…an enabling technology for national and international security · 2002-11-22
TRANSCRIPT
Goals for November 6th
• Highlight Mobile Networking Technology, emphasizing National and International Security today due to time limitations.
• Discuss security policy
• Enabling shared infrastructure (when reasonable)
• Next Steps (Afternoon Session)
• Other Items (Afternoon Session)
Today’s Audience
• Big Picture People
• Policy Makers
• Media
• Code Writers
• Implementers
Please, don’t be afraid to ask questions.
Neah Bay / Mobile Router Project
(Diagram: Foreign Agents at Cleveland, Detroit and “Somewhere, USA”; Home Agent at “Anywhere, USA”; all reached over the Internet.)
• Neah Bay outside of wireless LAN range: connected to the FA via Globalstar.
• Neah Bay in Cleveland harbor: connected to the FA via wireless LAN.
Why NASA/USCG/Industry
• Real world deployment issues can only be addressed in an operational network.
• USCG has immediate needs, therefore willingness to work the problem.
• USCG has military network requirements.
• USCG is a large enough network to force us to investigate full scale deployment issues.
• USCG is small enough to work with.
• NASA has the same network issues regarding mobility, security, network management and scalability.
Mobile-Router Advantages
• Share wireless and network resources with other organizations
• $$$ savings
• Set and forget: no onsite expertise required. However, you still have to engineer the network.
• Continuous Connectivity (may or may not be important to your organization)
• Robust: Secondary Home Agent (reparenting of HA)
Mobile Network Design Goals
• Secure
• Scalable
• Manageable
• Ability to share network infrastructure
• Robust
Shared Network Infrastructure
(Diagram: the Public Internet with shared Foreign Agents; Mobile Routers and Home Agents belonging to the US Coast Guard, the Canadian Coast Guard, ACME Shipping and the US Navy.)
Encrypting wireless links makes it very difficult to share infrastructure. This is a policy issue.
Secondary Home Agent (reparenting the HA)
(Diagram: Primary Home Agent and Secondary Home Agent.)
Reparenting the Home Agent helps resolve the triangular routing problem over long distances.
Emergency Backup (Hub / Spoke Network)
• If the primary control site becomes physically inaccessible but can be electronically connected, a secondary site can be established.
• If the primary control site is physically incapacitated, there is no backup capability.
Secondary Home Agent (Fully Meshed Network)
(Diagram: five fully meshed sites, numbered 1 to 5.)
If the primary control site is physically incapacitated, a second or third or fourth site takes over automatically.
We Are Running with Reverse Tunneling
Pros
• Ensures topologically correct addresses on foreign networks
• Required, as requests from MR LAN hosts must pass through the Proxy inside the main firewall
• Greatly simplifies setup and management of security associations in encryptors
• Greatly simplifies multicast; the HA makes for an excellent rendezvous point.
Cons
• Uses additional bandwidth
• Destroys route optimization
(Diagram: Mobile LAN 10.x.x.x behind the MR; 802.11b link to FA Cleveland or FA Detroit; the Internet; HA with a public address; Proxy and Firewall in front of the USCG Intranet 10.x.x.x. Encryption is applied between the MR Tunnel Endpoint (public space) and the HA Tunnel Endpoint (public space).)
Open Network Data Transfers
(Diagram: same topology as above, with the USCG Officer’s Club and the East and West Docks as the wireless sites.)
Encrypted Network Data Transfers
(Diagram: same topology, with the data path encrypted between the MR and HA tunnel endpoints.)
Monitoring Points
(Diagram: same topology, with two Open Network Monitoring Points.)
(Diagram: same topology.)
Note, we are monitoring the Neah Bay. We are using lots of bandwidth to do this.
RF Bandwidth
(Diagram labels: Mobile LAN 10.x.x.x, Encryption, East Dock, West Dock.)
• 1.0 Mbps (manually set)
• 1.0 Mbps (manually set)
• 11.0 Mbps (auto-negotiated and shared with Officer’s Club)
• 7 Kbps to 56 Kbps in 7 Kbps chunks (1 to 2.5 seconds delay)
Wireless Only?
• Wireless can be jammed, particularly unlicensed spectrum such as 802.11. Satellites are a bit harder. The solution is to find the interferer and make them stop.
• You still want land line connections. Mobile Routing can be used over land lines.
Globalstar / Sea Tel MCM-8
• Initial market addresses maritime and pleasure boaters.
• Client / Server architecture: the current implementation requires the call to be initiated by the client (ship).
• Multiplexes eight channels to obtain 56 kbps total data throughput. Full bandwidth-on-demand.
• Requires use of a Collocated Care-of-Address.
Layer 2 Technology
• Globalstar MCM-8 with Sea Tel Tracking Antenna
• Hypergain 802.11b Flat Panel
• 8 dBi Dipole
• L3-Comm 15 dBic Tracking Antenna
IPv4 Utopian Operation: Triangular Routing
(Diagram: Mobile Router behind a Foreign Agent on the Public Internet; Home Agent in the US Coast Guard Operational Network (private address space); Corresponding Node. Traffic from the CN reaches the MR via the HA, while the MR sends directly to the CN.)
IPv4 “Real World” Operation
(Diagram: same topology, with a Proxy in front of the US Coast Guard Operational Network.)
• The Proxy had not originated the request; therefore, the response is squelched. Peer-to-peer networking becomes problematic at best.
• Glenn Research Center Policy: No UDP, No IPSec, etc. Mobile-IP stopped in its tracks. What’s your policy?
• Ingress or Egress Filtering stops transmission due to the topologically incorrect source address. IPv6 corrects this problem.
• USCG requires 3DES encryption. WEP is not acceptable due to known deficiencies.
Current Solution: Reverse Tunneling
(Diagram: same topology; the MR’s outbound traffic is tunneled back to the HA before it reaches the Proxy and the Corresponding Node.)
• Anticipate similar problems for IPv6.
• Adds overhead and kills route optimization.
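To make the ingress-filtering problem on the “Real World” slide and the reverse-tunnel fix above concrete, here is an added Python sketch (not from the deck or the project): a mobile-LAN host’s request leaves the foreign network with its topologically incorrect 10.x source and is dropped at the border filter, while with the reverse tunnel the outer header carries the COA from the diagrams, passes the filter, and the HA decapsulates it toward the intranet. The 139.88.100.0/24 foreign prefix, the 10.2.3.0/24 mobile LAN, the 10.0.0.0/8 intranet and the host 10.1.1.1 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses from the deck's Mobile-Router (IPv4) diagrams. The /24 foreign
# prefix, the /24 mobile LAN and the /8 intranet are constructed assumptions.
FOREIGN_PREFIX = ipaddress.ip_network("139.88.100.0/24")  # FA WAN side (assumed)
CARE_OF_ADDRESS = "139.88.100.1"                          # MR's COA (diagram)
HOME_AGENT = "128.183.13.1"                               # HA Internet WAN (diagram)
MOBILE_LAN = ipaddress.ip_network("10.2.3.0/24")           # MR virtual LAN (assumed)
INTRANET = ipaddress.ip_network("10.0.0.0/8")              # USCG intranet 10.x.x.x

@dataclass
class Packet:
    src: str
    dst: str
    inner: Optional["Packet"] = None  # set when this is the outer tunnel header

def reverse_tunnel(pkt: Packet) -> Packet:
    """MR wraps outbound traffic toward the HA; the outer source is the COA,
    which belongs to the foreign network the packet is leaving."""
    return Packet(src=CARE_OF_ADDRESS, dst=HOME_AGENT, inner=pkt)

def foreign_border_filter(pkt: Packet) -> bool:
    """Egress/ingress filter at the foreign border: the outermost source must
    be topologically correct, i.e. inside the prefix the packet leaves from."""
    return ipaddress.ip_address(pkt.src) in FOREIGN_PREFIX

def home_agent_decapsulate(pkt: Packet) -> Packet:
    """HA strips the outer header; the original packet continues inward."""
    if pkt.dst != HOME_AGENT or pkt.inner is None:
        raise ValueError("not a reverse-tunnel packet addressed to this HA")
    return pkt.inner

def deliver(pkt: Packet, use_reverse_tunnel: bool) -> str:
    """Trace one request from a mobile-LAN host toward an intranet CN."""
    wire = reverse_tunnel(pkt) if use_reverse_tunnel else pkt
    if not foreign_border_filter(wire):
        return "dropped_at_foreign_border"   # the raw 10.x source never gets out
    if use_reverse_tunnel:
        wire = home_agent_decapsulate(wire)  # now inside the USCG network
    if (ipaddress.ip_address(wire.src) in MOBILE_LAN
            and ipaddress.ip_address(wire.dst) in INTRANET):
        return "delivered_via_ha"
    return "unroutable"

if __name__ == "__main__":
    req = Packet(src="10.2.3.101", dst="10.1.1.1")  # constructed request
    print("direct:        ", deliver(req, False))   # dropped_at_foreign_border
    print("reverse tunnel:", deliver(req, True))    # delivered_via_ha
```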
Security
• Security ↑ Bandwidth Utilization ↓
• Security ↑ Performance ↓
• Tunnels, Tunnels, Tunnels and more Tunnels
• Performance ↓ Security ↓ ⇒ User turns OFF Security to make the system usable!
• Thus, we need more bandwidth to ensure security.
(Diagram: the header stack on a packet as it crosses the system.)
ORIGINAL PACKET: HEADER | PAYLOAD
VIRTUAL PRIVATE NETWORK: HEADER | HEADER | PAYLOAD
ENCRYPTION AT THE NETWORK LAYER: HEADER | HEADER | HEADER | PAYLOAD
ENCRYPTION ON THE RF LINK: HEADER | HEADER | HEADER | HEADER | PAYLOAD
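The stack above grows every packet by three headers plus padding and an integrity check. As an added Python example (not from the deck or the project), the block below computes the on-wire size and the resulting goodput for the deck’s two link rates; it assumes the VPN box is a Mobile IP IP-in-IP tunnel, the network-layer box is IPsec ESP tunnel mode with 3DES and HMAC-SHA1-96, and the RF-link box is WEP, using the standard sizes of those headers.

```python
# Per-packet size growth from the header stack on the slide: original IP packet,
# Mobile IP reverse tunnel (IP-in-IP), IPsec ESP tunnel mode with 3DES and
# HMAC-SHA1-96 (3DES being what the USCG requires), and WEP on the RF link.
# Header sizes are the standard ones; the 802.11 MAC header itself is not counted.
IP_HDR = 20                       # IPv4 header without options
ESP_HDR = 8                       # SPI + sequence number
ESP_IV_3DES = 8                   # 3DES-CBC block size / IV
ESP_TRAILER = 2                   # pad length + next header
ESP_ICV_SHA1_96 = 12              # truncated HMAC-SHA1
WEP_OVERHEAD = 4 + 4              # IV + ICV added to each 802.11 frame

def ip_in_ip(size: int) -> int:
    """Mobile IP tunnel: one more IPv4 header in front of the packet."""
    return size + IP_HDR

def esp_tunnel_3des(size: int) -> int:
    """ESP tunnel mode: outer IP, ESP header, IV, the whole inner packet plus
    trailer padded to the 8-byte 3DES block boundary, then the ICV."""
    body = size + ESP_TRAILER
    pad = (-body) % 8
    return IP_HDR + ESP_HDR + ESP_IV_3DES + body + pad + ESP_ICV_SHA1_96

def wep(size: int) -> int:
    """Link-layer encryption on the 802.11b hop."""
    return size + WEP_OVERHEAD

FULL_STACK = (ip_in_ip, esp_tunnel_3des, wep)

def stacked_size(payload: int, layers=FULL_STACK) -> int:
    """Bytes on the wire for `payload` bytes of application data."""
    size = IP_HDR + payload                     # the ORIGINAL PACKET
    for layer in layers:
        size = layer(size)
    return size

def efficiency(payload: int, layers=FULL_STACK) -> float:
    """Fraction of link bytes that is application data."""
    return payload / stacked_size(payload, layers)

def goodput_kbps(payload: int, link_kbps: float, layers=FULL_STACK) -> float:
    """Application-level throughput on a link of the given rate."""
    return link_kbps * efficiency(payload, layers)

if __name__ == "__main__":
    for payload in (64, 512, 1400):             # small, medium, large packets
        print(f"{payload:5d} B payload -> {stacked_size(payload):5d} B on wire, "
              f"{efficiency(payload):.0%} efficient, "
              f"{goodput_kbps(payload, 56):5.1f} kbps of a 56 kbps Globalstar link, "
              f"{goodput_kbps(payload, 1000):6.1f} kbps of a 1.0 Mbps 802.11b link")
```

With a 1400-byte payload the stacked packet already exceeds a 1500-byte Ethernet MTU, so tunnel fragmentation adds a further cost that this calculation does not show.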
Additional and Future Security Solutions
• AAA Routers (available today): IPSec on the router interface; IPSec, Type 1 or Type 2.
• Wireless bridges and access points (available 2002): encrypted radio links; future improved WEP.
Conclusions
Security Breaks Everything. At least it sometimes feels like that.
• Need to change policy where appropriate.
• Need to develop good architectures that consider how the wireless systems and protocols operate.
• Possible solutions that should be investigated: dynamic, protocol-aware firewalls and proxies, possibly incorporated with Authentication and Authorization.
Mobile-IP (IPv4)
(Diagram: Mobile Node, two Foreign Agents, Home Agent, Corresponding Node, Internet or Intranet. Addresses shown: 139.88.111.1 and 139.88.112.1 (NASA Glenn), 143.232.48.1 (NASA Ames), 128.183.13.1 (NASA Goddard); Mobile Node Home IP 128.183.13.103, Care-of-Address 139.88.111.50.)
Mobile-Router (IPv4) with Foreign Agent
(Diagram: Mobile Router (Mobile Node) with Roaming Interface 10.2.2.1, Virtual LAN Interface 10.2.3.1, MR Loopback Virtual Interface 10.2.4.10 and COA 139.88.100.1; Foreign Agent with FA WAN 139.88.100.1; Home Agent with HA Loopback Virtual Interface 128.184.25.1; Internet WAN addresses 128.183.13.1 and 139.88.112.1; Corresponding Node; host 10.2.3.101; Tunnel-0 and Tunnel-1 across the Internet.)
Mobile-Router (IPv4) Collocated Care-of-Address
(Diagram: same addressing as above, but with no Foreign Agent and no second tunnel; Tunnel-0 runs directly from the Mobile Router across the Internet to the Home Agent.)
Mobile Networks Share Network Infrastructure
• USCG, Canadian Coast Guard, Commercial Shipping, Pleasure Boaters
• Open Radio Access / Restricted Network Access
• Authentication, Authorization and Accounting
Architecture
• Limited, experimental deployment onboard Neah Bay
• Move RIPv2 routing from Fed. Bldg to Neah Bay
• Move to full scale deployment: requires full commitment
(Diagram: MR with a public address and Mobile LAN 10.x.x.x; 802.11b link to FA Cleveland (public) or FA Detroit; the Internet; HA (public); a PIX-506 and the Proxy in front of the Intranet 10.x.x.x.)
PIX-506 until we install our PIX FW; then we should not need the baby PIX.
HA Outside Main Firewall
• Firewall between the MR interfaces and the public Internet, as well as between the HA and the private Intranet.
• Reverse tunneling required, as requests from MR LAN hosts must pass through the Proxy inside the main firewall.
Areas that need to be addressed
• Home Agent Placement: inside or outside the firewall
• AAA Issues: Open Radio Access / Restricted Network Access; Secure Key Management
• IPv6 Mobile Networking Development: work with industry and the IETF
• Develop radio link technology: enable better connectivity throughout the world for both military and aeronautical communications (voice, video and data).
Relevant NASA Aeronautics Programs
• Advanced Air Transportation Technology (AATT)
• Weather Information Communication (WINCOMM)
• Small Aircraft Transportation System (SATS)
Aeronautic Networking Issues
• Move to IPv6
• IPv6 Mobile Networking
• Authentication, Authorization and Accounting
• Bandwidth, Bandwidth, Bandwidth
• Media Access
• Policy
• Sending of Operations over Entertainment Channels
Space Flight Implementation
• Sharing Infrastructure: Common Media Access, Common Ground Terminal Capabilities, Common Network Access
• AAA
• Common Modulation and Coding: Software Radio
Asymmetrical Pathing
(Diagram: Mobile Router; MilStar, Globalstar, Others; DVB Satellite; Internet; Home Agent; two Foreign Agents.)