Basic Flow

25 25 Arkko et al, DIMACS Workshop Nov ‘04 client access network home other node Beacon Beacon includes: - Access node identifier - Access network identifier - Possible other “advertised” information, such as capabilities, roaming partner identifiers, and so on

26 26 Arkko et al, DIMACS Workshop Nov ‘04 client access network home other node Beacon Secure Attachment The functions of the secure attachment protocol: - Authenticate the claimed identities (opportunistically) - Turn ciphering on, as in 802.11i 4-way handshake It also piggybacks the following: - Deliver IPv6 router advertisements - Authentication and authorization to the home (partially) - May perform address allocation on behalf of the client - May perform mobility registration on behalf of the client

27 27 Arkko et al, DIMACS Workshop Nov ‘04 client access network home other node Beacon Secure Attachment I1: trigger exchange --------------------------> select pre- computed R1 R1: puzzle, D-H, key, sig <------------------------- check sig remain stateless solve puzzle I2: solution, D-H, {key}, sig --------------------------> compute D-H check cookie check puzzle check sig R2: sig <-------------------------- check sig compute D-H

28 28 Arkko et al, DIMACS Workshop Nov ‘04 client access network home other node Beacon Secure Attachment Home auth & authz - The home authentication process follows the identity/challenge/response/success model (for instance) - A mobility protocol home registration is carried in the same messages -- executed after the final response message is sent

29 29 Arkko et al, DIMACS Workshop Nov ‘04 client access network home other node Beacon Secure Attachment Home auth & authz RO registration 1. Client delivers its public key, other parameters, and a statement that delegates the access network to allocate an address for it. 2. Access network has a statement from an authority about the prefixes it “owns”. It constructs an address and sends the address, the statement, and the client’s information to the home network. 3. Home network sends the information along to the correspondent node. Correspondent node believes the validity of the care-of address since it trusts the same authority. in a HIP-like mobility solution there is no need to verify the home address; client’s signed statement is sufficient.

30 30 Arkko et al, DIMACS Workshop Nov ‘04 Example: Variation with Better Mobility Support

31 31 Arkko et al, DIMACS Workshop Nov ‘04 client access network home other node Beacon Secure Attachment Home auth & authz RO registration Variation: A common authority can be avoided by a care-of address test. Care-of Address Test

32 32 Arkko et al, DIMACS Workshop Nov ‘04 Example: Handoffs

33 33 Arkko et al, DIMACS Workshop Nov ‘04 client access node 1 access node 2 access network Beacon Secure Attachment - Access node 1 has a signed statement from the access network that it is a part of the network. This is given to the client. - After authentication and authorization at the home network, a set of explicit authorization criteria are known. A signed statement is given to the client, saying that the client is allowed to move to another access node within the same network, as long as the criteria are fulfilled.

34 34 Arkko et al, DIMACS Workshop Nov ‘04 client access node 1 access node 2 access network Beacon Secure Attachment - Access node 2 has a similar statement from the access network as well. - Client presents its statements and the usual home authentication/authorization process can be skipped. Client gets access. - However, access node 2 needs to verify authorization criteria. In many case this implies contacting a central node in the access network (e.g. concurrent usage limit). Secure Attachment

35 35 Arkko et al, DIMACS Workshop Nov ‘04 Conclusions

36 36 Arkko et al, DIMACS Workshop Nov ‘04 Conclusions Need to look at the whole problem –Measurements –System-level security story –Solutions Some early solution ideas presented –Clearly more work is needed for the details, security analysis & actual benefits Feedback appreciated!

Download ppt "1 Arkko et al, DIMACS Workshop Nov ‘04 Secure and Efficient Network Access DIMACS Workshop, November 3 rd, 2004, Piscataway, NJ, USA Jari Arkko Ericsson."

Similar presentations

Mobile IP Outline Intro to mobile IP Operation Problems with mobility.

Mobile IP Outline Intro to mobile IP Operation Problems with mobility.
IPv6 Mobility Support Henrik Petander

IPv6 Mobility Support Henrik Petander
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
Internetworking II: MPLS, Security, and Traffic Engineering

Internetworking II: MPLS, Security, and Traffic Engineering
1 Introduction to Mobile IPv6 IIS5711: Mobile Computing Mobile Computing and Broadband Networking Laboratory CIS, NCTU.

1 Introduction to Mobile IPv6 IIS5711: Mobile Computing Mobile Computing and Broadband Networking Laboratory CIS, NCTU.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
Auto Configuration and Mobility Options in IPv6 By: Hitu Malhotra and Sue Scheckermann.

Auto Configuration and Mobility Options in IPv6 By: Hitu Malhotra and Sue Scheckermann.
Mobile IP: enable mobility for IP-based networks CS457 presentation Xiangchuan Chen Nov 6, 2001.

Mobile IP: enable mobility for IP-based networks CS457 presentation Xiangchuan Chen Nov 6, 2001.
IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.

IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.
Inter-Subnet Mobile IP Handoffs in 802.11b Wireless LANs Albert Hasson.

Inter-Subnet Mobile IP Handoffs in b Wireless LANs Albert Hasson.
1 Mobile IP Myungchul Kim Tel: 042-866-6127.

1 Mobile IP Myungchul Kim Tel:
IPv4 and IPv6 Mobility Support Using MPLS and MP-BGP draft-berzin-malis-mpls-mobility-00 Oleg Berzin, Andy Malis {oleg.berzin,

IPv4 and IPv6 Mobility Support Using MPLS and MP-BGP draft-berzin-malis-mpls-mobility-00 Oleg Berzin, Andy Malis {oleg.berzin,
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
IPv6 Address Provisioning In IPv6 world there are three provisioning aspects wich are independent of whether the IPv6 node is a Host or CE router: IPv6.

IPv6 Address Provisioning In IPv6 world there are three provisioning aspects wich are independent of whether the IPv6 node is a Host or CE router: IPv6.
1 Role of Authorization in Wireless Network Security Pasi Eronen Jari Arkko November 3, 2004 This document has been produced partially in the context of.

1 Role of Authorization in Wireless Network Security Pasi Eronen Jari Arkko November 3, 2004 This document has been produced partially in the context of.
NISNet Winter School Finse 2008 1 Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology

NISNet Winter School Finse Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology
MOBILITY SUPPORT IN IPv6

MOBILITY SUPPORT IN IPv6
Chapter 13 Mobile IP. Outline  ADDRESSING  AGENTS  THREE PHASES  AGENT DISCOVERY  REGISTRATION  DATA TRANSFER  INEFFICIENCY IN MOBILE IP.

Chapter 13 Mobile IP. Outline  ADDRESSING  AGENTS  THREE PHASES  AGENT DISCOVERY  REGISTRATION  DATA TRANSFER  INEFFICIENCY IN MOBILE IP.
A Study of Mobile IP Kunal Ganguly Wichita State University CS843 – Distributed Computing.

A Study of Mobile IP Kunal Ganguly Wichita State University CS843 – Distributed Computing.
Mobile IP.

Mobile IP.

Similar presentations

Ads by Google