Presentation is loading. Please wait.

Presentation is loading. Please wait.

RSIP Address Sharing with End-to-End Security Mike Borella, 3Com Corp. Gabriel Montenegro, Sun Microsystems March 2000.

Published byErica Marsh Modified over 9 years ago

Similar presentations

Presentation on theme: "RSIP Address Sharing with End-to-End Security Mike Borella, 3Com Corp. Gabriel Montenegro, Sun Microsystems March 2000."— Presentation transcript:

1 RSIP Address Sharing with End-to-End Security Mike Borella, 3Com Corp. Gabriel Montenegro, Sun Microsystems March 2000

2 Realm Specific IP page 2 Where is the Network Edge?  Yesterday: –Corporations –Universities  Today: –Homes –Cell phones, PDAs  Tomorrow: –Everywhere  Hotels  Airports  Conference centers  “Gas stations on the Information Superhighway”

3 Realm Specific IP page 3 The Expansion of the Edge has Accelerated the IP Address Shortage  About 4 billion total, but... –Heavy allocation to North America and Europe –Many unused (old Class A blocks) –Limited by routing architecture (prefixes, CIDR) –Conservative allocation policies  Typically must demonstrate both need and usage  Heterogeneity implies that address space usage count is intractable! –Perhaps as many as 50% unallocated –Given current growth trends, these wouldn’t last long on the open market

4 Realm Specific IP page 4 The Solution So Far… Network Address Translation (NAT)  Multiple hosts share one address –NAT router re-writes packet headers to same public IP –Application proxies for protocols that transmit addresses and ports  On the down side... –Difficult to maintain and manage –Breaks IPSEC -> no VPNs –Doesn’t work well with many next-generation protocols  mobile IP, multicast, RSVP, etc.  Nonetheless, very widespread deployment

5 Realm Specific IP page 5 NAT in a Nutshell 10.0.0.4 10.0.0.1149.112.240.55 NAT Router

6 Realm Specific IP page 6 NAT Needs ALGs for Address and Port Content in the Payload FTP control packet from private host arriving at NAT router Figure out protocol, look into packet, translate addresses and ports, change TCP sequence number, maintain running delta for lifetime of connection…yuck! Source IP address (10.0.0.4) Destination IP address (192.156.136.22) Destination TCP port (21) Source TCP port (1025) Payload (IP = 10.0.0.4, Port = 1026) IP Header TCP Header

7 Realm Specific IP page 7 Realm Specific IP (RSIP)  RSIP goals –Alternative to NAT on same network architecture –less computation at router –No need for ALGs –IPSEC integration possible  Use header tuples (e.g., ports, SPIs) to extend IP address space –IP addresses and tuples from the public routing realm are leased by private hosts –Assignments are made such that incoming packets can always be demultiplexed properly

8 Realm Specific IP page 8 RSIP in a Nutshell 10.0.0.4 10.0.0.1149.112.240.55 RSIP Router Local SRC IP 192.156.136.221192 DST IPAssigned PortDST Port 10.0.0.480 Assigned IP 149.112.240.55

9 Realm Specific IP page 9 RSIP vs. NAT  Similarities –Demultiplex on tuples (e.g., addresses, port numbers) –Mapping kept by server/router  Differences –NAT: Router modifies packets, host oblivious –RSIP: Host asks router how to make packets “Internet ready” –NAT: No modifications to host, protocol support in router –RSIP: Host modified but no protocol support required in router

10 Realm Specific IP page 10 RSIP Protocol  Lightweight negotiation between RSIP servers and hosts of arbitrary parameters –“Network” and “control” resources –Vendor-specific parameters –Error reporting –Transport agnostic  may be TCP or UDP (we use port 4455)  Message and parameter formats allow extensibility beyond our specification –E.g., IPSEC SPIs, ISAKMP cookies, PPTP call IDs, etc.

11 Realm Specific IP page 11 Registration 10.0.0.4 10.0.0.1149.112.240.55 RSIP Server REGISTRATION_REQUEST REGISTRATION_RESPONSE (client ID = 2, flow policy = local micro, remote macro)

12 Realm Specific IP page 12 Assignment 10.0.0.4 10.0.0.1149.112.240.55 RSIP Server ASSIGN_REQUEST_RSAP-IP (client ID = 2, local addr = X, local port = X, remote addr = 128.153.4.3, remote port = X) ASSIGN_RESPONSE_RSAP-IP (client ID = 2, bind ID = 1, local addr = 149.112.240.55, local port = 12345, remote addr = 128.153.4.3, remote port = X, lease = 3600, tunnel = IPIP)

13 Realm Specific IP page 13 IPSEC  Two related, but independent modules: –Secure encapsulation and transport (ESP, AH)  Rather straightforward –Secure key exchange (IKE, ISAKMP, OAKLEY)  Rather complicated

14 Realm Specific IP page 14 IPSEC Encapsulation and Transport

15 Realm Specific IP page 15 RSIP with IPSEC  ESP encrypts all ports: can’t use them to demultiplex! –Use SPI instead –Additional negotiation: ASSIGN_REQUEST_RSIPSEC  IPSEC client module must: –Use ephemeral IKE source port  Otherwise I-Cookie routing necessary - more negotiation  Using default IKE port may cause rekeying problems –Acquire SPI values from RSIP module

16 Realm Specific IP page 16 Remote Access from Airport Kiosk Internet Airport LAN NAT Router Corporate Network Mobile Client

17 Realm Specific IP page 17 Secure VPN Enabled by RSIP Internet Airport LAN RSIP Router Corporate Network Mobile Client w/ RSIP Secure Virtual Tunnel

18 Realm Specific IP page 18 RSIP and IPv6?  Part of a dual-stack transition mechanism?

19 Realm Specific IP page 19 Current Status in the IETF  draft-ietf-nat-rsip-protocol-06.txt  draft-ietf-nat-rsip-framework-04.txt  draft-ietf-nat-rsip-ipsec-03.txt  draft-ietf-nat-rsip-slp-00.txt  draft-ietf-dhc-nextserver-02.txt

Download ppt "RSIP Address Sharing with End-to-End Security Mike Borella, 3Com Corp. Gabriel Montenegro, Sun Microsystems March 2000."

Similar presentations

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.

IP Security have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS however there are security concerns that.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukIPsec – AH & ESP1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.

1 Chapter 2: Networking Protocol Design Designs That Include TCP/IP Essential TCP/IP Design Concepts TCP/IP Data Protection TCP/IP Optimization.
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Agenda Virtual Private Networks (VPNs) Motivation and Basics Deployment Topologies IPSEC (IP Security) Authentication Header (AH) Encapsulating Security.

Agenda Virtual Private Networks (VPNs) Motivation and Basics Deployment Topologies IPSEC (IP Security) Authentication Header (AH) Encapsulating Security.
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.

1 Lecture 15: IPsec AH and ESP IPsec introduction: uses and modes IPsec concepts –security association –security policy database IPsec headers –authentication.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
COS 420 Day 20. Agenda Group Project Discussion Protocol Definition Due April 12 Paperwork Due April 29 Assignment 3 Due Assignment 4 is posted Last Assignment.

COS 420 Day 20. Agenda Group Project Discussion Protocol Definition Due April 12 Paperwork Due April 29 Assignment 3 Due Assignment 4 is posted Last Assignment.
Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.

Chapter 6 IP Security. Outline Internetworking and Internet Protocols (Appendix 6A) IP Security Overview IP Security Architecture Authentication Header.
VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.

VPN – Technologies and Solutions CS158B Network Management April 11, 2005 Alvin Tsang Eyob Solomon Wayne Tsui.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Similar presentations

Ads by Google