Presentation is loading. Please wait.

Presentation is loading. Please wait.

PaC with unspecified IP address. Requirements Assigning an IP address to the client is outside the scope of PANA. PANA protocol design MAY require the.

Published byJustina Matthews Modified over 9 years ago

Similar presentations

Presentation on theme: "PaC with unspecified IP address. Requirements Assigning an IP address to the client is outside the scope of PANA. PANA protocol design MAY require the."— Presentation transcript:

1 PaC with unspecified IP address

2 Requirements Assigning an IP address to the client is outside the scope of PANA. PANA protocol design MAY require the PaC to configure an IP address before using this protocol. Allocating IP addresses to unauthenticated PaCs may create security vulnerabilities, such as IP address depletion attacks on the access network [SECTHREAT]. IPv4 networks with limited address space are the main targets of such attacks. Launching a successful attack that can deplete the addresses in an IPv6 network is relatively harder. This threat can be mitigated by allowing the protocol to run without an IP address configured on the PaC (i.e., using unspecified source address). Such a design choice might limit the re-use of existing security mechanisms, and impose additional implementation complexity. This trade off should be taken into consideration in designing PANA.

3 Current state PANA design to allow use of unspecified IP address –PaC by default will attempt IP configuration –Deployment decision whether network allows an IP address configuration prior to PANA

4 Why allow unspecified PaC address? Security - attacks by unauthenticated clients –Address depletion attack (DHCPv4) –DAD-attack DHCP addresses IPv4 link-locals IPv6 link-locals - SEND can solve this Low-cost, directed, can be harder to detect

5 Why allow… (security) How does authenticating first, giving IP address later help? –In physically secured links: Client ID is known and bound to the link after PANA. (when attack is detected, attacker can be identified) –L2-ciphered prior to PANA: Attacker identification. –L2-ciphered after PANA: Attacker identification. –IPsec-based access control: Secure dhcp: draft-tschofenig-pana-bootstrap-rfc3118-00.txt Still need secure DAD… PANA SA might help SEND.. (a non-CGA-based scheme? For IPv4 too?) No straight forward benefit of configuring IP after PANA.

6 Utility of handling this threat Question: Does handling this DoS threat improve the overall security? [other DoS attacks]

7 Why allow… (deployment) Deployment considerations –In some scenarios, final address assignment depends on the client ID (authentication) Pre-PANA address, post-PANA address –Allocation of pre-PANA address IPv6: link-locals IPv4: –rely on IPv4 link-locals, or –Use (additional) local DHCP server –Address management If IPsec-based access control is used: –Pre-PANA address is used even after PANA auth as the IPsec tunnel end-point If IPsec is NOT used, pre-PANA IPv4 address must be disabled after post-PANA address is obtained (IPv6 LL is OK)

8 Drawbacks… Sending to unspecified IP address –Use link-layer unicast and IP broadcast, or not trivial Used by Mobile IPv4 (FA never uses ARP for MN) –Use link-layer and IP broadcast Used by DHCP Rely on a protocol field (PANA session ID) Receiving from unspecified IP address –Rely on link-layer address (not trivial), or –Rely on a protocol field (PANA session ID) Fragmentation –Not a requirement for EAP lower-layer, but for EAP methods

9 Question Do we want to (keep) allow(ing) use of unspecified IP addresses by PaCs? Do we want to assume Pac always has an IP address?

Download ppt "PaC with unspecified IP address. Requirements Assigning an IP address to the client is outside the scope of PANA. PANA protocol design MAY require the."

Similar presentations

CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
Auto Configuration and Mobility Options in IPv6 By: Hitu Malhotra and Sue Scheckermann.

Auto Configuration and Mobility Options in IPv6 By: Hitu Malhotra and Sue Scheckermann.
IPv6 Overview Brent Frye EECS710. Overview Google Drive Microsoft Cloud Drive Dropbox Paid-for alternatives 2.

IPv6 Overview Brent Frye EECS710. Overview Google Drive Microsoft Cloud Drive Dropbox Paid-for alternatives 2.
EE 545 – BOGAZICI UNIVERSITY. Agenda Introduction to IP What happened IPv5 Disadvantages of IPv4 IPv6 Overview Benefits of IPv6 over IPv4 Questions -

EE 545 – BOGAZICI UNIVERSITY. Agenda Introduction to IP What happened IPv5 Disadvantages of IPv4 IPv6 Overview Benefits of IPv6 over IPv4 Questions -
1 IPv6. 2 Problem: 32-bit address space will be completely allocated by 2008. Solution: Design a new IP with a larger address space, called the IP version.

1 IPv6. 2 Problem: 32-bit address space will be completely allocated by Solution: Design a new IP with a larger address space, called the IP version.
IPV6. Features of IPv6 New header format Large address space More efficient routing IPsec header support required Simple automatic configuration New protocol.

IPV6. Features of IPv6 New header format Large address space More efficient routing IPsec header support required Simple automatic configuration New protocol.
IP Version 6 Next generation IP Prof. P Venkataram ECE Dept. IISc.

IP Version 6 Next generation IP Prof. P Venkataram ECE Dept. IISc.
Configuring and Troubleshooting Network Connections

Configuring and Troubleshooting Network Connections
Network Localized Mobility Management using DHCP

Network Localized Mobility Management using DHCP
AAA Mobile IPv6 Application Framework draft-yegin-mip6-aaa-fwk-00.txt Alper Yegin IETF 61 – 12 Nov 2004.

AAA Mobile IPv6 Application Framework draft-yegin-mip6-aaa-fwk-00.txt Alper Yegin IETF 61 – 12 Nov 2004.
IPv6 Address Provisioning In IPv6 world there are three provisioning aspects wich are independent of whether the IPv6 node is a Host or CE router: IPv6.

IPv6 Address Provisioning In IPv6 world there are three provisioning aspects wich are independent of whether the IPv6 node is a Host or CE router: IPv6.
Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005.

Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005.
Bootstrapping MIP6 Using DNS and IKEv2 (BMIP) James Kempf Samita Chakrarabarti Erik Nordmark draft-chakrabarti-mip6-bmip-01.txt Monday March 7, 2005.

Bootstrapping MIP6 Using DNS and IKEv2 (BMIP) James Kempf Samita Chakrarabarti Erik Nordmark draft-chakrabarti-mip6-bmip-01.txt Monday March 7, 2005.
Transition Mechanisms for Ipv6 Hosts and Routers RFC2893 By Michael Pfeiffer.

Transition Mechanisms for Ipv6 Hosts and Routers RFC2893 By Michael Pfeiffer.
Subnetting.

Subnetting.
1 Chapter Overview IP (v4) Address IPv6. 2 IPv4 Addresses Internet Protocol (IP) is the only network layer protocol with its own addressing system and.

1 Chapter Overview IP (v4) Address IPv6. 2 IPv4 Addresses Internet Protocol (IP) is the only network layer protocol with its own addressing system and.
بسم الله الرحمن الرحیم. Why ip V6 ip V4 Addressing Ip v4 :: 32-bits :: :: written in dotted decimal :: :: 192.168.1.1 ::

بسم الله الرحمن الرحیم. Why ip V6 ip V4 Addressing Ip v4 :: 32-bits :: :: written in dotted decimal :: :: ::
Research on IP Anycast Secure Group Management Wang Yue Network & Distribution Lab, Peking University Network.

Research on IP Anycast Secure Group Management Wang Yue Network & Distribution Lab, Peking University Network.
Telecommunication Networks Group Technical University Berlin Secure WLAN Operation and Deployment in Home and Small to Medium Size Office Environments.

Telecommunication Networks Group Technical University Berlin Secure WLAN Operation and Deployment in Home and Small to Medium Size Office Environments.

Similar presentations

Ads by Google