Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.
McGraw-Hill Technology Education
Lecture 9
Advanced Topics in Networking
Host Mobility, IP and DNS Security
Host Mobility
Varying Degrees of User Mobility
• Moves only within same access network
  – Single access point: mobility is irrelevant
  – Multiple access points: only link-layer changes
  – Either way, user is not mobile at the network layer
• Shuts down between changes of access networks
  – Host gets new IP address at the new access network
  – No need to support any ongoing transfers
  – Applications have become good at supporting this
• Maintains connections while changing networks
  – Surfing the ’net while driving in a car or flying a plane
  – Need to ensure traffic continues to reach the host
Maintaining Ongoing Transfers
• Seamless transmission to a mobile host
E.g., Keep Track of Friends on the Move
• Sending a letter to a friend who moves often
  – How do you know where to reach him?
• Option #1: have him update you
  – Friend contacts you on each move
  – So you can mail him directly
  – E.g., Boeing Connexion service
• Option #2: ask his parents when needed
  – Parents serve as “permanent address”
  – So they can forward your letter to him
  – E.g., Mobile IP
Option #1: Let Routing Protocol Handle It
• Mobile node has a single, persistent address
• Address injected into routing protocol (e.g., OSPF)
[Figure: networks A (12.34.45.0/24) and B (12.34.45.7/32); mobile host with IP address 12.34.45.7]
Example: Boeing Connexion Service
• Boeing Connexion service
  – Mobile Internet access provider
  – WiFi “hot spot” at 35,000 feet moving 600 mph
  – Went out of business in December 2006…
• Communication technology
  – Antenna on the plane to leased satellite transponders
  – Ground stations serve as Internet gateways
• Using BGP for mobility
  – IP address block per airplane
  – Ground station advertises into BGP
  – http://www.nanog.org/mtg-0405/abarbanel.html
[Figure: Example: Boeing Connexion Service, airplane address block 12.78.3.0/24 advertised into the Internet]
Summary: Letting Routing Handle It
• Advantages
  – No changes to the end host
  – Traffic follows an efficient path to new location
• Disadvantages
  – Does not scale to large number of mobile hosts
    • Large number of routing-protocol messages
    • Larger routing tables to store smaller address blocks
• Alternative
  – Mobile IP
Option #2: Home Network and Home Agent
• Home network: permanent “home” of mobile (e.g., 128.119.40/24)
• Permanent address: address in home network, can always be used to reach mobile (e.g., 128.119.40.186)
• Home agent: entity that will perform mobility functions on behalf of mobile, when mobile is remote
• Correspondent: wants to communicate with mobile
[Figure: home network and correspondent connected across a wide area network]
Visited Network and Care-of Address
• Care-of address: address in visited network (e.g., 79.129.13.2)
• Visited network: network in which mobile currently resides (e.g., 79.129.13/24)
• Permanent address: remains constant (e.g., 128.119.40.186)
• Home agent: entity in visited network that performs mobility functions on behalf of mobile
• Correspondent: wants to communicate with mobile
[Figure: home network, visited network and correspondent connected across a wide area network]
Mobility: Registration
• Foreign agent knows about mobile
• Home agent knows location of mobile
[Figure: home network and visited network across a wide area network]
1. Mobile contacts foreign agent on entering visited network
2. Foreign agent contacts home agent: “this mobile is resident in my network”
Mobility via Indirect Routing
[Figure: correspondent, home network and visited network across a wide area network]
1. Correspondent addresses packets using home address of mobile
2. Home agent intercepts packets, forwards to foreign agent
3. Foreign agent receives packets, forwards to mobile
4. Mobile replies directly to correspondent
Indirect Routing: Efficiency Issues
• Mobile uses two addresses
  – Permanent address: used by correspondent (making mobile’s location transparent to correspondent)
  – Care-of address: used by the home agent to forward datagram to the mobile
• Mobile may perform the foreign agent functions
• Triangle routing is inefficient
  – E.g., correspondent and mobile in the same network
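Added example (not from the slides): the home agent's side of indirect routing in Go. After registration it holds the mobile's care-of address; a datagram sent to the permanent address is then tunneled inside an outer IP header toward the care-of address (IP-in-IP encapsulation, the default Mobile IP tunnel). The slides' permanent address 128.119.40.186 and care-of address 79.129.13.2 are the intended inputs; the home agent's own address is an assumption the caller supplies.

```go
package main

import (
	"encoding/binary"
	"net"
)

// ipv4Header builds a minimal 20-byte IPv4 header (no options) with a valid
// header checksum; proto is the protocol number of what follows the header.
func ipv4Header(src, dst net.IP, proto byte, payloadLen int) []byte {
	h := make([]byte, 20)
	h[0] = 0x45 // version 4, header length 5 words
	binary.BigEndian.PutUint16(h[2:], uint16(20+payloadLen))
	h[8], h[9] = 64, proto // TTL, protocol
	copy(h[12:16], src.To4())
	copy(h[16:20], dst.To4())
	binary.BigEndian.PutUint16(h[10:], checksum(h))
	return h
}

// checksum is the ones'-complement sum over the header; it evaluates to 0
// for a header whose checksum field is already filled in correctly.
func checksum(b []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(b); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(b[i:]))
	}
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	return ^uint16(sum)
}

// HomeAgent keeps the registration binding: permanent address -> care-of address.
type HomeAgent struct {
	Addr     net.IP // the home agent's own address, used as outer source
	Bindings map[string]net.IP
}

// Intercept is step 2 of indirect routing: a datagram (assumed well-formed
// IPv4) for the mobile's permanent address is wrapped in an outer IPv4 header
// (protocol 4, IP-in-IP) addressed to the care-of address, inner unchanged.
func (ha *HomeAgent) Intercept(datagram []byte) ([]byte, bool) {
	coa, ok := ha.Bindings[net.IP(datagram[16:20]).String()]
	if !ok {
		return datagram, false // no binding: mobile is at home, deliver as-is
	}
	outer := ipv4Header(ha.Addr, coa, 4, len(datagram))
	return append(outer, datagram...), true
}
```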
Mobility via Direct Routing
[Figure: correspondent, home network and visited network across a wide area network]
1. Correspondent requests, receives foreign address of mobile
2. Correspondent forwards to foreign agent
3. Foreign agent receives packets, forwards to mobile
4. Mobile replies directly to correspondent
No longer transparent to the correspondent
Mobility Today
• Limited support for mobility
  – E.g., among base stations on a campus
• Applications increasingly robust under mobility
  – Robust to changes in IP address, and disconnections
  – E.g., e-mail client contacting the e-mail server
  – … and allowing reading/writing while disconnected
  – New Google Gears for offline Web applications
• Increasing demand for seamless IP mobility
  – E.g., continue a VoIP call while on the train
• Increasing integration of WiFi and cellular
  – E.g., dual-mode cell phones that can use both networks
  – Called Unlicensed Mobile Access (UMA)
Impact on Higher-Layer Protocols
• Wireless and mobility change path properties
  – Wireless: higher packet loss, not from congestion
  – Mobility: transient disruptions, and changes in RTT
• Logically, impact should be minimal …
  – Best-effort service model remains unchanged
  – TCP and UDP can (and do) run over wireless, mobile
• But, performance definitely is affected
  – TCP treats packet loss as a sign of congestion
  – TCP tries to estimate the RTT to drive retransmissions
  – TCP does not perform well under out-of-order packets
• Internet not designed with these issues in mind
Conclusions
• Wireless
  – Already a major way people connect to the Internet
  – Gradually becoming more than just an access network
• Mobility
  – Today’s users tolerate disruptions as they move
  – … and applications try to hide the effects
  – Tomorrow’s users expect seamless mobility
• Challenges the design of network protocols
  – Wireless breaks the abstraction of a link, and the assumption that packet loss implies congestion
  – Mobility breaks association of address and location
  – Higher-layer protocols don’t perform as well
IP Security
IP Security
• There is a range of application-specific security mechanisms
  – e.g., S/MIME, PGP, Kerberos, SSL/HTTPS
• However, there are security concerns that cut across protocol layers
• Implement security in the network, for all applications?
Enter IPSec!
IPSec
• General IP security mechanisms
• Provides
  – authentication
  – confidentiality
  – key management
• Applicable to use over LANs, across public & private WANs, and for the Internet
IPSec Uses
[Figure only]
Benefits of IPSec
• If in a firewall/router:
  – Provides strong security to all traffic crossing the perimeter
  – Resistant to bypass
• Is below transport layer, hence transparent to applications
• Can be transparent to end users
• Can provide security for individual users
• Secures routing architecture
IP Security Architecture
• Specification is quite complex
• Defined in numerous RFCs
  – Incl. RFC 2401 / 2402 / 2406 / 2408
• Mandatory in IPv6, optional in IPv4
• Has two security header extensions:
  – Authentication Header (AH)
  – Encapsulating Security Payload (ESP)
IPSec Services
• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
  – A form of partial sequence integrity via sequence numbers
  – But not as robust as if on top of TCP
• Confidentiality (encryption)
• Limited traffic flow confidentiality
Transport vs. Tunnel Mode ESP
• Transport mode is used to encrypt & optionally authenticate IP data
  – Data protected but header left in clear
  – Can do traffic analysis but is efficient
  – Good for host-to-host traffic
• Tunnel mode encrypts entire IP packet
  – Add new header for next hop
  – Good for VPNs, gateway-to-gateway security
LAB (Establishing VPN)
[Seven slides of screenshots, no transcript text]
DNS Security
Source: http://nsrc.org/tutorials/2009/apricot/dnssec/dnssec-tutorial.pdf
Root level DNS attacks
• Feb. 6, 2007:
  – Botnet attack on the 13 Internet DNS root servers
  – Lasted 2.5 hours
  – None crashed, but two performed badly:
    • g-root (DoD), l-root (ICANN)
    • Most other root servers use anycast
Do you trust the TLD operators?
• Wildcard DNS record for all .com and .net domain names not yet registered by others
  – September 15 – October 4, 2003
  – February 2004: Verisign sues ICANN
• Redirection for these domain names to Verisign web portal: “to help you search”
  – and serve you ads… and get “sponsored” search
Defense: Replication and Caching
source: wikipedia
![Page 39: Lecture 9](https://reader035.vdocuments.us/reader035/viewer/2022062519/5681518b550346895dbfc4f5/html5/thumbnails/39.jpg)
DNS Amplification Attack
• 580,000 open resolvers on Internet (Kaminsky-Shiffman ’06)
[Figure: DoS source sends a DNS query (60 bytes) to a DNS server with source IP set to the DoS target; the EDNS response (3000 bytes) goes to the DoS target. DNS amplification attack: 40× amplification]
Solutions
[Figure: attacker sends IP-spoofed packets to open amplifiers, whose replies go to the victim]
• Prevent IP spoofing
• Disable open amplifiers
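Added example, not from the slides: a resolver-side audit in Go for the two fixes on the “Solutions” slide. It replays constructed log records (client, query size, response size), reports clients outside the served prefixes (answering them is what makes a resolver an open amplifier) and flags served clients whose response/query byte ratio is high enough to make the resolver useful as an amplifier toward a spoofed victim. The prefix list and the ratio threshold are assumptions supplied by the caller.

```go
package main

import "net"

// Record is one constructed resolver log entry: client, query and response size.
type Record struct {
	Client   string
	QueryLen int
	RespLen  int
}

// Finding flags a client matching one of the two problems on the "Solutions"
// slide: recursion offered to anyone (an open amplifier) or high amplification.
type Finding struct {
	Ratio  float64 // response bytes / query bytes for this client
	Reason string
}

// Audit checks resolver traffic from the operator's side: clients outside the
// served prefixes should never get recursive answers, and served clients whose
// byte ratio exceeds maxRatio are candidates for response rate limiting, since
// their source address may well be a spoofed victim. Keyed by client IP.
func Audit(prefixes []string, recs []Record, maxRatio float64) map[string]Finding {
	var nets []*net.IPNet
	for _, s := range prefixes {
		if _, n, err := net.ParseCIDR(s); err == nil {
			nets = append(nets, n)
		}
	}
	qbytes, rbytes := map[string]int{}, map[string]int{}
	for _, r := range recs {
		qbytes[r.Client] += r.QueryLen
		rbytes[r.Client] += r.RespLen
	}
	out := map[string]Finding{}
	for client, q := range qbytes {
		ratio, served := float64(rbytes[client])/float64(q), false
		for _, n := range nets {
			served = served || n.Contains(net.ParseIP(client))
		}
		switch {
		case !served:
			out[client] = Finding{ratio, "recursion for unserved client (open resolver)"}
		case ratio > maxRatio:
			out[client] = Finding{ratio, "amplification ratio above threshold"}
		}
	}
	return out
}
```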
But should we believe it? Enter DNSSEC
• DNSSEC protects against data spoofing and corruption
• DNSSEC also provides mechanisms to authenticate servers and requests
• DNSSEC provides mechanisms to establish authenticity and integrity
PK-DNSSEC (Public Key)
• The DNS servers sign the hash of a resource record set with their private (signature) keys
• Public keys can be used to verify the SIGs
• Leverages hierarchy:
  – Authenticity of a nameserver’s public keys is established by a signature over the keys by the parent’s private key
  – In the ideal case, only the root’s public keys need to be distributed out-of-band
Verifying the tree
[Figure: stub resolver asks the resolver “www.cnn.com ?”; the resolver walks the tree]
1. Resolver asks . (root): www.cnn.com A ? Reply: ask .com server, SIG (IP addr and PK of .com server)
2. Resolver asks .com: www.cnn.com A ? Reply: ask cnn.com server, SIG (IP addr and PK of cnn.com server)
3. Resolver asks cnn.com: www.cnn.com A ? Reply: xxx.xxx.xxx.xxx, SIG (xxx.xxx.xxx.xxx)
4. Resolver adds the answer to its cache and returns xxx.xxx.xxx.xxx to the stub resolver
[Figure: transaction signatures between src.cs.biit.edu.pk, dns.cs.biit.edu.pk and slave servers]
Summary
• Network security and definitions
• Securing IP communication and DNS lookup
Assignment
• Write notes on the words highlighted in Green in this lecture
• Quiz on the highlighted words in the next class!
DNS Tools Lab (nslookup)
• nslookup
• dig
• Using zoneedit.com
The End
Questions?