internet goes mobile alper yegin kiow 2003 at apnic 16 august 19th, 2003. seoul, korea
TRANSCRIPT
Internet Goes Mobile
Alper Yegin
KIOW 2003 at APNIC 16
August 19th, 2003. Seoul, Korea
2
Internet - Yesterday
Internet
DSL
Home Network
Dial up
Home user
T1Enterprise Network
3
Internet - Today and Tomorrow
Internet
DSL
Home Network
DSL
Home NetworkMobile Network
GPRS
Dial up
Home user
W-CDMA
T1Enterprise Network Operator Network
Community Network
PAN
4
Challenge
• Users expect the same characteristics (greedy!)– Secure
– Reliable
– Seamless
– High performance
• Burden is on:– Standards bodies (IETF, IEEE, 3GPP, 3GPP2, etc.)
– Vendors
– Operators
5
Security
• First things first!
• Physical security is replaced with crypto-based security– Threats: Eavesdropping, spoofing– Not a full replacement!
• Crypto designs and experts get a good exercise!
6
Solutions
• Good solutions:– 3GPP, 3GPP2
• Bad solutions– IEEE WEP fiasco!
• Practical but less than adequate solutions:– WECA WISPer: HTTP redirect and web-based login
hackery
• Practical and reasonable solutions:– IEEE 802.11b access outside VPN gateway
7
The Right Solution
• Authenticate, authorize the client• Accounting and privacy
Home Network
Visited Network
host
AP
AccessRouter
HomeAAA
ISPAAA
PANA, 802.1X
Diameter, RADIUS
Diameter, RADIUS
8
The Right Solution• IETF AAA, EAP, and PANA Working Groups• IEEE 802.11i, 802.1aa
Home Network
Visited Network
host
AP
AccessRouter
HomeAAA
ISPAAA
PANA, 802.1X
Diameter, RADIUS
Diameter, RADIUS
9
Global AAA
• AAA web of trust is here (unlike global PKI) and more capable.
Home Network
Visited Network
AAAserver
AAAserver
Visited Network
AAAserver
Home Network
AAAserver
AAAbroker
AAAbroker
10
Impact
• Security is never plug-and-play (plug-and-get-hacked!)
• Additional infrastructure– Front-end AAA servers (NAS)– Backend AAA servers (RADIUS, Diameter servers)– VPN gateways
• Configuration– On the clients– Per-client configuration on the servers (keys, authorization
parameters, etc.) – Configuration to join the AAA web-of trust
11
Impact
• Increased popularity of IPsec and TLS– AAA requires confidential information exchange
– VPN
– Anonymizer.com
• Strengthening internal network is a MUST– Unless you are 100% sure that wireless access is secure
– Partitioning, IDS, enforcing strict policy execution (social aspects)
12
But Still
• …. You are vulnerable to attacks!
• Price of going wireless
13
Mobility Management
• Host at home (fixed Internet).
Home Network
Visited Network
Web server
hosta::1
AP
APAP
AccessRouter
AccessRouter
AccessRouter
AccessRouter
a::/64
AP
14
Mobility Management
• You move, you break!
Home Network
Visited Network
Web server
AP
AP APAP
AccessRouter
AccessRouter
AccessRouter
AccessRouter
hostb::1
b::/64
15
Mobile IP
• IETF Mobile IP Working Group– www.ietf.org/html.charters/mobileip-charter.html
Home Network
Visited Network
Web server
hostb::1
AP
APAP
AccessRouter
AccessRouter
AccessRouter
AccessRouter
HomeAgent
APb::/64
a::1b::1
homeaddress
care-ofaddress
16
Mobile IP
• Traffic tunneled through home network
Home Network
Visited Network
Web server
hostb::1
AP
APAP
AccessRouter
AccessRouter
AccessRouter
AccessRouter
HomeAgent
APb::/64
17
Mobile IP
• End-to-end signaling for route optimization
Home Network
Visited Network
Web server
hostb::1
AP
APAP
AccessRouter
AccessRouter
AccessRouter
AccessRouter
HomeAgent
APb::/64
a::1b::1
homeaddress
care-ofaddress
18
Mobile IP
• Most direct path for data traffic.
Home Network
Visited Network
Web server
hostb::1
AP
APAP
AccessRouter
AccessRouter
AccessRouter
AccessRouter
HomeAgent
APb::/64
19
… Fast and Smooth
• Problem: Signaling latency.
Home Network
Visited Network
Web server
hostc::1
AP
APAP
AccessRouter
AccessRouter
AccessRouter
AccessRouter
HomeAgent
APc::/64
a::1c::1
new care-ofaddress
20
… Fast and Smooth• Fast Handovers
– draft-ietf-mobileip-fast-mipv6-06.txt
• IETF Seamoby Working Group– www.ietf.org/html.charters/seamoby-charter.html
Home Network
Visited Network
Web server
AP
APAP
AccessRouter
AccessRouter
AccessRouter
AccessRouter
HomeAgent
APc::/64b::1c::1
hostc::1
old care-ofaddress new care-of
address
21
… Fast and Smooth
• Context transferred and routes fixed.
Home Network
Visited Network
Web server
AP
APAP
AccessRouter
AccessRouter
AccessRouter
AccessRouter
HomeAgent
APc::/64
hostc::1
22
… Privacy
• Hide precise location and movement.
Home Network
Visited Network
Web server
hostd::1
AP
APAP
AccessRouter
AccessRouter
AccessRouter
AccessRouter
HomeAgent
AP
d::/64
c::/64b::/64
cafeteria CEO’s office employee office
23
… Privacy
• Obtain an IP address from the localized mobility agent.
Home Network
Visited Network
Web server
hostd::1
AP
APAP
AccessRouter
AccessRouter
AccessRouter
AccessRouter
HomeAgent
AP
d::/64
c::/64b::/64
LocalizedMobility Agent
e::1d::1
e::/64 a::1e::1
regionalcare-ofaddress
localcare-ofaddress
homeaddress
24
… Privacy
• Correspondent sends packets directly to the agent. Agent tunnels them to the precise location.
Home Network
Visited Network
Web server
hostd::1
AP
APAP
AccessRouter
AccessRouter
AccessRouter
AccessRouter
HomeAgent
AP
d::/64
c::/64b::/64
LocalizedMobility Agent
25
… Privacy
• Correspondent does not know the real IP destination, or when it changes.
Home Network
Visited Network
Web server
AP
APAP
AccessRouter
AccessRouter
AccessRouter
AccessRouter
HomeAgent
APc::/64b::/64
LocalizedMobility Agent
hostb::1
26
… AAA
• Mobility management is a for-profit “service”
Home Network
Visited Network
Web server
AP
APAP
AccessRouter
AccessRouter
AccessRouter
AccessRouter
HomeAgent
APc::/64b::/64
LocalizedMobility Agent
hostb::1
HomeAAA
ISPAAA
27
… Network is Mobile
• IETF NEMO Working Group– www.ietf.org/html.charters/nemo-charter.html
Visited Network
AccessRouter
AccessRouter
AccessRouter
BaseStation
BaseStation
BaseStation
28
Impact on Intranet
• More stateful servers– Home agents, access routers (for context transfer and
fast handovers), localized mobility agents
– Mobile IP bindings, tunnels, host-routes
– Redundancy and fault-tolerance are MUST!
• More configuration– Per client on the servers
– Trust relations among communicating servers
29
Impact on Internet/Intranet
• Tunnels– Several levels of nesting
Web server HomeAgent
LocalizedMobility Agent
PreviousAccessRouter
hostCurrentAccessRouter
Fast Handovers
Localized Mobility Management
Mobile IP
HomeAddress
(Regional)Care-ofAddress
(Older local)Care-ofAddress
(Current local)Care-ofAddress
30
Impact on Internet
• Address consumption– Always-on hosts– Purpose-specific address usage (home address, care-of
address)– Multihomed devices (GPRS, IEEE 802.11b, Bluetooth)– Sensor networks
31
Impact on Internet
• Suboptimal routing, redirect servers
host A
host B
HomeAgent A
HomeAgent B
32
Host Assumptions
• Can be anything:
• Dynamic auto-configuration needed:– IPv6 address auto-configuration (RFC 2462)
– IPv6 prefix delegation (draft-troan-dhcpv6-opt-prefix-delegation-02.txt)
– Service discovery (IPv6 anycast address support)
33
IPv6
• IPv6 benefits:– Ability to run server apps on devices (accept incoming
connections)– Plug-and-play– End-to-end IPsec for thwarting first-hop and last-hop threats– Mobile IPv6 : Efficient, easy to deploy and manage, and
scalable mobility protocol– Extensibility
• Mobile and wireless Internet will expedite the transition from IPv4-NAT to IPv6
• www.isoc.org/briefings/014/index.html
34
Conclusion
• Wireless and mobility provide tremendous benefits, but they come with a price.
• Transitioning the Internet protocols, architectures, products, and running networks should be done very carefully.
Questions?