IETF Working Group - PowerPoint PPT Presentation

About This Presentation

Title:

IETF Working Group

Description:

– PowerPoint PPT presentation

Number of Views:29

Avg rating:3.0/5.0

Slides: 28

Provided by: oneo152

Learn more at: http://employees.oneonta.edu

Category:

more less

Transcript and Presenter's Notes

Title: IETF Working Group

1
IETF Working Group
CSCI 344 Spring 1998
Presentation
ltChinni K. Chimmirigt ltMOBILEIPgt
2
General Description

This group develops or adopts architectures and
protocols to support mobility inside the
Internet.
General Discussion
mobile-ip_at_smallworks.com
To Subscribe
majordomo_at_smallworks.com
Archive
ftp//ftp.smallworks.com/mobile-ip.archive

3
Near-Term goals

Establish protocols for supporting transparent
host roaming among different subnetworks and
different media.
Be consistent with new and/or revised protocols
at (inter)network layer.
Propose modifications to higher-layer protocols
if needed.

4
Long-Term Goals

Address different types of mobility
Mobile subnets
a traveling circus
Mobile clusters of subnets
a traveling circus with a collection of subnets

5
Current Draft Topics

Route Optimization
Mobility support for IP
Tunneling
Firewall/security support for Mobile IP
Roaming

6
Internet Draft

Fire Wall Support for Mobile IP
Allowing a mobile node on a public sector of
Internet to negotiate access past a SKIP firewall
and construct a secure channel into its home
private network.
A mobile node can be established via local ISP or
a LAN network.
Mobility without a firewall
obtain an address
Will use a co-located address instead of using a
separate foreign agents care-of address.

Restrictions imposed by a Firewall
Firewalls imposes restriction on packets entering
or leaving the private network.
The packet must conform to a filtering
specification or some form of authentication to
go through the firewall.
All packets coming into the private network form
the general Internet must be targeted to firewall
if you seek entry.
Two types of firewall available
SOCKS
the mobile node establishes a TCP session
with the FW.
Uses its library to encapsulates the traffic
meant for the FW.
The steps required to accomplish this
TCP connection established to port.
Version identified/method selection negotiation.
Method-dependent negotiation.

SOCKS - Continued
Establish authenticated connections
Cant encrypt the traffic
Disadvantage is that each step makes a number
of round trips.
SKIP
A session-less IP security mechanism that
encrypts and authenticates the traffics from
the mobile node to the firewall.
Steps
FW can relay messages for mobile node as soon as
it receives the first one.
It has an authentication information (AH) in
each packet.
(ESP) Encryption that provides both
authentication encryption. In which case AH is
not needed.

SKIP - Continued
Support Nomadic Applications
Uses IP address for security
Skip allows for use of a key id to receive an
appropriate certificate
Key Id - Composed off
Name Space Identifier (NSID)
Masker Key Identifier (MKID)
Another approach for nomadic apps
Use a control list entry
Filter by key id instead of IP.
Incoming packets must have an AH so that the
firewall establishes a current address or
dynamic binding for the nomadic host. Agents
and Mobile Node Config.

Agents and Mobile Node Config
Mobile IP specifies two ways in which a mobile
node can register a mobility binding with a home
agent (HA).
A. An address advertised for this purpose
by the foreign agent (FA).
B. An address belonging to one of the mobile
nodes interfaces.
FW needs to which one is used.
The authors believes B is best solution.
FW need to get the Diffie-Hellman public
component of the node that creates the outermost
SKIP header in an incoming packet. So it needs
to which node created the packet. Can be
guaranteed using B.
If you use A the foreign agent need to examine
the packet and modify it for agent services.
A also requires that you modify code at the HA,
the FW, and the FA.

Secure Channel Configurations
Mobile node participates in two types of traffic
Mobile IP registration protocol and data.
Evaluation of secure channel configs using
initial registration request by mobile nod.
I Encryption only Outside of Private Network.
The traffic is only encrypted between mobile node
out on the general internet and firewall. Only
encrypt on private network if necessary.
II End-to-End Encryption
extends the encrypted tunnel through the FW.
This makes the FW into a relay or a gateway
function.
Authentication not carried out by FW but by the
HA.

III End-to-End Encryption, Intermediate
Auhtentication
FW is the security association between the HA and
the mobile node (MN). After verifying AH, the FW
forwards the (ESP) to the HA.
Skip is used to provide the intermediate
authentication with end-to-end security. This
means that both the HA and MN disclose their
pairwise long-term Diffie-Hellman shared secret.
IV Encryption Inside and Outside
Traffic is encrypted on the public as well as on
the private network.
Public Network encryption between MN and FW.
Private Network encryption between HA and FW.

Mobile IP Registration Procedure with a SKIP
Firewall
MN encapsulates Registration Request in a SKIP
packet destined for FW.
MN distinguishes between inside and outside
addresses. Hard to tell.
Human input might make it easy for MN to
distinguish between them.
HA must also distinguish between inside and
outside addresses.
Cant use human input for help.
MN can inform the HA of the diiffernce by
defining a Traversal Extension to the
Registration Requests and Replies.
Also useful when traversing multiple firewalls.

The MN after arriving at the foreign net and
receiving a care-of address, it must first
initiate a registration procedure.
An authenticated exchange by the MN informs the
HA of its whereabouts.
Then receives an acknowledgement.
This allows the SKIP FW to dynamically configure
its packet filter.
Registration Request through the FW

Registration Request through the FW
MN is at a foreign net.
Realizing that its not at home requests a local
address
Composes a registration request for HA.
Decides if needs to be processed by SKIP or not.
A. The mobile node is using a care-of address
that doesnt belong to the private network, and
B. either
B1. The source address of the packet is the
mobile nodes home address.
B2. The source address of the packet is the
care-of address and the destination address
belongs to the private network.

On the Outside (Public Network)
SKIP module uses the FW destination address and
the FWs certificate in order to address and
encrypt the packet.
Encryption is done using ESP protocol and
possibly the AH protocol.
The SKIP headers source NSID is set equal to 1
to indicate that MKID is the mobile nodes home
address.
On the Inside (Private Network)
The SKIP FWs dynaimc packet filtering uses this
info to establish a dynamic binding between the
care-of-address and the MNs permanent home
address.
The SKIP headers source NSID is set to 0 to
prompt the FW to process the SKIP header and
recover the internal packet and deliver it to
another outbound interface.

Registration Reply through the FW
HA processes the registration request.
Composes a Registration Reply
Examines the care-of address reported by the
mobile node to determine whether or not it
corresponds to an outside address.
If so
HA need to send all traffic through the firewall.
Done by encapsulating the original Registration
Reply in a SKIP packet destined to the FW.

On the Inside (Private Network)
Destination is mobile nodes care-of address
NSID is set to 0 with no MKID for SKIP.
On the Outside (Public Network)
The SKIP FW recovers the original Registration
Reply packet and looks at the destination
address The MNs care-of address.
Forwards the Registration Reply after it is
encrypted with the MNs public component.
The SKIP FWs dynamic packet filtering used the
initial registration request to establish a
dynamic mapping between the care-of address and
the MNs MKID.
This requires that the reply go back through the
same FW.
If MNs permanent address is obtained from the
Registration Reply then this make the FW
stateless allowing you to use any FW.

Traversal Extension
An explicit notification that there are one or
more traversal points between the MN and its HA.
A MN should include one Traversal Extension per
traversal point in its Registration requests.
If present
Their order MUST match the order in which packets
encounter them as they flow from the MN to the
HA.
Note-gt other FWs may be present, but the list
should contain only the FWs where negotiation is
necessary.
HA should include one Traversal Extension per
traversal point in its Registration Replies.
Order in which they are encountered must match.

MN to HA Traversal Address
The IP address of the intermediate system or FW
encountered by datagrams sent by the MN to the
HA. Usually the external address of a FW.
This field must be initialized in Registration
Requests.
In Registration Replies this field is typically
all 0s other the mobile node should interpret it
as a hint.
HA to MN Traversal Address
The IP address of an intermediate system or FW
encountered by datagrams sent by the HA to the
MA. Usually the internal address of a FW.

Data Transfer
almost the same as Registration Requests
Data Packet From the MN to the a Correspondent
Node.
The MN creates a packet destined for the
Correspondent Node (CN) with the private network.
Make sure it matches condition A and B1 of
Registration Requests.
MN requests the proper services of SKIP.
The MN send encrypted message to the FW.
SKIP FW intercepts the packet.
Decrypts and checks the destination address.

The packet is routed into the Private Net.
The MN may need to construct a bi-directional
tunnel with its HA if the packet needs to go
through other FW in the Private Net.
The MN need to use a bi-directional tunnel in the
Public Net.
Data packet from a CN to the MN
The HA intercepts the packet from the CN to the
MN.
Encapsulates it such that the Mobile IP
encapsulating IP headers source and destination
addresses are the home agent and care-of
addresses, respectively.
This will work for delivery within the Private
Net.

Delivery is made thought the FW for the Public
Net.
Encapsulate the datagram in a SKIP packet to the
FW.
On the Outside (Public) Network
The SKIP FW intercepts the packet and recover the
Mobile IP encapsulated datagram.
The Dynamic Packet Filter starts the encryption
of this packt.
The Dynamic Packet Filter is configured by the
original Registration Request.
At the MN SKIP process the packet sent by the FW.

24
Request For Comments

Applicability Statement for IP Mobility Support.
Protocol Overview
Provides an efficient mechanism to allows nodes
to change their location to the Internet without
changing their IP address.
Tunneling
Packet send for Mobile IP are routed to its home
network.
The home network the mobile nodes (MN) home
agent (HA) intercepts the packet and tunnels it
to the MNs most recent care-of address.

Mobile IP protocol define the following
An authenticated registration procedure by which
a MN informs its HA of its care-of address.
An extension to ICMP Router Discovery which
allows mobile nodes to discover prospective home
agents and foreign agents
The rules for routing packets to and from mobile
nodes, including specification of one mandatory
tunneling mechanism and server optional tunneling
mechanisms.
Applicability
Mobile IP is intended to solve node mobility
across changes in IP subnet.
Security
Mobile IP mandates the use of strong
cryptographic authentication for all registration
messages exchanged between MN and its HA.
Due to unavailability of an Internet Key
Management Protocol agent discovery messages are
not required to be authenticated.

All Mobile IP implementations are required to
support, at a minimum, keyed MD5 authentication
with manual key distribution.
Mobile IP defines security mechanisms only for
the registration protocols.
Implementations
Companies that have Mobile IP implemented
CMU
FTP Software
IBM
Motorola
Nokia
SUN
Telxon
Implementation Experience
list of thing that were tested and worked.