Internet Goes Mobile
Alper Yegin
KIOW 2003 at APNIC 16
August 19th, 2003. Seoul, Korea
Internet - Yesterday
[Diagram: Enterprise Network, Home user and Home Network connected to the Internet over T1, dial-up and DSL links]
Internet - Today and Tomorrow
[Diagram: Enterprise Network, Community Network, Operator Network, Mobile Network, Home user and Home Networks connected to the Internet over T1, dial-up, DSL, W-CDMA, GPRS and PAN links]
Challenge
• Users expect the same characteristics (greedy!)
– Secure
– Reliable
– Seamless
– High performance
• Burden is on:
– Standards bodies (IETF, IEEE, 3GPP, 3GPP2, etc.)
– Vendors
– Operators
Security
• First things first!
• Physical security is replaced with crypto-based security
– Threats: Eavesdropping, spoofing
– Not a full replacement!
• Crypto designs and experts get a good exercise!
Solutions
• Good solutions:
– 3GPP, 3GPP2
• Bad solutions:
– IEEE WEP fiasco!
• Practical but less than adequate solutions:
– WECA WISPr: HTTP redirect and web-based login hackery
• Practical and reasonable solutions:
– IEEE 802.11b access outside VPN gateway
The Right Solution
• Authenticate, authorize the client
• Accounting and privacy
[Diagram: host, AP, Access Router, ISP AAA and Home AAA, spanning the Visited Network and the Home Network; links labelled PANA, 802.1X and Diameter, RADIUS]
The Right Solution
• IETF AAA, EAP, and PANA Working Groups
• IEEE 802.11i, 802.1aa
[Diagram: host, AP, Access Router, ISP AAA and Home AAA, spanning the Visited Network and the Home Network; links labelled PANA, 802.1X and Diameter, RADIUS]
Global AAA
• AAA web of trust is here (unlike global PKI) and more capable.
[Diagram: AAA servers in Home Networks and Visited Networks interconnected through AAA brokers]
Impact
• Security is never plug-and-play (plug-and-get-hacked!)
• Additional infrastructure
– Front-end AAA servers (NAS)
– Backend AAA servers (RADIUS, Diameter servers)
– VPN gateways
• Configuration
– On the clients
– Per-client configuration on the servers (keys, authorization parameters, etc.)
– Configuration to join the AAA web of trust
Impact
• Increased popularity of IPsec and TLS
– AAA requires confidential information exchange
– VPN
– Anonymizer.com
• Strengthening internal network is a MUST
– Unless you are 100% sure that wireless access is secure
– Partitioning, IDS, enforcing strict policy execution (social aspects)
But Still
• … You are vulnerable to attacks!
• Price of going wireless
Mobility Management
• Host at home (fixed Internet).
[Diagram: host a::1 attached to the Home Network (a::/64) through an AP and Access Router; Web server; Visited Network with three Access Routers and APs]
Mobility Management
• You move, you break!
[Diagram: host now at b::1 on prefix b::/64 in the Visited Network; Web server; Home Network with AP and Access Router]
Mobile IP
• IETF Mobile IP Working Group
– www.ietf.org/html.charters/mobileip-charter.html
[Diagram: Web server, Home Agent in the Home Network, host b::1 on b::/64 in the Visited Network; binding shown as home address a::1, care-of address b::1]
Mobile IP
• Traffic tunneled through home network
[Diagram: Web server, Home Agent in the Home Network, host b::1 on b::/64 in the Visited Network]
Mobile IP
• End-to-end signaling for route optimization
[Diagram: Web server, Home Agent in the Home Network, host b::1 on b::/64 in the Visited Network; binding shown as home address a::1, care-of address b::1]
Mobile IP
• Most direct path for data traffic.
[Diagram: Web server, Home Agent in the Home Network, host b::1 on b::/64 in the Visited Network]
… Fast and Smooth
• Problem: Signaling latency.
[Diagram: Web server, Home Agent in the Home Network, host c::1 on c::/64 in the Visited Network; binding shown as a::1, new care-of address c::1]
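The sequence in the Mobility Management and Mobile IP slides above, as an added example that is not part of the original presentation: a small Python model of where a packet from the web server ends up as bindings are created and go stale. The addresses a::1, b::1 and c::1 come from the slides; the function names, the dict-based binding caches and the hop labels are assumptions made for illustration, and binding updates are accepted without any authentication.

```python
import ipaddress

# Addresses are the ones drawn on the slides; everything else is a constructed model.
HOME_ADDR = ipaddress.ip_address("a::1")

def binding_update(cache, care_of):
    """Record home address -> care-of address; no authentication in this model."""
    cache[HOME_ADDR] = ipaddress.ip_address(care_of)

def route(cn_cache, ha_cache, host_addr):
    """Return (hops, delivered) for one packet sent by the web server.

    cn_cache: binding cache at the correspondent (route optimization).
    ha_cache: binding cache at the home agent.
    host_addr: the address the host actually holds right now.
    """
    host_addr = ipaddress.ip_address(host_addr)
    hops = ["web server"]
    if HOME_ADDR in cn_cache:                 # correspondent knows the care-of address
        dst = cn_cache[HOME_ADDR]
    else:
        hops.append("home network")           # packet is addressed to a::1
        if HOME_ADDR in ha_cache:             # home agent intercepts and tunnels
            hops.append("home agent tunnel")
            dst = ha_cache[HOME_ADDR]
        else:
            dst = HOME_ADDR
    delivered = dst == host_addr
    hops.append(f"host {dst}" if delivered else f"lost at {dst}")
    return hops, delivered

def scenario():
    """Walk the slides: at home, moved, tunneled, optimized, moved again."""
    cn, ha, out = {}, {}, {}
    out["at home"] = route(cn, ha, "a::1")
    out["moved, no Mobile IP"] = route(cn, ha, "b::1")
    binding_update(ha, "b::1")
    out["home agent binding"] = route(cn, ha, "b::1")
    binding_update(cn, "b::1")
    out["route optimized"] = route(cn, ha, "b::1")
    out["moved again, stale bindings"] = route(cn, ha, "c::1")
    binding_update(ha, "c::1")
    binding_update(cn, "c::1")
    out["after new binding updates"] = route(cn, ha, "c::1")
    return out

if __name__ == "__main__":
    for name, (hops, ok) in scenario().items():
        print(f"{name:28} {'OK  ' if ok else 'LOST'} {' -> '.join(hops)}")
```

The "moved again, stale bindings" row is the signaling-latency window: until both caches are updated, packets keep going to the old care-of address.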
… Fast and Smooth
• Fast Handovers
– draft-ietf-mobileip-fast-mipv6-06.txt
• IETF Seamoby Working Group
– www.ietf.org/html.charters/seamoby-charter.html
[Diagram: Web server, Home Agent, Access Routers and APs in the Visited Network; host c::1 on c::/64; binding shown as old care-of address b::1, new care-of address c::1]
… Fast and Smooth
• Context transferred and routes fixed.
[Diagram: Web server, Home Agent in the Home Network, host c::1 on c::/64 in the Visited Network]
… Privacy
• Hide precise location and movement.
[Diagram: Visited Network prefixes b::/64, c::/64 and d::/64 serving the cafeteria, the CEO’s office and an employee office; host d::1; Home Agent; Web server]
… Privacy
• Obtain an IP address from the localized mobility agent.
[Diagram: Localized Mobility Agent on e::/64 in the Visited Network; bindings shown as home address a::1 to regional care-of address e::1, and e::1 to local care-of address d::1; host d::1 on d::/64; prefixes b::/64 and c::/64; Home Agent; Web server]
… Privacy
• Correspondent sends packets directly to the agent. Agent tunnels them to the precise location.
[Diagram: Web server, Home Agent, Localized Mobility Agent in the Visited Network; prefixes b::/64, c::/64 and d::/64; host d::1]
… Privacy
• Correspondent does not know the real IP destination, or when it changes.
[Diagram: Web server, Home Agent, Localized Mobility Agent in the Visited Network; prefixes b::/64 and c::/64; host now at b::1]
… AAA
• Mobility management is a for-profit “service”
[Diagram: Home Agent and Home AAA in the Home Network; ISP AAA; Localized Mobility Agent, Access Routers and APs in the Visited Network; host b::1 on b::/64; c::/64; Web server]
… Network is Mobile
• IETF NEMO Working Group
– www.ietf.org/html.charters/nemo-charter.html
[Diagram: Visited Network with Access Routers and Base Stations]
Impact on Intranet
• More stateful servers
– Home agents, access routers (for context transfer and fast handovers), localized mobility agents
– Mobile IP bindings, tunnels, host-routes
– Redundancy and fault-tolerance are a MUST!
• More configuration
– Per client on the servers
– Trust relations among communicating servers
Impact on Internet/Intranet
• Tunnels
– Several levels of nesting
[Diagram: path from Web server to host through Home Agent (Home Address), Localized Mobility Agent ((Regional) Care-of Address), Previous Access Router ((Older local) Care-of Address) and Current Access Router ((Current local) Care-of Address); tunnel layers labelled Mobile IP, Localized Mobility Management and Fast Handovers]
Impact on Internet
• Address consumption
– Always-on hosts
– Purpose-specific address usage (home address, care-of address)
– Multihomed devices (GPRS, IEEE 802.11b, Bluetooth)
– Sensor networks
Impact on Internet
• Suboptimal routing, redirect servers
[Diagram: host A, Home Agent A, host B, Home Agent B]
Host Assumptions
• Can be anything:
• Dynamic auto-configuration needed:
– IPv6 address auto-configuration (RFC 2462)
– IPv6 prefix delegation (draft-troan-dhcpv6-opt-prefixdelegation-02.txt)
– Service discovery (IPv6 anycast address support)
IPv6
• IPv6 benefits:
– Ability to run server apps on devices (accept incoming connections)
– Plug-and-play
– End-to-end IPsec for thwarting first-hop and last-hop threats
– Mobile IPv6: Efficient, easy to deploy and manage, and scalable mobility protocol
– Extensibility
• Mobile and wireless Internet will expedite the transition from IPv4-NAT to IPv6
• www.isoc.org/briefings/014/index.html
Conclusion
• Wireless and mobility provide tremendous benefits, but they come with a price.
• Transitioning the Internet protocols, architectures, products, and running networks should be done very carefully.
Questions?