Securing Mobile Networks: An Enabling Technology for National and International Security and Beyond (2002-11-22)


1

Securing Mobile Networks

An Enabling Technology for National and International Security and Beyond

2

Goals for November 6th

• Highlight Mobile Networking Technology, emphasizing National and International Security today due to time limitations.
• Discuss security policy
• Enabling shared infrastructure (when reasonable)
• Next Steps (Afternoon Session)
• Other Items (Afternoon Session)

3

Today’s Audience

• Big Picture People
• Policy Makers
• Media
• Code Writers
• Implementers

Please, don’t be afraid to ask questions.

Neah Bay / Mobile Router Project

Diagram: the Neah Bay connects to a Foreign Agent via the wireless LAN at Cleveland harbor; outside wireless LAN range it connects to a Foreign Agent via Globalstar. Foreign Agents in Cleveland, Detroit and "Somewhere, USA" reach the Home Agent at "Anywhere, USA" across the Internet.

5

Why NASA/USCG/Industry

• Real world deployment issues can only be addressed in an operational network.
• USCG has immediate needs, therefore willingness to work the problem.
• USCG has military network requirements.
• USCG is a large enough network to force us to investigate full scale deployment issues.
• USCG is small enough to work with.
• NASA has the same network issues regarding mobility, security, network management and scalability.

6

Mobile-Router Advantages

• Share wireless and network resources with other organizations ($$$ savings)
• Set and forget: no onsite expertise required. However, you still have to engineer the network.
• Continuous Connectivity (may or may not be important to your organization)
• Robust: Secondary Home Agent (reparenting of HA)

7

Mobile Network Design Goals

• Secure
• Scalable
• Manageable
• Ability to share network infrastructure
• Robust

8

Shared Network Infrastructure

Diagram: a single Public Internet with Foreign Agents serving the Mobile Routers of the US Coast Guard, the Canadian Coast Guard, ACME Shipping and the US Navy, each organization keeping its own Home Agent.

Encrypting wireless links makes it very difficult to share infrastructure. This is a policy issue.

9

Secondary Home Agent (reparenting the HA)

Diagram: Primary Home Agent and Secondary Home Agent (one path marked with an X).

Reparenting the Home Agent helps resolve the triangular routing problem over long distances.

10

Emergency Backup (Hub / Spoke Network)

If the primary control site becomes physically inaccessible but can be electronically connected, a secondary site can be established.

If the primary control site is physically incapacitated, there is no backup capability.

11

Secondary Home Agent (Fully Meshed Network)

Diagram: five fully meshed sites, numbered 1 to 5.

If the primary control site is physically incapacitated, a second, third or fourth site takes over automatically.

12

We Are Running with Reverse Tunneling

Pros
• Ensures topologically correct addresses on foreign networks
• Required, as requests from MR LAN hosts must pass through the Proxy inside the main firewall
• Greatly simplifies setup and management of security associations in encryptors
• Greatly simplifies multicast – the HA makes for an excellent rendezvous point

Cons
• Uses additional bandwidth
• Destroys route optimization

Diagram: the Mobile LAN (10.x.x.x) behind the MR reaches FA Detroit or FA Cleveland over an 802.11b link; the FAs reach the HA across the Internet; the path into the USCG intranet (10.x.x.x) passes an encryptor, a firewall and a proxy. The MR tunnel endpoint and the HA tunnel endpoint are both in public address space.

Open Network Data Transfers

Diagram: the same topology, with the 802.11b access sites at the USCG Officer's Club and the East and West docks.

Encrypted Network Data Transfers

Diagram: the same topology and access sites as the previous slide.

Monitoring Points

Diagram: the same topology and access sites, with two Open Network Monitoring Points marked.

Diagram: the same topology and access sites.

Note, we are monitoring the Neah Bay. We are using lots of bandwidth to do this.


RF Bandwidth

Diagram: link rates annotated on the Mobile LAN / dock / encryption diagram:
• 1.0 Mbps (manually set)
• 1.0 Mbps (manually set)
• 11.0 Mbps (auto-negotiated and shared with Officer's Club)
• 7 Kbps to 56 Kbps in 7 Kbps chunks (1 to 2.5 seconds delay)

20

Wireless Only?

• Wireless can be jammed, particularly unlicensed spectrum such as 802.11. Satellites are a bit harder. The solution is to find the interferer and make them stop.
• You still want land line connections. Mobile Routing can be used over land lines.

21

Globalstar / Sea Tel MCM-8

• Initial market addresses maritime and pleasure boaters.
• Client / Server architecture: the current implementation requires the call to be initiated by the client (ship).
• Multiplexes eight channels to obtain 56 kbps total data throughput. Full bandwidth-on-demand.
• Requires use of Collocated Care-of-Address.

22

Satellite Coverage

Diagram: Globalstar and INMARSAT coverage (from SaVi).

23

Layer 2 Technology

• Globalstar MCM-8
• Hypergain 802.11b Flat Panel
• 8 dBi Dipole
• L3-Comm 15 dBic Tracking Antenna
• Sea Tel Tracking Antenna

Backbone Network Topology

Detail Network Diagram

(Intentionally Blank)

Neah Bay Network Topology

Detail Network Diagram

(Intentionally Blank)

USCG Officer’s Club Network Topology

Detail Network Diagram

(Intentionally Blank)

27

Securing Mobile and Wireless Networks

Some ways may be “better”than others!

28

Constraints / Tools

• Policy
• Architecture
• Protocols

29

IPv4 Utopian Operation: Triangular Routing

Diagram: the Public Internet connects the FA and MR of the US Coast Guard Mobile Network, the HA in the US Coast Guard Operational Network (Private Address Space), and a CN.

30

IPv4 "Real World" Operation

Diagram: the same topology, with a Proxy at the border of the US Coast Guard Operational Network.

Proxy had not originated the request; therefore, the response is squelched. Peer-to-peer networking becomes problematic at best.

Glenn Research Center Policy: No UDP, No IPSec, etc… Mobile-IP stopped in its tracks. What's your policy?

Ingress or Egress Filtering stops transmission due to a topologically incorrect source address. IPv6 corrects this problem.

USCG requires 3DES encryption. WEP is not acceptable due to known deficiencies.

31

Current Solution – Reverse Tunneling

Diagram: the same topology and Proxy as the previous slide.

Anticipate similar problems for IPv6.

Adds overhead and kills route optimization.
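The behaviour the "Real World" and "Reverse Tunneling" slides describe, as an added example that is not part of the deck and not NASA or USCG code: a small Python model of Mobile IPv4 forwarding in which the correspondent node's reply is tunnelled by the home agent to the care-of address, while the mobile node's own request either goes direct (triangular routing) or is reverse-tunnelled to the home agent. It also covers the Pros and Cons listed on the "We Are Running with Reverse Tunneling" slide. The foreign network's ingress/egress filter and the stateful proxy inside the home intranet are modelled abstractly, the addresses are the ones on the Mobile-IP Operation slide near the end of the deck, and the mobile node is assumed to use a collocated care-of address, so it builds the reverse tunnel itself (as the Globalstar slide requires).

```python
"""Toy model of Mobile IPv4 forwarding with and without reverse tunneling.

Constructed example for this deck, not NASA or USCG code. Addresses come
from the Mobile-IP Operation slide; the egress filter and the stateful
proxy are modelled only as far as the slides describe them. The mobile
node is assumed to hold a collocated care-of address (COA).
"""
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

FOREIGN_NET = ipaddress.ip_network("139.88.111.0/24")  # visited network (NASA Glenn)
HOME_ADDR = "128.183.13.103"   # mobile node's permanent home address (NASA Goddard)
HA_ADDR = "128.183.13.1"       # home agent
COA = "139.88.111.50"          # care-of address on the visited network
CN_ADDR = "143.232.48.1"       # correspondent node (NASA Ames)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: str
    outer: Optional[Tuple[str, str]] = None  # (outer_src, outer_dst) if IP-in-IP


def encapsulate(pkt: Packet, outer_src: str, outer_dst: str) -> Packet:
    return Packet(pkt.src, pkt.dst, pkt.payload, (outer_src, outer_dst))


def decapsulate(pkt: Packet) -> Packet:
    return Packet(pkt.src, pkt.dst, pkt.payload, None)


def visible_src(pkt: Packet) -> str:
    """Source address a router on the path sees: the outer header if tunnelled."""
    return pkt.outer[0] if pkt.outer else pkt.src


def egress_filter_permits(pkt: Packet) -> bool:
    """Foreign-network border rule: only topologically correct sources may leave."""
    return ipaddress.ip_address(visible_src(pkt)) in FOREIGN_NET


def exchange(reverse_tunnel: bool, egress_filtering: bool, stateful_proxy: bool) -> dict:
    """One request/response between the mobile node (MN) and the CN.

    Returns the hop sequence in each direction and the outcome.
    """
    proxy_flows = set()                 # (src, dst) pairs the proxy forwarded outbound
    req_path, resp_path = ["MN"], []

    # Request: MN -> CN. Triangular routing sends straight from the home
    # address; reverse tunnelling wraps it in an IP-in-IP header COA -> HA,
    # so the source visible on the foreign network is a local one.
    req = Packet(HOME_ADDR, CN_ADDR, "request")
    if reverse_tunnel:
        req = encapsulate(req, COA, HA_ADDR)
    req_path.append("FA")
    if egress_filtering and not egress_filter_permits(req):
        return {"outcome": "request dropped by foreign egress filter",
                "request_path": req_path, "response_path": resp_path}
    if reverse_tunnel:
        req_path.append("HA")
        req = decapsulate(req)           # HA strips the tunnel header
        if stateful_proxy:
            req_path.append("PROXY")     # request leaves via the intranet proxy
            proxy_flows.add((req.src, req.dst))
    req_path.append("CN")

    # Response: CN -> home address. It enters the home intranet through the
    # proxy (if any), is intercepted by the HA and tunnelled to the COA.
    resp = Packet(CN_ADDR, HOME_ADDR, "response")
    resp_path.append("CN")
    if stateful_proxy:
        resp_path.append("PROXY")
        if (resp.dst, resp.src) not in proxy_flows:
            return {"outcome": "response squelched by proxy (it never saw the request)",
                    "request_path": req_path, "response_path": resp_path}
    resp_path.append("HA")
    resp = encapsulate(resp, HA_ADDR, COA)   # HA -> COA tunnel
    resp_path += ["FA", "MN"]
    resp = decapsulate(resp)
    assert resp.dst == HOME_ADDR and resp.payload == "response"
    return {"outcome": "delivered", "request_path": req_path, "response_path": resp_path}


if __name__ == "__main__":
    scenarios = {
        "utopian (no filter, no proxy)": (False, False, False),
        "egress filtering only":          (False, True, False),
        "stateful proxy only":            (False, False, True),
        "real world + reverse tunnel":    (True, True, True),
    }
    for name, args in scenarios.items():
        r = exchange(*args)
        print(f"{name:32s} {r['outcome']}")
        print(f"{'':32s} req {' > '.join(r['request_path'])}")
        if r["response_path"]:
            print(f"{'':32s} rsp {' > '.join(r['response_path'])}")
```

Running it walks the four cases: the utopian triangular path works; egress filtering alone drops the request because its visible source (the home address) is not topologically correct on the foreign network; a stateful proxy alone squelches the response because the request bypassed it; the reverse tunnel satisfies both at the cost of the extra hop through the HA and one extra IP header in each direction. The IPv6 behaviour the slide mentions is not modelled.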

32

Shared Network Infrastructure

Diagram: Foreign Agents on the Public Internet serving the Mobile Routers of the US Coast Guard, the Canadian Coast Guard, ACME Shipping and the US Navy, each with its own Home Agent.

Encrypting wireless links makes it very difficult to share infrastructure. This is a policy issue.

Security

• Security ↑ Bandwidth Utilization ↓
• Security ↑ Performance ↓
• Tunnels, Tunnels, Tunnels and more Tunnels
• Performance ↓ Security ↓ ⇒ User turns OFF Security to make system usable!
• Thus, we need more bandwidth to ensure security.

Diagram: each layer of protection wraps the packet in one more header.
• Original packet: HEADER | PAYLOAD
• Virtual Private Network: HEADER | HEADER | PAYLOAD
• Encryption at the network layer: HEADER | HEADER | HEADER | PAYLOAD
• Encryption on the RF link: HEADER | HEADER | HEADER | HEADER | PAYLOAD
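A worked calculation of the header stacking pictured above, added here and not part of the deck: a Python script that applies the encapsulations in turn (Mobile-IP IP-in-IP tunnel, IPsec ESP in tunnel mode with 3DES-CBC as the USCG requirement implies, WEP on the RF link) and reports payload efficiency and serialisation time on the 56 kbps Globalstar channel and the 1 Mbps 802.11b link from the RF Bandwidth slide. The header sizes are the standard ones for those protocols; the 12-byte HMAC ICV and the two-tunnel variant for the Foreign Agent case are assumptions.

```python
"""Per-packet cost of stacking tunnels and encryption on a narrow link.

Constructed example for this deck, not the authors' code. It models the
header-stacking picture (original packet -> VPN -> network-layer
encryption -> RF-link encryption) with standard header sizes and reports
how much of the air time goes to headers rather than payload.
"""

IPV4_HDR = 20        # IPv4 header without options
MIP_TUNNEL = 20      # Mobile-IP IP-in-IP tunnel: one more IPv4 header
WEP_OVERHEAD = 8     # WEP adds a 4-byte IV/key-id and a 4-byte ICV per frame


def esp_tunnel_overhead(inner_len, block=8, iv=8, icv=12):
    """Bytes added by IPsec ESP in tunnel mode around an inner packet.

    Defaults assume 3DES-CBC (8-byte block and IV), the cipher the USCG
    requirement on slide 30 implies, and a 12-byte HMAC ICV (assumed).
    Encrypted data = inner packet + padding + 2-byte trailer, padded to
    the cipher block size.
    """
    pad = (-(inner_len + 2)) % block
    return IPV4_HDR + 8 + iv + pad + 2 + icv   # new IP hdr, SPI+seq, IV, pad, trailer, ICV


def stack(payload_len, layers):
    """Apply encapsulations in order; return [(layer name, bytes on wire), ...]."""
    size = IPV4_HDR + payload_len
    sizes = [("original packet", size)]
    for name, add in layers:
        size += add(size)
        sizes.append((name, size))
    return sizes


# Collocated care-of address: one Mobile-IP tunnel (slide 39/40)
FULL_STACK = [
    ("Mobile-IP tunnel (VPN)", lambda n: MIP_TUNNEL),
    ("IPsec ESP (network layer)", esp_tunnel_overhead),
    ("WEP (RF link)", lambda n: WEP_OVERHEAD),
]
# With a Foreign Agent there is a second Mobile-IP tunnel (slides 37/38);
# treating it as another 20-byte header is an assumption of this example.
FA_STACK = [("Mobile-IP tunnel 0", lambda n: MIP_TUNNEL),
            ("Mobile-IP tunnel 1", lambda n: MIP_TUNNEL)] + FULL_STACK[1:]


def efficiency(payload_len, layers=FULL_STACK):
    """Fraction of the bytes on the RF link that are user payload."""
    return payload_len / stack(payload_len, layers)[-1][1]


def tx_time_s(payload_len, bps, layers=FULL_STACK):
    """Serialisation time of one fully encapsulated packet on a link."""
    return stack(payload_len, layers)[-1][1] * 8 / bps


if __name__ == "__main__":
    for payload in (64, 100, 512, 1400):
        wire = stack(payload, FULL_STACK)
        print(f"{payload:5d} B payload -> {wire[-1][1]:5d} B on air, "
              f"efficiency {efficiency(payload):.0%}, "
              f"{tx_time_s(payload, 56_000) * 1000:6.1f} ms @56 kbps, "
              f"{tx_time_s(payload, 1_000_000) * 1000:5.2f} ms @1 Mbps")
```

For a 100-byte payload the full stack doubles the bytes on air (200 bytes, 50% efficiency, about 29 ms per packet at 56 kbps); small packets such as interactive or routing-protocol traffic pay the most, which is the "Security ↑ Bandwidth Utilization ↓" point in numbers. Each added tunnel also pushes the packet toward the link MTU, which is the overhead the reverse-tunneling slides warn about.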

34

Additional and Future Security Solutions

• AAA Routers (available today)
• Wireless bridges and access points (available 2002)
• IPSec on router interface
• Encrypted radio links
• IPSec, Type 1 or Type 2, and future improved WEP

35

Conclusions

Security Breaks Everything. At least it sometimes feels like that.

• Need to change policy where appropriate.
• Need to develop good architectures that consider how the wireless systems and protocols operate.
• Possible solutions that should be investigated: dynamic, protocol-aware firewalls and proxies, possibly incorporated with Authentication and Authorization.

36

Mobile-IP Operation (IPv4)

Diagram: Mobile Node with Home IP 128.183.13.103 and Care-of-Address 139.88.111.50; Foreign Agents at 139.88.111.1 and 139.88.112.1 (NASA Glenn); Home Agent 128.183.13.1 (NASA Goddard); Corresponding Node 143.232.48.1 (NASA Ames); all connected by the Internet or Intranet.

Mobile-IP (IPv4)

Diagram: Mobile Router (Mobile Node) with Roaming Interface 10.2.2.1, Virtual LAN Interface 10.2.3.1 and MR Loopback Virtual Interface 10.2.4.10, using COA 139.88.100.1; Foreign Agent with FA WAN 139.88.100.1 and Internet WAN 139.88.112.1; Home Agent with Internet WAN 128.183.13.1 and HA Loopback Virtual Interface 128.184.25.1; Corresponding Node 10.2.3.101; Tunnel-0 and Tunnel-1 across the Internet.

Mobile-Router (IPv4): Mobile Router

Diagram: the same addressing (Roaming Interface 10.2.2.1, Virtual LAN Interface 10.2.3.1, MR Loopback 10.2.4.10, COA 139.88.100.1, FA WAN 139.88.100.1, Internet WANs 139.88.112.1 and 128.183.13.1, HA Loopback 128.184.25.1, Corresponding Node 10.2.3.101), with Tunnel-0 and Tunnel-1, the latter labelled at the Foreign Agent.

Mobile-Router (IPv4): Collocated Care-of-Address

Diagram: no Foreign Agent and no second tunnel. Mobile Router (Mobile Node) with Roaming Interface 10.2.2.1, Virtual LAN Interface 10.2.3.1 and MR Loopback Virtual Interface 10.2.4.10, using COA 139.88.100.1, reached across the Internet by a single Tunnel-0 from the Home Agent (Internet WAN 128.183.13.1, HA Loopback Virtual Interface 128.184.25.1); Internet WAN 139.88.112.1; Corresponding Node 10.2.3.101.

41

What’s Next

The End Game

42

Mobile Networks

• Share Network Infrastructure: USCG, Canadian Coast Guard, Commercial Shipping, Pleasure Boaters
• Open Radio Access / Restricted Network Access
• Authentication, Authorization and Accounting
• Architecture: limited, experimental deployment onboard Neah Bay
• Move RIPv2 routing from Fed. Bldg to Neah Bay
• Move to full scale deployment (requires full commitment)

Diagram: MR (public address) with Mobile LAN 10.x.x.x, 802.11b link to FA Cleveland (public) and FA Detroit, Internet, HA (public), PIX-506 and Proxy in front of the Intranet 10.x.x.x.

PIX-506: until we install our PIX FW. Then we should not need the baby PIX.

44

HA Outside Main Firewall

• Firewall between MR interfaces and the public Internet, as well as between the HA and the Private Intranet.
• Reverse tunneling required, as requests from MR LAN hosts must pass through the Proxy inside the main firewall.

45

Areas that need to be addressed

• Home Agent Placement: inside or outside the firewall
• AAA Issues: Open Radio Access / Restricted Network Access; Secure Key Management
• IPv6 Mobile Networking Development: work with industry and IETF
• Develop radio link technology: enable better connectivity throughout the world for both military and aeronautical communications (voice, video and data).

46

NASA’s Needs

Mobile Networks

47

Relevant NASA Aeronautics Programs

• Advanced Air Transportation Technology (AATT)
• Weather Information Communication (WINCOMM)
• Small Aircraft Transportation System (SATS)

48

Aeronautic Networking Issues

• Move to IPv6
• IPv6 Mobile Networking
• Authentication, Authorization and Accounting
• Bandwidth, Bandwidth, Bandwidth
• Media Access
• Policy
• Sending of Operations over Entertainment Channels

Earth Observation

Diagram: links labelled T1, T2? and T3.

51

Space Flight Implementation

• Sharing Infrastructure: Common Media Access, Common Ground Terminal Capabilities, Common Network Access
• AAA
• Common Modulation and Coding
• Software Radio

Backup

53

Asymmetrical Pathing

Diagram: a Mobile Router reached over MilStar, Globalstar, others and a DVB satellite, with the Internet, a Home Agent and two Foreign Agents.

54

Neah Bay

55

Papers and Presentations

http://roland.grc.nasa.gov/~ivancic/papers_presentations/papers.html

or http://roland.grc.nasa.gov/~ivancic/ and pick "Papers and Presentations"