CSCI 6433 Internet Protocols, Class 8. David C. Roberts. Topics: Mobile IP, Virtual Private Networks. PowerPoint presentation.
CSCI 6433 Internet Protocols
Class 8
Dave Roberts
Topics
• Mobile IP
• IPSec
• Virtual Private Networks
Mobile IP
• IP was not designed with hand-held or book-sized mobile computers in mind
• Mobile IP has its limitations in today’s world, where an IP address is tied to a network address, which in turn is tied to a geographic location
• However, Mobile IP does illustrate the basics of dealing with a roving host
Mobile IP
Allows portable computers to move from one network to another.
Hosts move from one network to another, not in the original design of IP!
Without Mobile IP, either:
• Host address must change, or
• Routers must send a host-specific route across the entire Internet
General Characteristics of Mobile IP
• Transparency—mobility is transparent to applications and transport layer protocols; routers are not involved in the change.
• Interoperability—a mobile IPv4 host can interoperate with stationary and mobile hosts using IPv4, and a mobile IPv6 host can interoperate with stationary and mobile IPv6 hosts
• Scalability—scales to large internets
• Security—authentication for all messages
• Macro mobility—focuses on long-duration moves, rather than roving as in a cellular phone system
Overview of Mobile IPv4
• Host can have primary and secondary address
• Primary is obtained at “home” location, permanent and fixed
• Secondary obtained after a move. Sent to agent (router) at home.
• Agent intercepts datagrams, encapsulates in IP datagrams, sends to secondary address.
• Mobile host deregisters when returning home, notifies agent of new address after another move
Mobile IPv4 Addressing
• Home address—conventional IP address
• Temporary address is called care-of address
• Two forms of care-of address:
  • Co-located: mobile host does forwarding
  • Foreign: foreign agent (router) on network being visited assigns care-of address, handles forwarding
• A home agent (HA) stores information about mobile nodes whose permanent home address is in the home agent's network.
• The HA acts as a router on a mobile host's (MH) home network which tunnels datagrams for delivery to the MH when it is away from home, maintains a location directory (LD) for the MH.
• A foreign agent (FA) stores information about mobile nodes visiting its network. Foreign agents also advertise care-of addresses, which are used by Mobile IP. If there is no foreign agent in the host network, the mobile device has to take care of getting an address and advertising that address by its own means.
• The FA acts as a router on a MH’s visited network which provides routing services to the MH while registered. FA detunnels and delivers datagrams to the MH that were tunneled by the MH’s HA
Operation of Mobile IP
Mobile IP
• Mobile node finds an agent on its local network through the agent discovery process. Listens for agent advertisement messages, or can ask for one with agent solicitation
• Mobile node determines from the message whether it is at its home network
• If device has moved to foreign network, it obtains a (local) care-of address. Used to forward datagrams
• Mobile node tells home agent at home network by registering with the home network
• Home agent captures datagrams for the mobile node and forwards them
IPv4 Foreign Agent Discovery
ICMP router discovery mechanism used to discover a foreign agent.
IPv4 Agent Registration
IPv6 Mobility
• No use of foreign agent or care-of addresses. Instead, IPv6 mobile host uses co-located care-of address
• Host can have a home address and co-located care-of address at once
• IPv6 does not depend on link-layer forwarding
• IPv6 routing extension header makes forwarding more efficient than for IPv4
• IPv6 mobile host does not need foreign agent
IPv6 Datagram Transmission
• IPv6 mobile host informs home agent before communicating with a destination
• Host includes a mobility header in sent datagram
• Destination can then communicate with home agent, find mobile’s current address, and send directly
Assessment of Mobile IP
• Designed for devices with static IP configuration—not practical with dynamic IP address assignment
• Retaining an IP address is less important than it was, due to dynamic IP address assignment
• Not practical for devices that move frequently—too much setup and teardown
• VPN allows remote device to have home address and have full access to its home network
Summary
• Mobile IP allows a computer to move from one network to another without changing its IP address
• Mobile either obtains a co-located care-of address or discovers a foreign mobility agent and requests a care-of address.
• Once registered, mobile can communicate with an arbitrary computer on the Internet.
• Datagrams from mobile go directly to destination
• Return datagrams go through mobile’s home agent
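The registration, interception and tunneling flow described in the operation slide and summarized here, as an added example that is not part of the slides: a constructed home agent, foreign agent and mobile host exchange Python objects in place of real packets, and the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are assumptions (documentation ranges).

```python
from dataclasses import dataclass

IPPROTO_IPIP = 4   # IP-in-IP encapsulation, the tunnel the home agent builds

@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    proto: int
    payload: object   # bytes, or the inner Datagram when proto == IPPROTO_IPIP

class HomeAgent:
    """Router on the home network; keeps the location directory (LD)."""
    def __init__(self, address):
        self.address = address
        self.ld = {}  # home address -> care-of address, filled by registration

    def register(self, home_addr, care_of):
        self.ld[home_addr] = care_of      # mobile registered from a foreign network

    def deregister(self, home_addr):
        self.ld.pop(home_addr, None)      # mobile returned home

    def forward(self, d):
        """Intercept traffic for an away mobile and tunnel it to its care-of address."""
        care_of = self.ld.get(d.dst)
        if care_of is None:
            return d                      # at home: ordinary delivery on the home network
        return Datagram(self.address, care_of, IPPROTO_IPIP, d)  # outer header added

class ForeignAgent:
    """Router on the visited network that owns the foreign care-of address."""
    def __init__(self, care_of):
        self.care_of = care_of

    def detunnel(self, d):
        if d.dst != self.care_of or d.proto != IPPROTO_IPIP:
            raise ValueError("not a datagram tunneled to this agent")
        return d.payload                  # inner datagram, still addressed to the home address

def round_trip(ha, fa, mobile_home, correspondent):
    """Mobile away from home: it sends directly, but replies come back via the HA."""
    outbound = Datagram(mobile_home, correspondent, 6, b"request")   # no tunnel needed
    reply = Datagram(correspondent, mobile_home, 6, b"reply")        # routed to home net
    tunneled = ha.forward(reply)          # HA intercepts and encapsulates
    delivered = fa.detunnel(tunneled)     # FA strips outer header, delivers to mobile
    return outbound, tunneled, delivered
```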
IPSec
• IPSec provides security services at the IP layer for other Internet protocols to use
What’s Needed for A Secure Path
• Mutually agreed security protocols
• Mutually agreed specific encryption algorithm
• Exchange of keys
IPSec Protocols and Components
Authentication Header
• The AH allows for the contents of the datagram to be authenticated
• It contains an integrity check value (a keyed checksum), computed using a secret key agreed between the sender and recipient
• The check value is added by the sender and used by the recipient to validate the contents
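An added illustration of that keyed check value (not code from the slides): an AH-protected IPv4 datagram using HMAC-SHA-256-128 as the integrity algorithm, with the mutable IPv4 fields zeroed as RFC 4302 requires. The IP header checksum is left zero for brevity and the addresses are constructed; the last two helpers show why a router's TTL decrement leaves the ICV valid while a NAT's address rewrite does not.

```python
import hmac, hashlib, socket, struct

IPPROTO_AH = 51
ICV_LEN = 16          # HMAC-SHA-256-128: 256-bit tag truncated to 128 bits (RFC 4868)

def ipv4_header(src, dst, proto, total_len, ttl=64):
    # Simplified header: DF flag set, ID fixed, header checksum left 0 (constructed)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def _immutable_view(ip_hdr):
    # Zero the fields routers may change in transit: TOS, flags/fragment offset,
    # TTL and header checksum (RFC 4302 section 3.3.3.1). Addresses stay in the hash.
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return bytes(h)

def _icv(key, ip_hdr, ah_fixed, payload):
    # The ICV field itself counts as zero while the ICV is being computed
    data = _immutable_view(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

def ah_protect(key, src, dst, spi, seq, payload, next_header=6):
    ah_len = 12 + ICV_LEN
    ip_hdr = ipv4_header(src, dst, IPPROTO_AH, 20 + ah_len + len(payload))
    # Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence Number
    ah_fixed = struct.pack("!BBHII", next_header, ah_len // 4 - 2, 0, spi, seq)
    return ip_hdr + ah_fixed + _icv(key, ip_hdr, ah_fixed, payload) + payload

def ah_verify(key, datagram):
    ip_hdr, ah_fixed = datagram[:20], datagram[20:32]
    icv, payload = datagram[32:32 + ICV_LEN], datagram[32 + ICV_LEN:]
    return hmac.compare_digest(icv, _icv(key, ip_hdr, ah_fixed, payload))

def decrement_ttl(datagram):
    # What every router on the path does: TTL is mutable, so the ICV still verifies
    b = bytearray(datagram); b[8] -= 1
    return bytes(b)

def rewrite_src(datagram, new_src):
    # What a NAT does: the source address is immutable under AH, so the ICV fails
    return datagram[:12] + socket.inet_aton(new_src) + datagram[16:]
```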
Authentication Header
Encapsulation Security Payload
• ESP protects from intermediate devices examining the contents of the datagram
• Header is placed before encrypted data
• Trailer is placed after encrypted data
• Authentication data is used to check integrity, similarly to the AH protocol; for ESP, authentication is an optional feature applied after encryption
ESP Payload
Internet Key Exchange
• A new security association involves a key exchange
• The following is established:
  • Encryption algorithm to be used
  • Hash algorithm
  • Authentication method
  • Diffie-Hellman group
IPSec Implementation Methods
• End host implementation: implementing in hosts provides “end to end” security
• Router implementation: implement in pairs of routers, provides security between routers
IPSec Architectures
• Built in to IP
• Inserted into the stack: “bump in the stack”
• In device connected to the router: “bump in the wire”
Built In to IP
• Integrated: change IP stack to include IPSec
• Requires extensive software changes for IPv4.
• IPv6 is designed to include IPSec.
“Bump in The Stack”
• Bump in the stack (BITS): IPSec is a layer between IP and the data link layer. IPSec intercepts datagrams and passes them to the data link layer.
“Bump in The Wire”
Bump in the wire (BITW): Add a hardware device between two communicating routers
IPSec Modes
• Transport mode: IPSec protects the message passed to IP from the transport layer. AH and ESP headers are added as the IP datagram is created.
• Tunnel mode: IPSec protects complete encapsulated IP datagram after IP header is applied. IP datagram is created normally, then AH and ESP headers are added. Usually associated with “bump in the stack” and “bump in the wire” implementations
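Added example (not from the slides) of the ESP layout from the Encapsulation Security Payload slide, with the mode decided by what goes into the payload: in transport mode a transport segment with Next Header 6, in tunnel mode a whole inner IP datagram with Next Header 4, so the inner addresses are encrypted too. The keystream PRF is a stand-in for a cipher negotiated by IKE such as AES, the ICV is HMAC-SHA-256-128, and keys and sample payloads are constructed.

```python
import hashlib, hmac, os, struct

IPPROTO_IPIP, IPPROTO_TCP = 4, 6     # Next Header values: tunnel mode vs transport mode
IV_LEN, ICV_LEN = 8, 16

def _keystream(key, iv, n):
    # Stand-in cipher: HMAC-SHA256 run in counter mode as a PRF. A real SA would use
    # the encryption algorithm negotiated by IKE (e.g. AES); the ESP framing is unchanged.
    blocks = (hmac.new(key, iv + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def esp_encapsulate(k_enc, k_auth, spi, seq, inner, next_header, iv=None):
    """ESP header (SPI, Seq) + IV + ciphertext + ICV. The trailer (padding, Pad
    Length, Next Header) sits inside the ciphertext; the ICV covers everything else."""
    iv = iv if iv is not None else os.urandom(IV_LEN)
    pad_len = (-(len(inner) + 2)) % 4                 # trailer ends on a 32-bit boundary
    padding = bytes(range(1, pad_len + 1))            # RFC 4303 default pad pattern
    plaintext = inner + padding + bytes([pad_len, next_header])
    ct = _xor(plaintext, _keystream(k_enc, iv, len(plaintext)))
    body = struct.pack("!II", spi, seq) + iv + ct
    icv = hmac.new(k_auth, body, hashlib.sha256).digest()[:ICV_LEN]   # encrypt-then-MAC
    return body + icv

def esp_decapsulate(k_enc, k_auth, packet):
    """Verify the ICV before touching the ciphertext, then strip the trailer."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(k_auth, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed")
    spi, seq = struct.unpack("!II", body[:8])
    iv, ct = body[8:8 + IV_LEN], body[8 + IV_LEN:]
    pt = _xor(ct, _keystream(k_enc, iv, len(ct)))
    pad_len, next_header = pt[-2], pt[-1]
    return spi, seq, next_header, pt[:len(pt) - 2 - pad_len]

def is_accepted(k_enc, k_auth, packet):
    try:
        esp_decapsulate(k_enc, k_auth, packet)
        return True
    except ValueError:
        return False
```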
IPSec Transport Mode
IPSec Tunnel Mode
Summary
• IPSec protects against observation and change of transmitted data by intermediate hosts
• IPSec requires setup between communicating hosts to establish security associations
VPN
• Extends a private network across a public network such as the Internet
• Enables user to send and receive data across shared networks as if the hosts were directly connected to the private network
• VPN is created by establishing virtual point-to-point connections, typically using virtual tunneling protocols, with or without traffic encryption
Virtual Private Networks (VPN)
Suppose we want to:
• Allow external connections
• Keep internal datagrams private
• We can use VPN to build a private internet, not connected to the public Internet
• Or we can use VPN to build a private network, and connect each site to the Internet also (hybrid network)
IPSec for VPNs
• IPSec can be used to provide a VPN
• If IPSec is implemented in tunnel mode, it protects the addresses as well as the contents of datagrams
• If IPSec is implemented using the “bump in the stack” architecture, then the security parameters can be used to implement a VPN using IPSec
VPN Example
Source: Wikipedia
Virtual Private Network
Virtual Private Network
VPN Addressing
VPN with Private Addresses
VPN Services
• Today a great variety of VPN services are offered
• One service lets you use an IP address associated with a different location so that your messages appear to come from somewhere other than your location
• Another lets you use a constant IP address even though your ISP may use dynamic IP addressing or you might have a NAT router
Summary
• VPN—less costly alternative to private connection between networks