Internet Goes Mobile
Alper Yegin
KIOW 2003 at APNIC 16
August 19th, 2003. Seoul, Korea
Internet - Yesterday
[Diagram: home network over DSL, home user over dial-up, and enterprise network over T1, all attached to the Internet]
Internet - Today and Tomorrow
[Diagram: the same home and enterprise sites plus a mobile network (GPRS, W-CDMA), an operator network, a community network and a PAN, all attached to the Internet]
Challenge
• Users expect the same characteristics (greedy!)
  – Secure
  – Reliable
  – Seamless
  – High performance
• Burden is on:
  – Standards bodies (IETF, IEEE, 3GPP, 3GPP2, etc.)
  – Vendors
  – Operators
Security
• First things first!
• Physical security is replaced with crypto-based security
  – Threats: eavesdropping, spoofing
  – Not a full replacement!
• Crypto designs and experts get a good exercise!
Solutions
• Good solutions:
  – 3GPP, 3GPP2
• Bad solutions:
  – IEEE WEP fiasco!
• Practical but less than adequate solutions:
  – WECA WISPr: HTTP redirect and web-based login hackery
• Practical and reasonable solutions:
  – IEEE 802.11b access outside VPN gateway
The Right Solution
• Authenticate, authorize the client
• Accounting and privacy
[Diagram: host attaches through an AP and access router in the visited network, speaking PANA or 802.1X to the access network; the ISP AAA server relays to the home AAA server over Diameter or RADIUS]
The Right Solution
• IETF AAA, EAP, and PANA Working Groups
• IEEE 802.11i, 802.1aa
[Diagram: same as the previous slide; PANA/802.1X between host and access network, Diameter/RADIUS between ISP AAA and home AAA]
Global AAA
• AAA web of trust is here (unlike global PKI) and more capable.
[Diagram: home-network and visited-network AAA servers interconnected through AAA brokers]
Impact
• Security is never plug-and-play (plug-and-get-hacked!)
• Additional infrastructure
  – Front-end AAA servers (NAS)
  – Backend AAA servers (RADIUS, Diameter servers)
  – VPN gateways
• Configuration
  – On the clients
  – Per-client configuration on the servers (keys, authorization parameters, etc.)
  – Configuration to join the AAA web of trust
Impact
• Increased popularity of IPsec and TLS
  – AAA requires confidential information exchange
  – VPN
  – Anonymizer.com
• Strengthening internal network is a MUST
  – Unless you are 100% sure that wireless access is secure
  – Partitioning, IDS, enforcing strict policy execution (social aspects)
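The NAS-to-backend leg of the AAA exchange on the "Right Solution" slide, and the "confidential information exchange" this slide says pushes IPsec and TLS onto the AAA path, in working code. This is an added example, not code from the deck or from any RADIUS implementation: it builds an Access-Request with RFC 2865 User-Password hiding, answers it with an Access-Accept/Reject carrying the Response Authenticator, and verifies that authenticator on the NAS. The user name, password, NAS address and shared secret are constructed for the example.

```python
"""RADIUS Access-Request / Access-Accept between a NAS and a backend server
(RFC 2865). Added example, not code from the deck; names, addresses and
the shared secret are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def attribute(atype: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; zero padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def parse_packet(pkt: bytes):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    if len(pkt) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, pkt[4:20], attrs


def nas_access_request(ident, username, password, nas_ip, secret, request_auth=None):
    """NAS (the front-end AAA server on the slides) builds an Access-Request."""
    request_auth = request_auth or os.urandom(16)   # fresh and unpredictable per request
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(pkt, secret, users):
    """Backend RADIUS server: recover the password, answer Accept or Reject."""
    code, ident, request_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("not a usable Access-Request")
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    expected = users.get(attrs[USER_NAME])
    ok = expected is not None and hmac.compare_digest(expected, password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def nas_check_response(resp, request, secret):
    """NAS side: returns (authentic, accepted). Authentic means the reply was
    computed with the secret over *this* request's authenticator, so an
    Access-Accept captured earlier cannot be replayed for a new login."""
    code, ident, resp_auth, _ = parse_packet(resp)
    _, req_ident, request_auth, _ = parse_packet(request)
    if ident != req_ident:
        return False, False
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    authentic = hmac.compare_digest(expected, resp_auth)
    return authentic, authentic and code == ACCESS_ACCEPT
```

Two things the code makes visible: the password is hidden with an MD5 keystream keyed only by the shared secret and a 16-byte nonce, so anyone who can sniff the NAS-to-server hop gets material for an offline guess at the secret; and the Access-Request itself carries no integrity check in RFC 2865 (the Message-Authenticator attribute arrived later with RFC 2869). That is the weakness the slide's "increased popularity of IPsec and TLS" answers: the AAA hop is wrapped rather than trusted as-is.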
But Still
• … You are vulnerable to attacks!
• Price of going wireless
Mobility Management
• Host at home (fixed Internet).
[Diagram: host a::1 on prefix a::/64 in the home network, talking to a web server; the visited network with its APs and access routers is not yet involved]
Mobility Management
• You move, you break!
[Diagram: host moves to the visited network and becomes b::1 on b::/64; its session with the web server breaks]
Mobile IP
• IETF Mobile IP Working Group
  – www.ietf.org/html.charters/mobileip-charter.html
[Diagram: host in the visited network keeps home address a::1 while using care-of address b::1 on b::/64; a home agent sits in the home network]
Mobile IP
• Traffic tunneled through home network
[Diagram: web server traffic addressed to a::1 reaches the home agent, which tunnels it to care-of address b::1]
Mobile IP
• End-to-end signaling for route optimization
[Diagram: host signals its home address a::1 / care-of address b::1 binding directly to the web server]
Mobile IP
• Most direct path for data traffic.
[Diagram: web server sends to b::1 directly, bypassing the home agent]
… Fast and Smooth
• Problem: Signaling latency.
[Diagram: host moves to c::/64 and gets new care-of address c::1 for home address a::1; the binding signaling for the new address is still in flight]
… Fast and Smooth
• Fast Handovers
  – draft-ietf-mobileip-fast-mipv6-06.txt
• IETF Seamoby Working Group
  – www.ietf.org/html.charters/seamoby-charter.html
[Diagram: host c::1 on c::/64 with old care-of address b::1 and new care-of address c::1]
… Fast and Smooth
• Context transferred and routes fixed.
[Diagram: host c::1 on c::/64 reachable again by the web server]
… Privacy
• Hide precise location and movement.
[Diagram: visited-network subnets b::/64, c::/64 and d::/64 correspond to physical locations (employee office, CEO's office, cafeteria); host is d::1]
… Privacy
• Obtain an IP address from the localized mobility agent.
[Diagram: localized mobility agent with prefix e::/64; host has home address a::1, regional care-of address e::1 and local care-of address d::1]
… Privacy
• Correspondent sends packets directly to the agent. Agent tunnels them to the precise location.
[Diagram: web server traffic goes to the localized mobility agent, which tunnels it to host d::1]
… Privacy
• Correspondent does not know the real IP destination, or when it changes.
[Diagram: host moves to b::1; the localized mobility agent retargets its tunnel without involving the web server]
… AAA
• Mobility management is a for-profit “service”
[Diagram: home AAA and ISP AAA servers added alongside the home agent and localized mobility agent]
… Network is Mobile
• IETF NEMO Working Group
  – www.ietf.org/html.charters/nemo-charter.html
[Diagram: visited network with access routers serving base stations]
Impact on Intranet
• More stateful servers
  – Home agents, access routers (for context transfer and fast handovers), localized mobility agents
  – Mobile IP bindings, tunnels, host-routes
  – Redundancy and fault-tolerance are a MUST!
• More configuration
  – Per client on the servers
  – Trust relations among communicating servers
Impact on Internet/Intranet
• Tunnels
  – Several levels of nesting
[Diagram: web server → Home Agent → Localized Mobility Agent → Previous Access Router → host at Current Access Router. Mobile IP tunnels traffic for the Home Address to the (Regional) Care-of Address; Localized Mobility Management tunnels that to the (Older local) Care-of Address; Fast Handovers tunnel that to the (Current local) Care-of Address]
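The forwarding path drawn on this slide, which also covers the home-agent tunnel of the "Traffic tunneled through home network" slide and the localized-mobility tunnel of the privacy slides, as an added example that is not from the deck. Each agent wraps the packet in a fresh IPv6 header (IPv6-in-IPv6, next header 41), and the mobile node unwraps the layers while checking that every outer destination is one of its own addresses and every outer source is an agent it actually has a tunnel with. The host addresses a::1, e::1, c::1 and d::1 follow the deck's figures; the agent addresses a::2 (home agent), e::2 (localized mobility agent), c::2 (previous access router) and the web server 2001:db8::80 are assumptions made for the example.

```python
"""Nested IPv6-in-IPv6 tunnels: Mobile IP -> localized mobility -> fast
handover. Added example, not code from the deck. Host addresses follow
the slides; agent and web server addresses are assumed."""
import struct
from ipaddress import IPv6Address

IPPROTO_IPV6 = 41     # next-header value for IPv6-in-IPv6 encapsulation
IPPROTO_UDP = 17
HDR = 40              # fixed IPv6 header; every tunnel level adds this much

HOME_ADDRESS, HOME_AGENT = "a::1", "a::2"          # a::2 assumed
REGIONAL_COA, LMA = "e::1", "e::2"                 # e::2 assumed
OLD_LOCAL_COA, PREVIOUS_AR = "c::1", "c::2"        # c::2 assumed
CURRENT_LOCAL_COA = "d::1"
WEB_SERVER = "2001:db8::80"                        # assumed correspondent


def ipv6_packet(src, dst, next_header, payload, hop_limit=64):
    """Build a basic IPv6 header (version 6, zero traffic class / flow label)."""
    header = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    return header + IPv6Address(src).packed + IPv6Address(dst).packed + payload


def parse_ipv6(pkt):
    """Return (src, dst, next_header, payload); reject malformed packets."""
    if len(pkt) < HDR:
        raise ValueError("truncated IPv6 packet")
    vtf, plen, nh, _ = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if plen != len(pkt) - HDR:
        raise ValueError("payload length mismatch")
    return str(IPv6Address(pkt[8:24])), str(IPv6Address(pkt[24:40])), nh, pkt[HDR:]


def encapsulate(tunnel_src, tunnel_dst, inner):
    """What a home agent, LMA or previous AR does: wrap the packet whole."""
    return ipv6_packet(tunnel_src, tunnel_dst, IPPROTO_IPV6, inner)


def deliver_via_agents(cn_packet):
    """Forwarding path of the slide: each agent checks that the packet is for
    the address it is responsible for and tunnels one level deeper."""
    bindings = {
        HOME_AGENT: (HOME_ADDRESS, REGIONAL_COA),          # Mobile IP binding
        LMA: (REGIONAL_COA, OLD_LOCAL_COA),                # localized mobility binding
        PREVIOUS_AR: (OLD_LOCAL_COA, CURRENT_LOCAL_COA),   # fast-handover forwarding
    }
    pkt = cn_packet
    for agent in (HOME_AGENT, LMA, PREVIOUS_AR):
        bound_addr, next_hop = bindings[agent]
        _, dst, _, _ = parse_ipv6(pkt)
        if dst != bound_addr:
            raise ValueError(f"{agent} has no binding for {dst}")
        pkt = encapsulate(agent, next_hop, pkt)
    return pkt


def mobile_node_receive(pkt, own_addresses, tunnel_peers):
    """Strip the tunnel layers. Every outer destination must be one of our
    addresses and every outer source a peer we set a tunnel up with;
    otherwise anyone could inject packets that appear to come from home."""
    layers = []
    while True:
        src, dst, nh, payload = parse_ipv6(pkt)
        if dst not in own_addresses:
            raise ValueError(f"packet for {dst} is not ours")
        if nh != IPPROTO_IPV6:
            return layers, pkt       # innermost packet: hand to the application
        if src not in tunnel_peers:
            raise ValueError(f"tunnel from unexpected endpoint {src}")
        layers.append((src, dst))
        pkt = payload


def is_accepted(pkt, own_addresses, tunnel_peers):
    """True if the mobile node would deliver the packet, False if it drops it."""
    try:
        mobile_node_receive(pkt, own_addresses, tunnel_peers)
        return True
    except ValueError:
        return False


def tunnel_overhead(wrapped, original):
    """Bytes added by all tunnel levels together."""
    return len(wrapped) - len(original)
```

Three levels of nesting cost 120 bytes of headers per packet on the last hop, which is the price the slide is pointing at; the outer-source check in `mobile_node_receive` is the minimum a mobile node needs before it trusts anything that arrives looking like a tunnel from its home agent.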
Impact on Internet
• Address consumption
  – Always-on hosts
  – Purpose-specific address usage (home address, care-of address)
  – Multihomed devices (GPRS, IEEE 802.11b, Bluetooth)
  – Sensor networks
Impact on Internet
• Suboptimal routing, redirect servers
[Diagram: host A and host B, each reached through its own home agent (Home Agent A, Home Agent B)]
Host Assumptions
• Can be anything:
• Dynamic auto-configuration needed:
  – IPv6 address auto-configuration (RFC 2462)
  – IPv6 prefix delegation (draft-troan-dhcpv6-opt-prefix-delegation-02.txt)
  – Service discovery (IPv6 anycast address support)
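The address auto-configuration listed above, worked through for a host that moves between the deck's prefixes a::/64 to d::/64, as an added example that is not from the deck. It forms the RFC 2462 interface identifier from a MAC address (modified EUI-64), combines it with whatever prefix the current access router advertises, and then shows the side effect the privacy slides care about: the identifier half of the address never changes, so a correspondent can tell that a::… and d::… are the same host even though the prefix says it has moved. The MAC address is constructed; the random-identifier variant at the end is the usual remedy and is not something the slides mention.

```python
"""IPv6 stateless address autoconfiguration (RFC 2462) with EUI-64 derived
interface identifiers. Added example, not from the deck; the MAC address
is constructed, the prefixes follow the slides."""
import os
from ipaddress import IPv6Address, IPv6Network


def modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface identifier: insert ff:fe in the middle
    and flip the universal/local bit (0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def random_iid() -> bytes:
    """Random 64-bit identifier with the u/l bit cleared (locally assigned)."""
    iid = bytearray(os.urandom(8))
    iid[0] &= ~0x02 & 0xFF
    return bytes(iid)


def slaac_address(prefix: str, iid: bytes) -> str:
    """Advertised /64 prefix + interface identifier -> global address."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("SLAAC needs a /64 prefix and a 64-bit identifier")
    return str(IPv6Address(net.network_address.packed[:8] + iid))


def link_local(iid: bytes) -> str:
    """fe80::/64 address the host configures before it hears any router."""
    return slaac_address("fe80::/64", iid)


def interface_id(address: str) -> bytes:
    """Low 64 bits of an address: what stays constant across prefixes."""
    return IPv6Address(address).packed[8:]


def addresses_on_the_move(mac: str, prefixes) -> list:
    """Addresses a host autoconfigures as it moves between access routers."""
    iid = modified_eui64(mac)
    return [slaac_address(p, iid) for p in prefixes]


def same_host(addr_a: str, addr_b: str) -> bool:
    """Correlation a correspondent can do when EUI-64 identifiers are used."""
    return interface_id(addr_a) == interface_id(addr_b)
```

With EUI-64 identifiers the care-of address changes on every move but the lower 64 bits do not, so "hide precise location and movement" needs more than a localized mobility agent in front of the host: the identifier itself has to change too. Randomized identifiers (RFC 3041, which postdates RFC 2462 and is not cited on the slides) are the standard answer, and `random_iid` shows the shape of one.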
IPv6
• IPv6 benefits:
  – Ability to run server apps on devices (accept incoming connections)
  – Plug-and-play
  – End-to-end IPsec for thwarting first-hop and last-hop threats
  – Mobile IPv6: efficient, easy to deploy and manage, and scalable mobility protocol
  – Extensibility
• Mobile and wireless Internet will expedite the transition from IPv4-NAT to IPv6
• www.isoc.org/briefings/014/index.html
Conclusion
• Wireless and mobility provide tremendous benefits, but they come with a price.
• Transitioning the Internet protocols, architectures, products, and running networks should be done very carefully.
Questions?