
Page 1: Lecture 9

Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved.

McGraw-Hill Technology Education

Lecture 9

Advance Topics in Networking

Host Mobility, IP and DNS Security

Page 2: Lecture 9

Host Mobility


Page 3: Lecture 9

Varying Degrees of User Mobility

• Moves only within the same access network
– Single access point: mobility is irrelevant
– Multiple access points: only the link layer changes
– Either way, the user is not mobile at the network layer

• Shuts down between access networks
– Host gets a new IP address at the new access network
– No need to support any ongoing transfers
– Applications have become good at supporting this

• Maintains connections while changing networks
– Surfing the ’net while driving in a car or flying in a plane
– Need to ensure traffic continues to reach the host


Page 4: Lecture 9

Maintaining Ongoing Transfers

• Seamless transmission to a mobile host

[Figure: nodes A and B; the mobile host moves while the transfer continues]

Page 5: Lecture 9

E.g., Keep Track of Friends on the Move

• Sending a letter to a friend who moves often
– How do you know where to reach him?

• Option #1: have him update you
– Friend contacts you on each move
– So you can mail him directly
– E.g., Boeing Connexion service

• Option #2: ask his parents when needed
– Parents serve as the “permanent address”
– So they can forward your letter to him
– E.g., Mobile IP


Page 6: Lecture 9

Option #1: Let Routing Protocol Handle It

• Mobile node has a single, persistent address

• Address injected into routing protocol (e.g., OSPF)

[Figure: router B advertises 12.34.45.0/24; router A advertises the host route 12.34.45.7/32 for the mobile host with IP address 12.34.45.7]

Page 7: Lecture 9

Example: Boeing Connexion Service

• Boeing Connexion service
– Mobile Internet access provider
– WiFi “hot spot” at 35,000 feet moving 600 mph
– Went out of business in December 2006…

• Communication technology
– Antenna on the plane to leased satellite transponders
– Ground stations serve as Internet gateways

• Using BGP for mobility
– IP address block per airplane
– Ground station advertises it into BGP
– http://www.nanog.org/mtg-0405/abarbanel.html

Page 8: Lecture 9

Example: Boeing Connexion Service

[Figure: the airplane’s address block 12.78.3.0/24 advertised to the Internet through the ground station]

Page 9: Lecture 9

Summary: Letting Routing Handle It

• Advantages
– No changes to the end host
– Traffic follows an efficient path to the new location

• Disadvantages
– Does not scale to a large number of mobile hosts
• Large number of routing-protocol messages
• Larger routing tables to store smaller address blocks

• Alternative
– Mobile IP

Page 10: Lecture 9

Option #2: Home Network and Home Agent

Home network: permanent “home” of the mobile (e.g., 128.119.40/24)

Permanent address: address in the home network, can always be used to reach the mobile (e.g., 128.119.40.186)

Home agent: entity that performs mobility functions on behalf of the mobile when the mobile is remote

Correspondent: wants to communicate with the mobile

[Figure: home network, home agent and correspondent connected across the wide area network]

Page 11: Lecture 9

Visited Network and Care-of Address

Care-of address: address in the visited network (e.g., 79.129.13.2)

Visited network: network in which the mobile currently resides (e.g., 79.129.13/24)

Permanent address: remains constant (e.g., 128.119.40.186)

Foreign agent: entity in the visited network that performs mobility functions on behalf of the mobile (the home agent stays in the home network)

Correspondent: wants to communicate with the mobile

[Figure: home network and visited network connected across the wide area network]

Page 12: Lecture 9

Mobility: Registration

• Foreign agent knows about mobile• Home agent knows location of mobile

[Figure: home network and visited network connected across the wide area network]

1. Mobile contacts the foreign agent on entering the visited network
2. Foreign agent contacts the home agent: “this mobile is resident in my network”

• Registration must be authenticated (Mobile IP carries a mobile-home authentication extension); otherwise anyone able to reach the home agent could register a bogus care-of address and redirect the mobile’s traffic

Page 13: Lecture 9

Mobility via Indirect Routing

[Figure: home network and visited network connected across the wide area network]

1. Correspondent addresses packets using the home address of the mobile
2. Home agent intercepts the packets, forwards (tunnels) them to the foreign agent
3. Foreign agent receives the packets, forwards them to the mobile
4. Mobile replies directly to the correspondent

Page 14: Lecture 9

Indirect Routing: Efficiency Issues

• Mobile uses two addresses
– Permanent address: used by the correspondent (makes the mobile’s location transparent to the correspondent)
– Care-of address: used by the home agent to forward datagrams to the mobile

• Mobile may perform the foreign agent functions itself (co-located care-of address)

• Triangle routing is inefficient
– E.g., correspondent and mobile in the same network: packets still detour through the home agent
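The registration and indirect-routing steps above, simulated end to end. This is an added example, not code from the lecture: the addresses follow the slides (permanent address 128.119.40.186, care-of address 79.129.13.2), while the agent addresses, the `Packet` layout and the HMAC-based registration check (a stand-in for the Mobile IP mobile-home authentication extension) are assumptions.

```python
"""Mobile IP registration and indirect (triangle) routing, simulated in pure Python.
Added example. Permanent/care-of addresses follow the slides; HOME_AGENT,
FOREIGN_AGENT, REG_KEY and the Packet layout are assumptions."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

PERMANENT = "128.119.40.186"
HOME_AGENT = "128.119.40.1"            # assumed address of the home agent
CARE_OF = "79.129.13.2"
FOREIGN_AGENT = "79.129.13.1"          # assumed address of the foreign agent
VISITED_NET = ipaddress.ip_network("79.129.13.0/24")
REG_KEY = b"mobile-home shared secret"  # stand-in for the mobile-home security association


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    inner: Optional["Packet"] = None   # set when IP-in-IP encapsulated


def registration_auth(permanent: str, care_of: str, key: bytes = REG_KEY) -> bytes:
    """Authenticator over the binding (HMAC-SHA256 here; RFC 3344 uses HMAC-MD5)."""
    return hmac.new(key, f"{permanent}|{care_of}".encode(), hashlib.sha256).digest()


class HomeAgent:
    def __init__(self):
        self.bindings = {}             # permanent address -> care-of address

    def register(self, permanent: str, care_of: str, auth: bytes) -> bool:
        """Accept a binding only if the authenticator verifies; an unauthenticated
        registration would let anyone redirect the mobile's traffic."""
        if not hmac.compare_digest(auth, registration_auth(permanent, care_of)):
            return False
        self.bindings[permanent] = care_of
        return True

    def handle(self, pkt: Packet, trace: list) -> Packet:
        care_of = self.bindings.get(pkt.dst)
        if care_of is None:
            trace.append(f"HA: {pkt.dst} is at home, deliver locally")
            return pkt
        trace.append(f"HA: intercept {pkt.dst}, tunnel to {care_of}")
        return Packet(HOME_AGENT, care_of, b"", inner=pkt)   # IP-in-IP encapsulation


class ForeignAgent:
    def __init__(self):
        self.visitors = set()

    def handle(self, pkt: Packet, trace: list) -> Optional[Packet]:
        if pkt.inner is None or pkt.inner.dst not in self.visitors:
            trace.append("FA: no visitor binding, drop")
            return None
        trace.append(f"FA: decapsulate, deliver to {pkt.inner.dst}")
        return pkt.inner


def register(ha: HomeAgent, fa: ForeignAgent, permanent: str = PERMANENT,
             care_of: str = CARE_OF, key: bytes = REG_KEY) -> bool:
    """Step 1: mobile contacts the foreign agent. Step 2: the foreign agent relays
    the authenticated registration to the home agent."""
    fa.visitors.add(permanent)
    ok = ha.register(permanent, care_of, registration_auth(permanent, care_of, key))
    if not ok:
        fa.visitors.discard(permanent)
    return ok


def send_to_mobile(correspondent: str, payload: bytes, ha: HomeAgent, fa: ForeignAgent):
    """Indirect routing: the correspondent uses the permanent address, so ordinary
    routing carries the packet to the home network first. Returns (delivered, trace)."""
    trace = [f"{correspondent} -> {PERMANENT}"]
    pkt = ha.handle(Packet(correspondent, PERMANENT, payload), trace)
    if pkt.inner is None:
        return pkt, trace
    trace.append(f"{HOME_AGENT} -> {pkt.dst} (IP-in-IP)")
    return fa.handle(pkt, trace), trace


def reply_from_mobile(correspondent: str, payload: bytes):
    """The mobile answers directly from its permanent address, bypassing the home agent."""
    return Packet(PERMANENT, correspondent, payload), [f"{PERMANENT} -> {correspondent} (direct)"]


def triangle_detour(correspondent: str, trace: list) -> bool:
    """True when a correspondent inside the visited network still had its packet
    bounced through the home network: the inefficiency of triangle routing."""
    in_visited = ipaddress.ip_address(correspondent) in VISITED_NET
    return in_visited and any(t.startswith("HA:") and "tunnel" in t for t in trace)
```

The trace returned by `send_to_mobile` makes the detour visible: a correspondent sitting next to the mobile in 79.129.13.0/24 still sees its packet go to 128.119.40.0/24 and back, which is the case the slide calls inefficient.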

Page 15: Lecture 9

Mobility via Direct Routing

[Figure: home network and visited network connected across the wide area network]

1. Correspondent requests and receives the foreign address of the mobile
2. Correspondent forwards packets to the foreign agent
3. Foreign agent receives the packets, forwards them to the mobile
4. Mobile replies directly to the correspondent

No longer transparent to the correspondent

Page 16: Lecture 9

Mobility Today

• Limited support for mobility
– E.g., among base stations on a campus

• Applications increasingly robust under mobility
– Robust to changes in IP address, and to disconnections
– E.g., e-mail client contacting the e-mail server
– … and allowing reading/writing while disconnected
– New Google Gears for offline Web applications

• Increasing demand for seamless IP mobility
– E.g., continue a VoIP call while on the train

• Increasing integration of WiFi and cellular
– E.g., dual-mode cell phones that can use both networks
– Called Unlicensed Mobile Access (UMA)

Page 17: Lecture 9

Impact on Higher-Layer Protocols

• Wireless and mobility change path properties
– Wireless: higher packet loss, not from congestion
– Mobility: transient disruptions, and changes in RTT

• Logically, the impact should be minimal …
– Best-effort service model remains unchanged
– TCP and UDP can (and do) run over wireless, mobile links

• But performance definitely is affected
– TCP treats packet loss as a sign of congestion
– TCP tries to estimate the RTT to drive retransmissions
– TCP does not perform well with out-of-order packets

• The Internet was not designed with these issues in mind

Page 18: Lecture 9

Conclusions

• Wireless
– Already a major way people connect to the Internet
– Gradually becoming more than just an access network

• Mobility
– Today’s users tolerate disruptions as they move
– … and applications try to hide the effects
– Tomorrow’s users expect seamless mobility

• Challenges the design of network protocols
– Wireless breaks the abstraction of a link, and the assumption that packet loss implies congestion
– Mobility breaks the association of address and location
– Higher-layer protocols don’t perform as well

Page 19: Lecture 9

IP Security

Page 20: Lecture 9

IP Security

• There is a range of application-specific security mechanisms
– e.g., S/MIME, PGP, Kerberos, SSL/HTTPS

• However, there are security concerns that cut across protocol layers

• Implement them in the network, once, for all applications?

Enter IPsec!

Page 21: Lecture 9

IPSec

• General IP security mechanism
• Provides
– authentication
– confidentiality
– key management

• Applicable over LANs, across public & private WANs, and for the Internet

Page 22: Lecture 9

IPSec Uses

Page 23: Lecture 9

Benefits of IPSec

• If in a firewall/router:
– Provides strong security to all traffic crossing the perimeter
– Resistant to bypass, as long as all traffic must pass through it

• Is below the transport layer, hence transparent to applications

• Can be transparent to end users
• Can provide security for individual users
• Secures the routing architecture

Page 24: Lecture 9

IP Security Architecture

• Specification is quite complex
• Defined in numerous RFCs
– Originally RFC 2401 / 2402 / 2406 / 2408; the current architecture is RFC 4301, with AH in RFC 4302, ESP in RFC 4303 and IKEv2 in RFC 7296

• Mandatory in IPv6, optional in IPv4 (the IPv6 node requirements later relaxed this to a SHOULD in RFC 6434)
• Has two security header extensions:
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)

Page 25: Lecture 9

IPSec Services

• Access control
• Connectionless integrity
• Data origin authentication
• Rejection of replayed packets
– A form of partial sequence integrity via sequence numbers and a sliding window
– But not as robust as if on top of TCP

• Confidentiality (encryption)
• Limited traffic flow confidentiality
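The replay protection listed above is a sliding-window check over the ESP sequence number. The following is an added example (not from the lecture) implementing the 64-bit window of RFC 4303 Appendix A; the class and method names are my own. The important detail for a practitioner is the ordering: the window is consulted before the integrity check and updated only after the ICV verifies, so a forged packet with a huge sequence number cannot slide the window and knock legitimate in-flight packets out of it.

```python
"""ESP anti-replay sliding window (RFC 4303 Appendix A style). Added example."""


class AntiReplayWindow:
    """Tracks the highest sequence number accepted (`top`) and a bitmap of the
    `size` sequence numbers just below it."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  =>  sequence number (top - i) already seen

    def check(self, seq: int) -> bool:
        """Would `seq` be accepted? Does not modify the window; ESP runs this
        before the (expensive) ICV verification."""
        if seq == 0:
            return False                      # 0 is never valid; the first packet is 1
        if seq > self.top:
            return True                       # new high: always acceptable
        offset = self.top - seq
        if offset >= self.size:
            return False                      # too old: fell off the window
        return not (self.bitmap & (1 << offset))   # False => already seen (replay)

    def update(self, seq: int) -> None:
        """Record `seq` after the ICV verified. Only then may the window move."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # everything older is now out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int, icv_ok: bool) -> bool:
        """Full receiver path: replay check, then integrity check, then update."""
        if not self.check(seq):
            return False
        if not icv_ok:
            return False                      # forged or corrupted: window untouched
        self.update(seq)
        return True


def replay_attempts(window: AntiReplayWindow, packets) -> list:
    """Feed a captured sequence of (seq, icv_ok) pairs through the window and
    return which of them were accepted."""
    return [window.receive(seq, ok) for seq, ok in packets]
```

Note the "partial" in the slide: the window rejects duplicates and stragglers older than 64 packets, but it does not detect a lost packet or reorder anything, which is what TCP would add on top.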

Page 26: Lecture 9

Transport vs. Tunnel Mode ESP

• Transport mode is used to encrypt & optionally authenticate the IP payload
– Payload protected, but the original IP header is left in the clear
– Allows traffic analysis (who talks to whom), but is efficient
– Good for host-to-host traffic

• Tunnel mode encrypts the entire original IP packet
– Adds a new outer IP header addressed to the tunnel endpoint (e.g., the next security gateway)
– The inner addresses are hidden from observers on the path
– Good for VPNs, gateway-to-gateway security
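To make the traffic-analysis difference concrete, here is an added example (not code from the lecture) that builds an ESP packet in both modes and reports what a passive observer on the path can read. The ESP layout (SPI, sequence number, IV, ciphertext, ICV over SPI..ciphertext) follows RFC 4303; the 9-byte stand-in IP header, the HMAC-SHA256 keystream used instead of AES, and the host and gateway addresses are assumptions for the demonstration.

```python
"""ESP transport mode vs tunnel mode: what stays visible on the wire. Added example."""
import hashlib
import hmac
import ipaddress
import os
import struct

HDR_LEN = 9                   # toy IP header: src(4) dst(4) protocol(1)
PROTO_TCP, PROTO_ESP = 6, 50
ICV_LEN = 16


def pack_hdr(src: str, dst: str, proto: int) -> bytes:
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + bytes([proto])


def unpack_hdr(hdr: bytes):
    return str(ipaddress.ip_address(hdr[:4])), str(ipaddress.ip_address(hdr[4:8])), hdr[8]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher standing in for AES: HMAC-SHA256(key, nonce || counter).
    As with AES-CTR/GCM, the nonce (SPI || IV) must never repeat under one key."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encapsulate(plaintext: bytes, enc_key: bytes, auth_key: bytes, spi: int, seq: int) -> bytes:
    iv = os.urandom(8)
    ct = xor(plaintext, keystream(enc_key, struct.pack(">I", spi) + iv, len(plaintext)))
    body = struct.pack(">II", spi, seq) + iv + ct
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]   # integrity over SPI..ciphertext
    return body + icv


def esp_decapsulate(esp: bytes, enc_key: bytes, auth_key: bytes):
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]):
        raise ValueError("ESP ICV mismatch")          # verify before decrypting
    spi, seq = struct.unpack(">II", body[:8])
    iv, ct = body[8:16], body[16:]
    return spi, seq, xor(ct, keystream(enc_key, struct.pack(">I", spi) + iv, len(ct)))


def transport_mode(pkt: bytes, enc_key: bytes, auth_key: bytes, spi: int, seq: int) -> bytes:
    """Original header kept (protocol field now ESP); only the payload is protected."""
    src, dst, _ = unpack_hdr(pkt[:HDR_LEN])
    return pack_hdr(src, dst, PROTO_ESP) + esp_encapsulate(pkt[HDR_LEN:], enc_key, auth_key, spi, seq)


def tunnel_mode(pkt: bytes, enc_key: bytes, auth_key: bytes, spi: int, seq: int,
                gw_src: str, gw_dst: str) -> bytes:
    """Whole original packet, header included, protected; new outer header between gateways."""
    return pack_hdr(gw_src, gw_dst, PROTO_ESP) + esp_encapsulate(pkt, enc_key, auth_key, spi, seq)


def tunnel_decapsulate(wire: bytes, enc_key: bytes, auth_key: bytes) -> bytes:
    """Receiving gateway: strip the outer header, verify, decrypt, hand back the inner packet."""
    return esp_decapsulate(wire[HDR_LEN:], enc_key, auth_key)[2]


def observer_view(wire: bytes) -> dict:
    """All a passive observer learns from one packet: the outer header and the size."""
    src, dst, proto = unpack_hdr(wire[:HDR_LEN])
    return {"src": src, "dst": dst, "proto": proto, "length": len(wire)}
```

In transport mode `observer_view` still returns the two end hosts, so the communication pattern leaks even though the payload is hidden; in tunnel mode it returns only the gateway pair, at the cost of one extra header per packet (and, with real ciphers, padding and an 8-byte IV, which is why tunnel mode is the less efficient of the two).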

Page 27: Lecture 9

LAB (Establishing VPN)


Page 34: Lecture 9

DNS Security

Page 35: Lecture 9

Source: http://nsrc.org/tutorials/2009/apricot/dnssec/dnssec-tutorial.pdf

Page 36: Lecture 9

Root level DNS attacks

• Feb. 6, 2007:
– Botnet attack on the 13 Internet DNS root servers
– Lasted 2.5 hours
– None crashed, but two performed badly:
• g-root (DoD), l-root (ICANN)
• Most other root servers use anycast, which spreads the load across many sites

Page 37: Lecture 9

Do you trust the TLD operators?

• Wildcard DNS record for all .com and .net domain names not yet registered by others
– September 15 – October 4, 2003
– February 2004: Verisign sues ICANN

• Redirection of these domain names to a Verisign web portal: “to help you search”
– and serve you ads… and get “sponsored” search

Page 38: Lecture 9

Defense: Replication and Caching

source: wikipedia

Page 39: Lecture 9

DNS Amplification Attack

580,000 open resolvers on the Internet (Kaminsky-Shiffman ’06)

[Figure: the DoS source sends a small DNS query (60 bytes) with the source IP spoofed to the DoS target; the DNS server sends a large EDNS response (3000 bytes) to the target]

DNS amplification attack: ~40x amplification (3000 bytes / 60 bytes is 50x at the byte level)

Page 40: Lecture 9

Solutions

[Figure: the attacker sends IP-spoofed packets to open amplifiers, whose replies flood the victim]

• Prevent IP spoofing (ingress filtering at the network edge, BCP 38 / RFC 2827)
• Disable open amplifiers (restrict recursion to your own clients, rate-limit responses)
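The amplification attack and the two mitigations above, in code. This is an added example, not from the lecture: it builds the small EDNS query that elicits a large answer (wire format per RFC 1035 and RFC 6891), then runs detection over a constructed resolver log to find the address being used as the spoofed target, and shows the recursion ACL that turns an open amplifier into a closed resolver. The log format, the log lines and the allowed client prefixes are all constructed for the example.

```python
"""DNS amplification: the triggering query, detection in resolver logs, and the
recursion ACL. Added example; SAMPLE_LOG and its format are constructed."""
import ipaddress
import struct
from collections import defaultdict

QTYPE_ANY = 255


def encode_name(name: str) -> bytes:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234, udp_size: int = 4096) -> bytes:
    """A ~40-byte recursive query advertising a 4096-byte EDNS buffer: the attacker
    pays a few dozen bytes (plus IP/UDP headers) for an answer of up to 4 KB."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, ARCOUNT=1 for OPT
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack(">HHIH", 41, udp_size, 0, 0)     # root name, TYPE=OPT, CLASS=udp size
    return header + question + opt


# Constructed resolver log: time client qname qtype query_bytes response_bytes
SAMPLE_LOG = """\
10:00:01 198.51.100.7 example.com. ANY 40 3200
10:00:01 198.51.100.7 example.com. ANY 40 3200
10:00:02 10.0.0.5 www.example.com. A 33 49
10:00:02 198.51.100.7 example.com. ANY 40 3200
10:00:03 10.0.0.5 mail.example.com. MX 34 120
10:00:03 203.0.113.9 example.com. ANY 40 3200
10:00:04 198.51.100.7 example.com. ANY 40 3200
10:00:04 10.0.0.5 example.com. A 29 45
"""


def parse_log(text: str) -> list:
    rows = []
    for line in text.splitlines():
        ts, client, qname, qtype, qbytes, rbytes = line.split()
        rows.append({"ts": ts, "client": client, "qname": qname, "qtype": qtype,
                     "qbytes": int(qbytes), "rbytes": int(rbytes)})
    return rows


def amplification_by_client(rows: list) -> dict:
    """Per source address: query count and response_bytes / query_bytes.
    In a reflection attack the "client" address is the spoofed victim."""
    acc = defaultdict(lambda: [0, 0, 0])
    for r in rows:
        a = acc[r["client"]]
        a[0] += 1
        a[1] += r["qbytes"]
        a[2] += r["rbytes"]
    return {c: {"queries": n, "ratio": rb / qb} for c, (n, qb, rb) in acc.items()}


def suspected_victims(rows: list, min_ratio: float = 10.0, min_queries: int = 3) -> list:
    """Addresses receiving many high-amplification answers: probable spoofed targets."""
    stats = amplification_by_client(rows)
    return sorted(c for c, s in stats.items()
                  if s["ratio"] >= min_ratio and s["queries"] >= min_queries)


def should_answer_recursive(client: str, allowed=("10.0.0.0/8", "192.168.0.0/16")) -> bool:
    """The "disable open amplifiers" fix: recurse only for your own clients.
    Response rate limiting is the usual second line of defence for authoritative servers."""
    ip = ipaddress.ip_address(client)
    return any(ip in ipaddress.ip_network(n) for n in allowed)
```

The ACL cannot help a victim whose address is being spoofed at someone else's resolver; only ingress filtering at the spoofing source (BCP 38) removes the attack at its root, which is why the slide lists both.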

Page 41: Lecture 9

But should we believe it? Enter DNSSEC

• DNSSEC protects against data spoofing and corruption: resource record sets are signed, so a validating resolver detects forged or modified answers

• DNSSEC also provides mechanisms to authenticate servers and requests: transaction signatures (TSIG) cover the server-to-server exchanges, while DNSSEC proper signs the data rather than the query/response transaction

• DNSSEC provides mechanisms to establish authenticity and integrity, but not confidentiality: queries and answers still travel in the clear

Page 42: Lecture 9

PK-DNSSEC (Public Key)

• The DNS servers sign the hash of each resource record set with their private (signature) keys

• The corresponding public keys (published as DNSKEY records) can be used to verify the signatures (RRSIG records)

• Leverages the hierarchy:
– Authenticity of a nameserver’s public keys is established by a signature from the parent’s private key over (a digest of) those keys, the DS record in the parent zone
– In the ideal case, only the root’s public key needs to be distributed out-of-band (the trust anchor)

Page 43: Lecture 9

Verifying the tree

[Figure: the stub resolver asks the resolver “www.cnn.com A ?”; the resolver walks down the tree]

1. Resolver → . (root): www.cnn.com A ? → “ask the .com server”, with a SIG over the IP address and public key of the .com server
2. Resolver → .com: www.cnn.com A ? → “ask the cnn.com server”, with a SIG over the IP address and public key of the cnn.com server
3. Resolver → cnn.com: www.cnn.com A ? → xxx.xxx.xxx.xxx, with SIG (xxx.xxx.xxx.xxx)
4. Resolver verifies each SIG with the key obtained one level up, adds the answer to its cache, and returns xxx.xxx.xxx.xxx to the stub resolver

[Figure: transaction signatures (TSIG) between the master (src.cs.biit.edu.pk, dns.cs.biit.edu.pk) and its slave servers]
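The chain walk on this slide and the parent-signs-child model of the previous one, simulated end to end. This is an added example, not from the lecture or the NSRC tutorial: the zone names follow the slide (root, com, cnn.com), while the record layout, the 512-bit textbook RSA keys (no padding, generated inline), the address 192.0.2.10 and the resolver API are assumptions. Real DNSSEC carries DNSKEY, DS and RRSIG records (RFC 4034) with PKCS#1 RSA or ECDSA; the hierarchy validated here is the same, including the parent's DS record vouching for the child's key and the root key as the only out-of-band trust anchor.

```python
"""DNSSEC chain of trust with textbook RSA, pure Python. Added example."""
import hashlib
import random


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                                   # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def keygen(bits: int = 512, e: int = 65537):
    """(public, private) as (e, n), (d, n). Toy: no padding, small modulus."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                                 # gcd(e, phi) == 1
            return (e, p * q), (pow(e, -1, phi), p * q)


def rrset_hash(owner: str, rtype: str, rdata) -> int:
    canon = "\n".join([owner.lower(), rtype] + sorted(rdata)).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big")   # 256-bit, below n


def sign(priv, h: int) -> int:
    return pow(h, priv[0], priv[1])


def verify(pub, h: int, sig: int) -> bool:
    return pow(sig, pub[0], pub[1]) == h


def key_digest(pub) -> str:
    """What a DS record carries: a digest of the child zone's public key."""
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).hexdigest()


def parent_of(zone: str) -> str:
    return zone.split(".", 1)[1] or "."


class Zone:
    def __init__(self, name: str):
        self.name = name
        self.pub, self.priv = keygen()
        self.records, self.sigs = {}, {}          # (owner, type) -> rdata / RRSIG
        self.add(name, "DNSKEY", [f"{self.pub[0]}:{self.pub[1]}"])

    def add(self, owner: str, rtype: str, rdata):
        self.records[(owner, rtype)] = tuple(rdata)
        self.sigs[(owner, rtype)] = sign(self.priv, rrset_hash(owner, rtype, rdata))

    def delegate(self, child: "Zone"):
        self.add(child.name, "DS", [key_digest(child.pub)])   # parent vouches for child key


class ValidatingResolver:
    def __init__(self, zones, trust_anchor):
        self.zones = {z.name: z for z in zones}
        self.anchor = trust_anchor                # root public key, obtained out-of-band

    def _verify(self, zone, owner, rtype, pub):
        rdata = zone.records[(owner, rtype)]
        if not verify(pub, rrset_hash(owner, rtype, rdata), zone.sigs[(owner, rtype)]):
            raise ValueError(f"bad RRSIG on {owner} {rtype}")
        return rdata

    def zone_key(self, name: str):
        """Trusted public key of `name`, validated from the root down."""
        zone = self.zones[name]
        e, n = zone.records[(name, "DNSKEY")][0].split(":")
        pub = (int(e), int(n))
        self._verify(zone, name, "DNSKEY", pub)    # DNSKEY RRset is self-signed
        if name == ".":
            if pub != self.anchor:
                raise ValueError("root key does not match trust anchor")
            return pub
        parent = self.zones[parent_of(name)]
        ds = self._verify(parent, name, "DS", self.zone_key(parent.name))
        if ds[0] != key_digest(pub):
            raise ValueError(f"DS mismatch for {name}")
        return pub

    def lookup(self, owner: str, rtype: str):
        zone = max((z for z in self.zones if owner.endswith(z)), key=len)
        return self._verify(self.zones[zone], owner, rtype, self.zone_key(zone))


def build_example():
    root, com, cnn = Zone("."), Zone("com."), Zone("cnn.com.")
    root.delegate(com)
    com.delegate(cnn)
    cnn.add("www.cnn.com.", "A", ["192.0.2.10"])
    return ValidatingResolver([root, com, cnn], root.pub), {"root": root, "com": com, "cnn": cnn}
```

Two failure modes matter: a modified A record fails its RRSIG, and a rogue cnn.com zone with its own self-signed key is internally consistent but rejected because .com's DS record does not match its key. Both are caught with nothing more than the root key configured.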

Page 44: Lecture 9

Summary

• Network security and definitions

• Securing IP communication and DNS lookup

Page 45: Lecture 9

Assignment

• Write notes on the words highlighted in Green in this lecture

• Quiz from Highlighted Words in Next Class !

Page 46: Lecture 9

DNS Tools Lab (nslookup)

• nslookup
• dig
• Using zoneedit.com

Page 47: Lecture 9


The End

Questions?