Workshop on HIP and Related Architectures Workshop Overview November 6, 2004 Tom Henderson, Pekka Nikander, and Scott Shenker
2 Goals
- Interaction and exchange of ideas
  - New name space(s) for the Internet
  - Consequences of separating ID/locator
  - HIP experimentation and deployment
- Outcomes
  - new perspectives for participants
  - identify research/experimental directions
  - identify areas of consensus or disagreement
3 HIP vs. other approaches
- Although HIP is a current focus of IETF/IRTF, workshop can consider other identifiers, e.g.
  - multi6 (SIM, NOID, CB64, WIMP, LIN6, multi6dt)
  - i3 triggers
  - non-global identifiers (FARA)
  - identifiers for web services
  - SIP URIs / IMS
  - Identity-based cryptography (DoCoMo paper)
4 Sessions
1. Applying and deploying an ID/locator split
  - changing and managing applications and hosts
  - dealing with legacy infrastructure and middleboxes
  - introducing new infrastructure
2. Overlays, rendezvous, middleboxes, and delegation
  - advanced middleboxes and firewalls
  - advanced resolution and indirection
3. General architectural directions
  - late binding
  - encouragement of middleboxes in architecture
  - approaches (FARA, HIP, i3, NIMROD, multi6, etc.)
5 Logistics
- $30 fee to cover catering (cash or check)
- Payable to whom?
- Hotel wireless service only?
- Availability of white papers on public site?
- Working lunch (buffet sandwiches/salad)
- Room vacated at 4:30
- Discussions can continue at bar/dinner
- BOFs tonight and through IETF
- IRTF HIP-RG meeting Friday Nov. 12
6 Session 1: Applying and deploying an identifier/locator split
Tom Henderson
7 Session discussion theme
- Assume that users and networks want to deploy ID/locator separation
- How to cross the chasm between architecture and reality (Early Adopters)?
- Architectures and specs
- Deployed systems and workable infrastructure
8 Relevant white papers
- HIP, a Marketing Analysis by Tim Shepard
- HIPpy Road Warriors Jumping Hoods over Road Blocks by Pekka Nikander
- Network Attachment and Address Configuration using HIP by Seppo Heikkinen et al.
- Middlebox Traversal of HIP Communication by Martin Stiemerling et al.
- Can SIP use HIP? by Tom Henderson
9 Discussion organization
1. Host: Implementing and managing an ID/locator split
  - host and application concerns
2. Network: Making it work in today's networks
  - firewalls
  - middleboxes (existing NATs)
  - (resolution) infrastructure
3. Incentives: Application/user incentives for deployment
  - what are the killer apps?
10 1. Some host/application concerns
- Managing another set of identifiers
  - DNS FQDN and IP can be complicated enough
  - securing new identifiers (e.g. against phishing)
- APIs and application IDs
  - the referral problem
- Support within network stack
  - changes to IPsec (BEET mode)
  - locator selection for multihoming
  - transport responses to mobility and multihoming
  - safekeeping of cryptographic material within systems (trusted computing)
11 Experience with HIP implementations
- HIP has been shown to work, but...
- Software not completely ready for prime time
- Not trivial to install
  - modified kernel or tap packets to user-space
- HITs/HIs are cumbersome to deal with
  - stored in insecure places
  - how to manage multiple identities?
- Transport layer issues unsolved
- API issues and locator spoofing have been hard problems
- HIP conflicts with host firewall policies (sometimes outside of control of user)
12 Managing identifiers
- How are average users going to manage a new name space?
  - existing network/DNS configuration can be confusing even today
  - privacy concerns
  - non-repudiation/revocation concerns
- Many stack identifiers (e.g. HITs) are not human readable
  - how to securely bind user-friendly names like URIs to stack names?
13 API issues
- What is the identifier used by transport and applications?
- Alternatives:
  - Require apps to use a new resolver library and become HIP-aware
    - Legacy apps?
  - Spoof a local scope identifier as an IP address in the name resolution
    - Problems with referrals and delegation
    - What if no DNS query?
  - Use IP addresses and do a host NAT in the stack
    - May cause ambiguity in mobility scenarios
14 In the network stack
- IPsec modifications for BEET mode
- locator selection and management
  - policies (which to use when?)
  - relevant work: MAST, CELP
- locators change and transport protocols
  - Congestion control, MTU
  - what to do when no locators are active?
- where to store keys?
  - should be in hardware somewhere
  - how to make this less cumbersome?
15 Discussion
1. What can be done to make management of new name space(s) easier for users?
  - Privacy and security concerns
  - Standard ways of including identity in applications
  - New vs. legacy applications
2. What names are in use within applications and APIs, and how to secure the various bindings?
3. How to handle multiple identities and multiple locators within a stack
  - securing the identifiers (e.g., key escrow)
  - policy issues for transport connection triggers, locator selection, etc.
16 2. Making it work in real networks
- Middlebox traversal
  - firewall restrictions
  - traversing legacy NATs: how??
- Deploying basic infrastructure
  - Resolution service (names to locators)
  - Dynamic Association Module (NIMROD)
  - keeping resolution up-to-date across locator changes
- How much will it cost to support/administer?
17 Legacy middlebox traversal*
- HIP base exchange would be a problem for IPv6 NATs
- suggested IPv4 UDP HIP format is problematic for NATs that use source port for demultiplexing concurrent streams
- well-known problem of no inbound traffic
- no means to indicate sender's (public) IP address
- Firewalls have similar (policy) concerns
- IPsec traversal of NATs
- Application-level gateway traversal (e.g. HTTP proxy)
* Stiemerling, Quittek, and Eggert white paper
18 Infrastructure issues
- Can DNS RRs suffice for name resolution?
- What about deploying (flat) EID to locator resolution?
  - e.g. Wide-scale DHT deployment
- How to optimize resolution services both for fast lookup and fast update?
  - or should update and lookup be handled separately?
- How much will this all cost to deploy and administer?
* Stiemerling, Quittek, and Eggert white paper
19 Discussion
1. Should we consider IPv4 a lost cause because of NATs/firewalls?
  - but can we expect to have pure HIP-aware IPv6 middleboxes?
  - or... is IPv6 deployment a lost cause?
2. How much to defile the architecture to get it to work in current or anticipated networks?
  - Is transport port # now a fundamental piece of IP header and should be treated as such?
3. Should work on Teredo/STUNT/NUTSS-like middleboxes (relays) to traverse transparent NATs be considered a priority?
20 Discussion (cont.)
4. Will flat (DHT) resolution mechanisms for new identifiers work on an Internet scale?
5. Should DNS be taken advantage of, or sidestepped?
6. How to get providers to support resolution infrastructure, and punch firewall holes?
  - how much can we expect it to cost and still get deployed?
21 3. Deployment incentives
- Can HIP (or other ID/loc split) have an SSH-like success story?
- What applications need this now?
  - or are present workarounds good enough
- What new applications might be enabled by ID/locator split?
- How expensive will the deployment be?
22 Some possible applications
- HIPpy road warriors
- HIP + SIP
  - use SIP control plane to exchange host identities
  - use HIP to secure data plane and provide mobility
- Network configuration??
- multi6 (site multihoming for IPv6)
- trusted computing
- peer to peer
- anti-spam
23 Road warrior case study (Nikander)
- Requirements:
  - fully secured
  - no user actions and taking no time
  - mirrored synchronizing file systems
- Challenges:
  - NAT and legacy firewalls
  - legacy servers
  - authentication through captive web pages
- Solutions:
  - Upgrade NATs and firewalls
  - Possibly combining HIP and CGA in network access
  - HIP over UDP and related bridging/proxying
24 SIP+HIP case study*
- SIP can be used to disseminate Host Identities
  - negates somewhat the need for HIP resolvers
- HIP provides man-in-the-middle security in the data plane
- HIP mobility similar to MIPv6 with RO
- Other HIP benefits similar to purpose-built-keys or traditional IPsec? (i.e., is HIP's utility to SIP only incremental, as presently defined?)
*(Henderson white paper, and draft-tschofenig-hiprg-host-identities-00)
25 Network configuration*
- DHCP-Discover
- DHCP-Request
- Additional techniques (SAML, SPKI) to authenticate ephemeral IDs
- Related solutions?:
  - Cisco Network Admission Control (NAC) and Microsoft Network Access Protection (NAP)
  - Transactions for Accessing Public Infrastructure -- TAPI (Nikander et al)
*(Heikkinen, Tschofenig, and Gelbord white paper)
26 Discussion
1. What are the possible killer apps for id/locator split in general, and HIP in particular?
  - enhancing existing apps
  - new applications
2. Or is HIP primarily a security (DoS and MITM prevention) enhancement?
3. Or is HIP a solution in search of a problem?
27 HIP and Related Architectures Session II: Infrastructure, or Overlays, Rendezvous, Delegation, and Middleboxes (Pekka Nikander)
28 About this session
- Related position papers
- Presentation outline
  - A framework for the discussion
  - Combinatorial complexity
  - Where is the state?
  - Strapping the boots
  - Open questions
29 About this session
- Compared to Session I:
  - More open ended
  - Less structured
- Just a few slides, and then let it go
- (Backup slides just for the case...)
30 Related position papers
- Arkko et al: Hi3
- Gurtov & Joseph: Friends or Rivals: HIP and i3
- Eggert et al: HIP Resolution and Rendezvous
- Walfish & Balakrishnan: ID/Loc Split is Useful for Middleboxes, too
- Tschofenig et al: HIP Middlebox Traversal
- Tschofenig et al: Advanced HIP-based Firewall Traversal
31 A framework for thought
- Maybe just one protocol (like in i3)
- Maybe separated protocols (like HIP and ESP)
- Maybe additional protocols
  - Registration, middle box internal,
32 Combinatorial complexity
- Combination of different types of middle boxes?
  - Existing NATs and firewalls
  - DHT nodes
  - Architected HIP-based and firewall
  - Application level intermediaries
33 Where is the state?
- How is the state created in the network?
  - Snooping? Protocol?
- How much state is there in the packet?
- Soft state, but softer or harder?
Packet: EID EID EID* Locator*, EID
Middle box: EID Locator EID Locator EID Locator nothing nothing [checks EID]
34 Bootstraps
- How to arrange initial rendezvous?
  - Identity based overlay routing?
  - Look up locator(s) from the infrastructure?
- How to find the infrastructure?
  - Manual configuration is a bad answer!!
  - Anycast? Router advertisement?
  - Middle boxes that announce themselves on first communication?
35 Open questions (1)
- Rendezvous: overlay routing or name resolution?
- Bootstrap: how to find an infrastructure node?
- Layer 3.5 routing:
  - How much state in packet vs middle boxes?
  - How is the middle box state managed?
  - Effects of asymmetric routing?
- What are the limiting and decisive factors?
36 Open Questions (2)
- Address hiding and DDoS protection
- Combination of different types of middle boxes?
- Operations and management issues?
  - Debugging the system
- Dangers of having any centralization
  - Aim for decentralised infrastructure?
- How to manage free riding?
37 Extra slides
38 i3
39 i3
40 Plain HIP without DHT
41 Plain HIP without DHT
42 Plain HIP with NAT
43 Plain HIP with NAT
44 FA instead of NAT and RVS
45 HIP 61 Architecture Session
James Kempf, DoCoMo Labs USA
46 Papers for this session
- The FARA Architectural Model, NewArch
  - I'll include the NewArch final report in the discussion, because it touches on many of the same issues but discusses them more broadly
- The Benefits of Late Binding for HIP-like Mechanisms, Lakshminarayanan and Stoica, UCB
- Exploring Deeper Issues of Separating Identity and Location for Mobile Hosts, Kempf, Fu, Wood, and Kawahara, DoCoMo
47 Identity in HIP
- Right now in HIP: identity management == key management
  - Key management is an unsolved problem in the Internet currently
- Bottom line: Identifier is a computational object with undefined relationship to offline considerations
48 Identity
49 Tying HIP identifiers to the non-cyber world?
- What it is: Pushing identity down into the stack
- Why it might be a good idea:
  - Early mitigation of phishing and other security attacks based on spoofed identity
  - Good for naïve users
- Why it might be a bad idea:
  - Compromises privacy and anonymity
    - Are these the same?
  - Bad for sophisticated users
50 DoCoMo Id Crypto
- Use identity-based cryptography to tie non-cyber identity to security
- Use identity as public key, generate private key from that
  - Requires identity-based crypto key generator
  - Like Kerberos
- Identity could be DNS name, NAI or any other string
- In principle, authenticatable at I3 or HI3 rendezvous
- Looks like a good idea but...
51 Performance of Boneh/Franklin vs. RSA
[Table: columns RSA and BF; rows Encryption, Decryption, Signature, Verify; values not present in the transcription]
RSA: 1024 bit modulus; BF: 512 bit P
52 Stack Architecture
53 Stack Architecture
- HIP works somewhat like a session layer but it's not at the OSI model session layer
  - Discussion this morning on SIP and HIP
  - HIT is session identifier across locator changes
- Is the OSI model out of date?
- Does the stack architecture need some modification?
54 Problem with Layers*
- Pressure for new layer violations due to cross layer optimization
- Functional dependency causes feature interactions with loss of extensibility
- Reluctance to change existing implementation leads to introduction of inter-layer shims
- Out-of-band signaling for middle boxes
*from NewArch final report
55 NewArch Roles?
- Functional units of communication are roles
  - Building blocks out of which a communication is built
- Remodularization of large IP protocols
  - Congestion control
  - Forward Packet
  - ...
- Organization of data and metadata in packet is different
- But what about backward compatibility?
56 Compiler Model?
- Front end: Role modules activated by events
  - Arrival of a packet
  - Some application level user action
  - ECN
- Back end: Events trigger compilation into standard stack layers
- Limited, won't handle complex cases
57 Routing
58 HIP and IP Routing
- HIP uses underlying IP routing
  - Locators are IP addresses
  - Src/dest IP address pair
- NATs/Firewalls and other middleboxes are reality
  - Conventional wisdom is that they will disappear with IPv6
  - Well, NATs at least...
  - But will that really be so?
59 Late Binding
- FARA and UCB
- Include identifier in packet
- Source route to network entity that can resolve the identifier to actual locator
- Removes need for DNS lookup
- Semantics become "send packet to high level id" rather than "send to address"
60 Discussion
- What are the possible killer apps for id/locator split in general and HIP in particular?
  - Enhancing existing apps
  - New apps
- Is HIP primarily a security (DoS and MITM prevention) enhancement?
- Is HIP a solution in search of a problem?
61 Summary of workshop
Pekka Nikander
62 Important
- Lowest layer of location independence
- Goals of HIP: Narrow or wider focus?
- Tradeoffs in identifier semantics
- Security vs. convenience
- How to coherently incorporate middle boxes
- Enumeration of what are the options
- Discussion on legacy middle boxes and NATs
- Killer apps: NAT, FW, IPv4/v6 crossing layer
- Configuration and management is a hard problem
63 Round table summary
- What was important to you in today's discussions?
- What are you planning to work on (based on this)?
64 What HIP is?
- A: Map public keys to identifiers
- B: Map identifiers to locators
- Scott & Ion
65 Paul
- Reachability is the important problem
- Confirmation that HIP is not needed
- No killer app needed
66 Meta-Important
- How IETF deals with architectural questions
- How one evolves into a new architecture
- What are the building blocks for successful apps
- Increased understanding of HIP and connections to other stuff
- Understanding that there is this confusion of what HIP really is
- Lack of short term motivation
- SIP may be more important
67 Misc points
- Late binding
- Location vs. security aspects
- What should there be or not be
- What degree of crypto is needed?
  - In Internet, private networks, etc.
- Peer-to-peer as a potential killer app
CSC 474/574 Information Systems Security Topic 7.4 Firewalls CSC 474/574 Dr. Peng Ning 1 Outline What are firewalls? Types Filtering Packet filtering Session filtering Proxy Circuit Level Application Level
More informationNetwork Security: IPsec. Tuomas Aura
Network Security: IPsec Tuomas Aura 3 IPsec architecture and protocols Internet protocol security (IPsec) Network-layer security protocol Protects IP packets between two hosts or gateways Transparent to
More informationCisco TelePresence Basic Cisco VCS configuration
Cisco TelePresence Basic Cisco VCS configuration Deployment Guide D14651.02 September 2011 Cisco VCS Control with Cisco VCS Expressway X7.0 Contents Document revision history 5 Introduction 6 Out of scope
More informationP2PSIP Draft Charter. Dean Willis March 2006
P2PSIP Draft Charter Dean Willis March 2006 Purpose The purpose of the Peer-to-Peer (P2P) Session Initiation Protocol working group (P2PSIP WG) is to develop guidelines and mechanisms for the use of the
More informationNetwork Address Translators (NATs) and NAT Traversal
Network Address Translators (NATs) and NAT Traversal Ari Keränen ari.keranen@ericsson.com Ericsson Research Finland, NomadicLab Outline Introduction to NATs NAT Behavior UDP TCP NAT Traversal STUN TURN
More informationEnabling mobile systems with ILNP
Enabling mobile systems with ILNP Saleem Bhatti, University of St Andrews, UK 2010-08-18 Ericsson Research, USA. (C) Saleem Bhatti. 1 ILNP in a nutshell Identifier Locator Network Protocol: http://ilnp.cs.st-andrews.ac.uk/
More informationSIP and VoIP What is SIP? What s a Control Channel? History of Signaling Channels
Network Security - ISA 656 Voice Over IP (VoIP) Security Simple SIP ing Alice s Bob Session Initiation Protocol Control channel for Voice over IP (Other control channel protocols exist, notably H.323 and
More informationOn the Internet, nobody knows you re a dog.
On the Internet, nobody knows you re a dog. THREATS TO DISTRIBUTED APPLICATIONS 1 Jane Q. Public Big Bank client s How do I know I am connecting to my bank? server s Maybe an attacker...... sends you phishing
More informationSeparating Friends from Spitters
Samu Varjonen, Andrei Gurtov (2010): Separating Friends from Spitters. In Gunnar Stevens (Eds.), International Reports on Socio-Informatics (IRSI), Workshop Proceedings of 9th International Conference
More informationInt ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28
Int ernet w orking Internet Security Literature: Forouzan: TCP/IP Protocol Suite : Ch 28 Internet Security Internet security is difficult Internet protocols were not originally designed for security The
More informationCS November 2018
Distributed Systems 21. Delivery Networks (CDN) Paul Krzyzanowski Rutgers University Fall 2018 1 2 Motivation Serving web content from one location presents problems Scalability Reliability Performance
More informationComputer Science 461 Final Exam May 22, :30-3:30pm
NAME: Login name: Computer Science 461 Final Exam May 22, 2012 1:30-3:30pm This test has seven (7) questions, each worth ten points. Put your name on every page, and write out and sign the Honor Code pledge
More informationDNSSEC Basics, Risks and Benefits
DNSSEC Basics, Risks and Benefits Olaf M. Kolkman olaf@ripe.net This presentation About DNS and its vulnerabilities DNSSEC status DNSSEC near term future DNS: Data Flow Registry/Registrar Provisioning
More informationConfiguring OpenVPN on pfsense
Configuring OpenVPN on pfsense Configuring OpenVPN on pfsense Posted by Glenn on Dec 29, 2013 in Networking 0 comments In this article I will go through the configuration of OpenVPN on the pfsense platform.
More informationDistributed Systems. 21. Content Delivery Networks (CDN) Paul Krzyzanowski. Rutgers University. Fall 2018
Distributed Systems 21. Content Delivery Networks (CDN) Paul Krzyzanowski Rutgers University Fall 2018 1 2 Motivation Serving web content from one location presents problems Scalability Reliability Performance
More informationLocator ID Separation Protocol (LISP) Overview
Locator ID Separation Protocol (LISP) is a network architecture and protocol that implements the use of two namespaces instead of a single IP address: Endpoint identifiers (EIDs) assigned to end hosts.
More informationChapter 09 Network Protocols
Chapter 09 Network Protocols Copyright 2011, Dr. Dharma P. Agrawal and Dr. Qing-An Zeng. All rights reserved. 1 Outline Protocol: Set of defined rules to allow communication between entities Open Systems
More informationRule-Based Forwarding
Building Extensible Networks with Rule-Based Forwarding Lucian Popa Norbert Egi Sylvia Ratnasamy Ion Stoica UC Berkeley/ICSI Lancaster Univ. Intel Labs Berkeley UC Berkeley Making Internet forwarding flexible
More informationDistributed Mobility Management: Current Practices and Gap Analysis
Distributed Mobility Management: Current Practices and Gap Analysis draft-ietf-dmm-best-practices-gap-analysis-02 Juan Carlos Zuniga (Editor) Presenting Dapeng Liu (Editor) CJ. Bernardos Pierrick Seite
More informationAdvanced Computer Networks
Advanced Computer Networks Network Architectures Jianping Pan Summer 2007 5/16/07 csc485b/586b/seng480b 1 Internet architectures Design principles store-and-forward packet switching end-to-end arguments
More informationMobility Through Naming: Impact on DNS
Mobility Through Naming: Impact on DNS Ran Atkinson 1 Saleem Bhatti 2 Steve Hailes 3 1 Extreme Networks RTP, NC, USA 2 University of St Andrews St Andrews, UK 3 University College London (UCL) London,
More informationInternet Technology. 06. Exam 1 Review Paul Krzyzanowski. Rutgers University. Spring 2016
Internet Technology 06. Exam 1 Review Paul Krzyzanowski Rutgers University Spring 2016 March 2, 2016 2016 Paul Krzyzanowski 1 Question 1 Defend or contradict this statement: for maximum efficiency, at
More informationGeneral requirements for ID/locator separation in NGN
Draft Recommendation ITU-T Y.2015 (Y.ipsplit) General requirements for ID/locator separation in NGN Summary This Recommendation begins with showing the limitations of the conventional IP architecture,
More informationExam : Title : Security Solutions for Systems Engineers. Version : Demo
Exam : 642-566 Title : Security Solutions for Systems Engineers Version : Demo 1. Which one of the following elements is essential to perform events analysis and correlation? A. implementation of a centralized
More informationCSE 123A Computer Netwrking
CSE 123A Computer Netwrking Winter 2005 Mobile Networking Alex Snoeren presenting in lieu of Stefan Savage Today s s issues What are implications of hosts that move? Remember routing? It doesn t work anymore
More informationInternet Technology 3/2/2016
Question 1 Defend or contradict this statement: for maximum efficiency, at the expense of reliability, an application should bypass TCP or UDP and use IP directly for communication. Internet Technology
More informationRouting. Architecture for the Next. Generation. Internet (RANGI) Xiaohu Xu, Dayong Guo, Raj Jain, Jianli Pan, Subharthi Paul
Routing Architecture for the Next Generation Internet (RANGI) Xiaohu Xu, Dayong Guo, Raj Jain, Jianli Pan, Subharthi Paul Presented to Routing Research Group (RRG), Internet Research Task Force Meeting
More informationNETWORKING 3.0. Network Only Provably Cryptographically Identifiable Devices INSTANT OVERLAY NETWORKING. Remarkably Simple
NETWORKING 3.0 Network Only Provably Cryptographically Identifiable Devices INSTANT OVERLAY NETWORKING Highly Available Remarkably Simple Radically Secure IP complexity is holding your business back As
More informationLISP Mobile-Node. draft-meyer-lisp-mn-05.txt. Chris White, Darrel Lewis, Dave Meyer, Dino Farinacci cisco Systems
LISP Mobile-Node draft-meyer-lisp-mn-05.txt Chris White, Darrel Lewis, Dave Meyer, Dino Farinacci cisco Systems EID: dino@cisco.com RLOC: IRTF MobOpts Quebec City July 28 2011 What if... A mobile device
More informationSample excerpt. HP ProCurve Threat Management Services zl Module NPI Technical Training. NPI Technical Training Version: 1.
HP ProCurve Threat Management Services zl Module NPI Technical Training NPI Technical Training Version: 1.00 5 January 2009 2009 Hewlett-Packard Development Company, L.P. The information contained herein
More informationInternet Indirection Infrastructure (i3) Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, Sonesh Surana. UC Berkeley SIGCOMM 2002
Internet Indirection Infrastructure (i3) Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, Sonesh Surana UC Berkeley SIGCOMM 2002 Motivations Today s Internet is built around a unicast pointto-point
More informationEricsson Research NomadicLab M. Komu Helsinki Institute for Information Technology September 2008
Network Working Group Request for Comments: 5338 Category: Informational T. Henderson The Boeing Company P. Nikander Ericsson Research NomadicLab M. Komu Helsinki Institute for Information Technology September
More informationIP Security IK2218/EP2120
IP Security IK2218/EP2120 Markus Hidell, mahidell@kth.se KTH School of ICT Based partly on material by Vitaly Shmatikov, Univ. of Texas Acknowledgements The presentation builds upon material from - Previous
More informationNetwork Security: Broadcast and Multicast. Tuomas Aura T Network security Aalto University, Nov-Dec 2010
Network Security: Broadcast and Multicast Tuomas Aura T-110.5240 Network security Aalto University, Nov-Dec 2010 Outline 1. Broadcast and multicast 2. Receiver access control (i.e. data confidentiality)
More information20-CS Cyber Defense Overview Fall, Network Basics
20-CS-5155 6055 Cyber Defense Overview Fall, 2017 Network Basics Who Are The Attackers? Hackers: do it for fun or to alert a sysadmin Criminals: do it for monetary gain Malicious insiders: ignores perimeter
More informationBusiness Objects Product Suite
Business Objects Product Suite IPv6 Support in BusinessObjects XI 3.1 Overview Contents With the growth of Internet Protocol Version 6 (IPv6) technology, demand for IPv6 compatible applications has increased
More informationBuilding a Coreless Internet Without Ripping Out the Core
Building a Coreless Internet Without Ripping Out the Core Geoffrey Goodell Scott Bradner Mema Roussopoulos (goodell@eecs.harvard.edu) (sob@harvard.edu) (mema@eecs.harvard.edu) VE R I TAS Harvard University
More informationCisco TelePresence Video Communication Server Basic Configuration (Control with Expressway)
Cisco TelePresence Video Communication Server Basic Configuration (Control with Expressway) Deployment Guide Cisco VCS X8.6 July 2015 Contents Introduction 4 Example network deployment 5 Network elements
More information