ICE, STUN, TURN. Mészáros Mihály NIIF Institute. Federated STUN/TURN service PoC/Pilot experiences. 4th TF-WEBRTC meeting - DFN Berlin 2016
1 ICE, STUN, TURN Federated STUN/TURN service PoC/Pilot experiences Mészáros Mihály NIIF Institute 4th TF-WEBRTC meeting - DFN Berlin 2016
2 STUN, TURN, ICE
- STUN Classic: RFC 3489 (March 2003), Simple Traversal of UDP Through NATs
- STUN New: RFC 5389 (October 2008), Session Traversal Utilities for NAT
- TURN: RFC 5766 (April 2010), Traversal Using Relays around NAT (relay extensions to STUN)
- ICE: RFC 5245 (April 2010), Interactive Connectivity Establishment
3 Table of Contents
- Overview: Firewall vs. Real Time Communication (RTC)
- WebRTC and ICE/STUN/TURN
- Types of NAT and NAT behavior discovery
- ICE, STUN, TURN auth methods and implementation overview
- GÉANT 4 SA8 T2 Proof of Concept STUN/TURN experiences
- Lessons learned
- Symposium demos
- Summary
4 WebRTC
5 WebRTC & Firewall / NAT Traversal
6 WebRTC
- WebRTC transport draft: ICE is mandatory
- ICE depends on a STUN/TURN service
- [chart, data source: callstats.io: share of sessions by connection type: Direct, STUN/NAT, TURN/UDP, TURN/TCP, TURN/TLS; values shown on the slide: 68%, 10%, 2%, 7%, 13%]
- WebRTC is not only Web: mobile and native applications
- WebRTC isn't only video calls
- WebRTC in every browser and beyond..
7 Firewall vs RTC
8 Firewall keeps the unwanted traffic Outside
9 But also adds barriers to RTC
10 The Goal: Standard based solution that solves RTC Firewall/NAT traversal
11 Firewall Traversal
- Traversal is getting more and more complicated: a moving target
- Today's Internet: NAT (different types), firewalls (packet filters), IPv4 => IPv6 transition, multi-homing, etc.
- TCP is not ideal for RTC
12 NAT
13 NAT types (RFC 3489)
- Full-cone NAT
- Restricted-cone NAT (address-restricted)
- Port-restricted-cone NAT
- Symmetric NAT
[figure: a Client behind the NAT exchanging packets with Server 1 and Server 2 under each NAT type]
14 Symmetric NAT
[figure: Client behind a symmetric NAT, which allocates a different external mapping for Server 1 and for Server 2]
15 RFC 4787 and RFC 5780 vs RFC 3489
- Mapping behavior: EIM (endpoint-independent), ADM (address-dependent), APDM (address-and-port-dependent)
- Filtering behavior: EIF (endpoint-independent), ADF (address-dependent), APDF (address-and-port-dependent)
16 Mapping Detection (RFC 5780 section 4.3)
- TEST I: Binding request to the primary IP, primary port
- TEST II: Binding request to the alternate IP, primary port
- TEST III: Binding request to the alternate IP, alternate port
- Compare the XOR-MAPPED-ADDRESS returned by each test: I and II equal => EIM; I and II differ but II and III agree => ADM; all three differ => APDM
17 Filtering Detection (RFC 5780 section 4.4)
- TEST I: Binding request without CHANGE-REQUEST
- TEST II: CHANGE-REQUEST asking the server to reply from the alternate IP and alternate port
- TEST III: CHANGE-REQUEST asking the server to reply from the alternate port only
- A reply to test II => EIF; a reply to test III only => ADF; no reply to either => APDF
18 Linux NAT
- Allow IP forwarding: sysctl net.ipv4.ip_forward=1
- Symmetric NAT (address and port dependent mapping, address and port dependent filtering):
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE --random
- Port-restricted cone NAT (endpoint independent mapping, address and port dependent filtering):
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
19 RFC 5780 and coturn
- NAT behavior is not always constant in time! A NAT may change its characteristics during attacks, under high load, etc. It is still worth understanding the current behavior.
- RFC 4787: NAT Behavioral Requirements for Unicast UDP; RFC 5780: NAT Behavior Discovery Using STUN
- coturn provides a brilliant STUN client library. Based on it I created a utility to detect the NAT type according to RFC 5780 (-m: mapping behavior, -f: filtering behavior):
    bin/turnutils_natdiscovery -f -m
20 Example symmetric NAT output
    bin/turnutils_natdiscovery -f -m
    ========================================
    NAT with Address and Port Dependent Mapping!
    ========================================
    ========================================
    NAT with Address and Port Dependent Filtering!
    ========================================
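The decision logic behind that output, as an added example: a Python re-implementation of the RFC 5780 section 4.3/4.4 classification, not coturn's turnutils_natdiscovery C code. The six STUN round trips are replaced by constructed probe results for the two iptables configurations of slide 18 (the addresses, ports and the NatProbe/report names are assumptions made for this example), so the logic runs offline.

```python
"""RFC 5780 NAT behaviour classification from constructed probe results.

Added example; not code from the slides or from coturn. The STUN
network round trips are replaced by a table of results.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

Addr = Tuple[str, int]          # (IP address, port)


@dataclass(frozen=True)
class NatProbe:
    """Outcome of the six RFC 5780 probes sent from one local UDP socket.

    mapping: XOR-MAPPED-ADDRESS returned by Binding requests sent to
        test I   (primary IP, primary port),
        test II  (alternate IP, primary port),
        test III (alternate IP, alternate port); None = no response.
    filtering: whether a response came back for
        test I   plain Binding request,
        test II  CHANGE-REQUEST: reply from alternate IP and port,
        test III CHANGE-REQUEST: reply from alternate port only.
    """
    local: Addr
    mapping: Tuple[Optional[Addr], Optional[Addr], Optional[Addr]]
    filtering: Tuple[bool, bool, bool]


def classify_mapping(p: NatProbe) -> str:
    m1, m2, m3 = p.mapping
    if m1 is None:
        return "UDP blocked"
    if m1 == p.local:
        return "No NAT"                               # public address seen unchanged
    if m2 is None:
        return "Undetermined"                         # server lacks OTHER-ADDRESS, or loss
    if m2 == m1:
        return "Endpoint Independent Mapping"         # EIM
    if m3 is None:
        return "Undetermined"
    if m3 == m2:
        return "Address Dependent Mapping"            # ADM
    return "Address and Port Dependent Mapping"       # APDM


def classify_filtering(p: NatProbe) -> str:
    t1, t2, t3 = p.filtering
    if not t1:
        return "UDP blocked"
    if t2:
        return "Endpoint Independent Filtering"       # EIF: any source gets in
    if t3:
        return "Address Dependent Filtering"          # ADF: known IP, any port
    return "Address and Port Dependent Filtering"     # APDF: exact 5-tuple only


def rfc3489_name(mapping: str, filtering: str) -> str:
    """Legacy RFC 3489 label where one exists; RFC 3489 terms do not cover every combination."""
    if mapping == "Endpoint Independent Mapping":
        return {"Endpoint Independent Filtering": "full cone",
                "Address Dependent Filtering": "restricted cone",
                "Address and Port Dependent Filtering": "port restricted cone"}.get(filtering, "n/a")
    if mapping in ("Address Dependent Mapping", "Address and Port Dependent Mapping"):
        return "symmetric"
    return "n/a"


def report(p: NatProbe) -> dict:
    mapping, filtering = classify_mapping(p), classify_filtering(p)
    return {"mapping": mapping, "filtering": filtering, "rfc3489": rfc3489_name(mapping, filtering)}


# Constructed results for the two Linux NATs of slide 18 (addresses are assumptions).
# MASQUERADE --random: a fresh external port for every destination tuple.
SYMMETRIC = NatProbe(
    local=("10.0.0.5", 40000),
    mapping=(("203.0.113.7", 51234), ("203.0.113.7", 51235), ("203.0.113.7", 51236)),
    filtering=(True, False, False),
)
# plain MASQUERADE: the original source port is kept when it is free.
PORT_RESTRICTED = NatProbe(
    local=("10.0.0.5", 40000),
    mapping=(("203.0.113.7", 40000),) * 3,
    filtering=(True, False, False),
)

if __name__ == "__main__":
    for name, probe in (("--random", SYMMETRIC), ("plain", PORT_RESTRICTED)):
        print(name, report(probe))
```

The "Undetermined" branches are the practical caveat: mapping tests II and III need a server that advertises OTHER-ADDRESS (two IPs, two ports), which is why slide 54 lists "multiple IP addresses required" for NAT discovery.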
21 ICE, STUN, TURN
22 ICE step by step
- Discovery and candidate gathering
- Allocation
- Prioritisation
- Exchange
- Connectivity check
- Frozen algorithm
- Coordination
- Communication
23 IP address and port discovery
- Candidate: IP address, port, protocol; candidates are paired for the connectivity checks
- Types: host, server reflexive (srflx), peer reflexive (prflx), relayed
[figure: UA with host address X:x behind a NAT, seen on the public Internet as the reflexive address X':x'; TURN server relaying from Y:y]
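The message that does the reflexive-address discovery, as an added example (not from the slides or coturn): a minimal STUN Binding codec in Python. It builds the RFC 5389 Binding request (20-byte header, magic cookie, 96-bit transaction ID), optionally with the RFC 5780 CHANGE-REQUEST attribute used by the filtering tests of slide 17, and parses a Binding success response, decoding XOR-MAPPED-ADDRESS (and OTHER-ADDRESS, which is in plain MAPPED-ADDRESS format). IPv4 only; the response is constructed here, not captured, and the addresses are assumptions.

```python
"""Minimal STUN (RFC 5389) Binding codec with the RFC 5780 CHANGE-REQUEST
and OTHER-ADDRESS attributes. Added example; IPv4 only."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001        # RFC 3489 style, plain address
ATTR_CHANGE_REQUEST = 0x0003        # RFC 5780 filtering tests
ATTR_XOR_MAPPED_ADDRESS = 0x0020    # RFC 5389: address XORed with the cookie
ATTR_OTHER_ADDRESS = 0x802C         # RFC 5780: server's alternate IP:port
CHANGE_IP, CHANGE_PORT = 0x04, 0x02
_COOKIE_BYTES = struct.pack("!I", MAGIC_COOKIE)


def _xor(raw: bytes) -> bytes:
    return bytes(b ^ c for b, c in zip(raw, _COOKIE_BYTES))


def _encode_address(atype: int, addr, xor: bool) -> bytes:
    ip, port = addr
    raw = socket.inet_aton(ip)
    if xor:                                   # XOR hides the address from NAT ALGs that rewrite it
        port ^= MAGIC_COOKIE >> 16
        raw = _xor(raw)
    return struct.pack("!HHxBH4s", atype, 8, 0x01, port, raw)


def _decode_address(value: bytes, xor: bool):
    family, port = struct.unpack("!xBH", value[:4])
    if family != 0x01:
        raise ValueError("only IPv4 handled in this example")
    raw = value[4:8]
    if xor:
        port ^= MAGIC_COOKIE >> 16
        raw = _xor(raw)
    return socket.inet_ntoa(raw), port


def build_binding_request(change_ip=False, change_port=False, txid=None) -> bytes:
    """Client side: test I sends no CHANGE-REQUEST, tests II/III set the flags."""
    txid = txid or os.urandom(12)             # 96-bit transaction ID
    attrs = b""
    if change_ip or change_port:
        flags = (CHANGE_IP if change_ip else 0) | (CHANGE_PORT if change_port else 0)
        attrs = struct.pack("!HHI", ATTR_CHANGE_REQUEST, 4, flags)
    return struct.pack("!HHI12s", BINDING_REQUEST, len(attrs), MAGIC_COOKIE, txid) + attrs


def build_binding_success(txid: bytes, mapped, other=None) -> bytes:
    """Server side; used here only to construct a sample response."""
    attrs = _encode_address(ATTR_XOR_MAPPED_ADDRESS, mapped, True)
    if other:
        attrs += _encode_address(ATTR_OTHER_ADDRESS, other, False)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attrs), MAGIC_COOKIE, txid) + attrs


def parse_binding_response(data: bytes, expected_txid: bytes) -> dict:
    """Return the address attributes of a Binding success response."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie, txid = struct.unpack("!HHI12s", data[:20])
    if cookie != MAGIC_COOKIE or txid != expected_txid:
        raise ValueError("not a response to our request")   # drops stray or spoofed replies
    if msg_type != BINDING_SUCCESS:
        raise ValueError(f"unexpected message type 0x{msg_type:04x}")
    if len(data) < 20 + length:
        raise ValueError("truncated STUN message")
    result, offset, end = {}, 20, 20 + length
    while offset + 4 <= end:
        atype, alen = struct.unpack("!HH", data[offset:offset + 4])
        value = data[offset + 4:offset + 4 + alen]
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            result["mapped"] = _decode_address(value, True)
        elif atype == ATTR_MAPPED_ADDRESS and "mapped" not in result:
            result["mapped"] = _decode_address(value, False)   # pre-RFC 5389 servers
        elif atype == ATTR_OTHER_ADDRESS:
            result["other"] = _decode_address(value, False)
        offset += 4 + ((alen + 3) & ~3)       # attribute values are padded to 4 bytes
    return result


if __name__ == "__main__":
    txid = os.urandom(12)
    reply = build_binding_success(txid, ("203.0.113.7", 51234), ("198.51.100.2", 3479))
    print(parse_binding_response(reply, txid))
```

Checking the transaction ID before trusting a reply is the one security-relevant line: a Binding response with the wrong ID is discarded, so an off-path party cannot feed the client a bogus reflexive address.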
24 Why does gathering all addresses cause problems?
- ICE gathers ALL(!) local addresses by design
- Chrome "IP address leakage": the candidates expose all your IP addresses (private, public, VPN, etc.) to the web application
- A fix is under way: draft-ietf-rtcweb-ip-handling works out the best way to handle it
- Solution: limit candidate discovery; limit interface and address gathering
- Chrome: opt-in Network Limiter extension; step two: build it into the core and make it the default
- Firefox: new UI tools to restrict candidates
25 Trickle ICE (slide from trickle-ice-iet86-orlando.pptx)
- Vanilla ICE as per RFC 5245: Alice and Bob each finish STUN discovery first, then exchange the offer and answer carrying all candidates, then run connectivity checks
- Trickle ICE: the offer/answer is sent at once with host candidates (or no candidates); further candidates are sent as they are discovered, and connectivity checks run in parallel with discovery
26 RETURN
- RETURN: Recursively Encapsulated TURN
- DNS auto-discovery
- Corporate border proxy
- Corporate and application leakiness: leaky = use all possible candidates; sealed = force only the enterprise TURN proxy
[figure: network edge with the browser inside the network, the border TURN proxy server and the application TURN server outside; candidates shown as host, srflx and relay; paths shown as non-encapsulated TURN, TURN encapsulated and double TURN encapsulated]
27 STUN Auth Methods
28 Long Term vs Short Term
- STUN (RFC 5389) defines two credential mechanisms
- Short-term credential mechanism: used once, a fresh key every time; ICE uses it for connectivity checks (SDP a=ice-ufrag and a=ice-pwd)
- Long-term credential mechanism: the credential is not limited in time; main usage is STUN reflexive address detection and TURN relay allocation; stored in a user database (HA1)
29 Long Term Credential
- User, realm, password
- Origin-based REALM (draft-ietf-tram-stun-origin) for WebRTC
- The user database stores HA1 = MD5(user:realm:password), e.g. MD5(user:example.com:mysecret)
- MESSAGE-INTEGRITY = HMAC-SHA1 over the message M keyed with HA1: HMAC(M, MD5(user:example.com:mysecret))
- Protection against replay attacks (NONCE)
- It is the base auth method for STUN
30 WebRTC & LTC = not a perfect match
- Long Term Credential, summary of problems (draft-reddy-behave-turn-auth):
  - Keeping the password secret is difficult for web apps
  - MESSAGE-INTEGRITY is not protected against offline dictionary attacks
  - The server makes a lookup in the user database for every credential
  - The username is not encrypted in the STUN message and could be used for tracking
- Short Term Credential (only for one connection):
  - No protection against replay attacks
  - Designed for short-term use
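Slides 28 to 30 together, as an added example (not the slides' or coturn's code): the long-term key HA1 = MD5(user:realm:password), the MESSAGE-INTEGRITY HMAC-SHA1 computed the way RFC 5389 section 15.4 prescribes (the header length already counts the 24-byte MESSAGE-INTEGRITY attribute, the HMAC covers everything before it), the server-side verification, and the offline dictionary attack that an observer of one Allocate request can run because USERNAME and REALM travel in clear. The password generator at the end is the countermeasure of slide 38 (32 alphanumeric characters, about 190 bits). The Allocate request, nonce and wordlist are constructed; SASLprep is omitted (ASCII only) and the message is assumed to end with MESSAGE-INTEGRITY (no FINGERPRINT).

```python
"""STUN long-term credential MESSAGE-INTEGRITY and the offline dictionary
attack it permits. Added example; not code from the slides or coturn."""
import hashlib
import hmac
import math
import secrets
import string
import struct

MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003
ATTR_USERNAME, ATTR_MESSAGE_INTEGRITY = 0x0006, 0x0008
ATTR_REALM, ATTR_NONCE = 0x0014, 0x0015
MI_ATTR_LEN = 4 + 20                      # type/length header + HMAC-SHA1 digest


def long_term_key(username: str, realm: str, password: str) -> bytes:
    """HA1: what the TURN user database stores instead of the password."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def short_term_key(password: str) -> bytes:
    """Short-term credentials (ICE ice-pwd) key the HMAC with the password itself."""
    return password.encode()


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def build_allocate_request(username, realm, nonce, key, txid) -> bytes:
    body = (_attr(ATTR_USERNAME, username.encode())
            + _attr(ATTR_REALM, realm.encode())
            + _attr(ATTR_NONCE, nonce.encode()))
    # Length counts the MESSAGE-INTEGRITY attribute although the HMAC is
    # computed over the bytes that precede it (RFC 5389 section 15.4).
    header = struct.pack("!HHI12s", ALLOCATE_REQUEST, len(body) + MI_ATTR_LEN, MAGIC_COOKIE, txid)
    mac = hmac.new(key, header + body, hashlib.sha1).digest()
    return header + body + _attr(ATTR_MESSAGE_INTEGRITY, mac)


def _split(msg: bytes):
    """(covered bytes, claimed MAC) of a message whose last attribute is MESSAGE-INTEGRITY."""
    covered, mi = msg[:-MI_ATTR_LEN], msg[-MI_ATTR_LEN:]
    atype, alen = struct.unpack("!HH", mi[:4])
    if atype != ATTR_MESSAGE_INTEGRITY or alen != 20:
        raise ValueError("last attribute is not MESSAGE-INTEGRITY")
    return covered, mi[4:]


def verify(msg: bytes, key: bytes) -> bool:
    """Server side: recompute the HMAC under the stored HA1 (or the short-term key)."""
    covered, mac = _split(msg)
    return hmac.compare_digest(hmac.new(key, covered, hashlib.sha1).digest(), mac)


def offline_dictionary_attack(msg: bytes, username: str, realm: str, wordlist):
    """A passive observer reads USERNAME and REALM from the message, so every
    guess costs one MD5 plus one HMAC-SHA1 and never touches the server."""
    covered, mac = _split(msg)
    for guess in wordlist:
        key = long_term_key(username, realm, guess)
        if hmac.compare_digest(hmac.new(key, covered, hashlib.sha1).digest(), mac):
            return guess
    return None


ALPHANUM = string.ascii_letters + string.digits     # 62 symbols


def generate_password(length: int = 32) -> str:
    """Random alphanumeric password, as the PoC generates LTC passwords."""
    return "".join(secrets.choice(ALPHANUM) for _ in range(length))


def password_entropy_bits(length: int = 32) -> float:
    return length * math.log2(len(ALPHANUM))          # 32 characters: about 190 bits


# Constructed demonstration values (user and realm as on slide 29).
USER, REALM, NONCE = "user", "example.com", "constructed-nonce"
TXID = bytes(range(12))
WORDLIST = ["password", "123456", "qwerty", "mysecret", "letmein"]


def demo() -> dict:
    weak = build_allocate_request(USER, REALM, NONCE, long_term_key(USER, REALM, "mysecret"), TXID)
    strong_key = long_term_key(USER, REALM, generate_password())
    strong = build_allocate_request(USER, REALM, NONCE, strong_key, TXID)
    return {
        "weak_verifies": verify(weak, long_term_key(USER, REALM, "mysecret")),
        "weak_recovered": offline_dictionary_attack(weak, USER, REALM, WORDLIST),
        "strong_recovered": offline_dictionary_attack(strong, USER, REALM, WORDLIST),
        "bits": password_entropy_bits(),
    }


if __name__ == "__main__":
    print(demo())
```

The attack needs no interaction after the capture, which is why a human-chosen password is unsafe here no matter how the server rate-limits; a generated 128-bit-plus password makes the search infeasible rather than merely slow.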
31 STUN auth for WebRTC = REST API (Time Limited Long Term Credential)
- draft-uberti-rtcweb-turn-rest-00
- The REST API and the STUN/TURN server share a secret
- The service provider is identified by an api_key and requests, on behalf of the end user, a time-limited credential
- The web application transfers this credential to the end user's browser through the JS API
- username = timestamp and application-specific data separated by a ":"
32 REST API Operation Overview (Time Limited Long Term Credential)
[figure: the Web App calls the REST API; the REST API and the TURN server hold the shared secret]
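The exchange of slides 31 and 32 end to end, as an added example written in Python (not the PoC's PHP REST API or coturn): the API side forms username = expiry timestamp ":" application data and password = base64(HMAC-SHA1(shared secret, username)) as draft-uberti-rtcweb-turn-rest-00 specifies; the TURN side rejects expired usernames and recomputes the password under every secret still in its database, which is what lets the secret be rotated daily (slides 38 and 46) without invalidating credentials issued the day before. The TURN server then derives its long-term key as MD5(username:realm:password) from this password, so it stores no per-user secret at all. Secrets, user names and times are constructed; rotate_secret stands in for the daily MySQL event.

```python
"""Time-limited TURN credentials (draft-uberti-rtcweb-turn-rest-00):
issuing, checking and secret rotation. Added example; not PoC or coturn code."""
import base64
import hashlib
import hmac
import secrets
import time


def turn_password(shared_secret: bytes, username: str) -> str:
    """password = base64(HMAC-SHA1(shared_secret, username))"""
    digest = hmac.new(shared_secret, username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def issue_credential(shared_secret: bytes, app_user: str, ttl: int = 86400, now=None) -> dict:
    """REST API side: called after the web app authenticated the user and
    presented its api_key. Nothing is stored per user or per credential."""
    now = int(time.time()) if now is None else now
    username = f"{now + ttl}:{app_user}"        # expiry first, then application data
    return {"username": username, "password": turn_password(shared_secret, username), "ttl": ttl}


def turn_server_accepts(username: str, password: str, secrets_in_db, now=None) -> bool:
    """TURN server side: expired usernames are refused before any crypto;
    then the password is recomputed under each secret still in the database."""
    now = int(time.time()) if now is None else now
    expiry, _, _ = username.partition(":")
    if not expiry.isdigit() or int(expiry) <= now:
        return False
    return any(hmac.compare_digest(turn_password(s, username), password) for s in secrets_in_db)


def rotate_secret(secrets_in_db, keep: int = 2) -> list:
    """Daily rotation. Keeping the previous secret lets credentials issued before
    the rotation validate until their ttl runs out; a leaked secret stays usable
    for at most `keep` days, which is the damage limit slide 46 refers to."""
    return [secrets.token_bytes(32)] + list(secrets_in_db)[:keep - 1]


if __name__ == "__main__":
    db = [secrets.token_bytes(32)]
    cred = issue_credential(db[0], "alice", ttl=600)
    print(cred, turn_server_accepts(cred["username"], cred["password"], db))
    db = rotate_secret(db)
    print("after rotation:", turn_server_accepts(cred["username"], cred["password"], db))
```

With ttl = 86400 and keep = 2 the server never refuses a credential that is still within its lifetime, while a credential forged under a secret older than two days is rejected even if its embedded timestamp lies far in the future.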
33 OAuth RFC 7635
34 Proof of Concept
35 PoC Overview
- Web front end: after AAI (eduGAIN) login, get an LTC user/password credential or get a key to the REST API
- Distributed service: NIIF, UNINETT, FCT/FCCN
- Closest server (GeoIP)
- Auth methods: LTC, REST API, OAuth (coming soon)
36 Ansible Automated Install
- Central (master): configure OS (firewall, ntp, fail2ban, etc.), certs, web server and PHP, SimpleSAMLphp, eduGAIN privacy statement, install Composer, MySQL master
- Slaves: OS (firewall, ntp, fail2ban, etc.), MySQL slave, coturn
- Update PHP libs, check out git (front end, REST API), set up replication on the master and slave sides
37 Design Goals
- Only open source components (Debian Jessie, etc.)
- Support all possible authentication methods: LTC, REST, OAuth
- AAI-enabled eduGAIN front-end site
- Distributed back-end database
- Secure communication, IPv6, DNSSEC
- Support a wide range of STUN/TURN transport protocols
- Automated deployment
38 Security Design Principles
- The LTC user password is generated, to avoid offline dictionary attacks; per the STUN RFC recommendation the password SHOULD have at least 128 bits of randomness; we use 32 alphanumeric characters, ~190 bits (hackzilla/password-generator)
- The REST API_KEY is a generated random key with one year expiration: 32 alphanumeric characters, ~190 bits (hackzilla/password-generator)
- The shared secret between the API and coturn is rotated daily
39 TURN servers: Technology Scouting
- Open source implementations
- Commercial implementations: stun-turn-server/, /procall/5/erestunservice/dokumentation/index.htm, etc.
- Commercial services: etc.
40 coturn: TURN with co-location of multiple realms
- coturn.net: open source STUN/TURN implementation
- Written in C; rock solid; low hardware requirements
- Closely follows the IETF TRAM WG work
- Supports multiple back-end database types (5)
- STUN over UDP/TCP/TLS/DTLS/SCTP; TCP/UDP relay
- Auth methods: LTC, REST (time-limited LTC), OAuth
- IPv4 and IPv6
41 User Frontend
- Landing web page: SimpleSAMLphp, eduGAIN auth, we request 4 attributes; Bootstrapzero design
- Quick & dirty PoC-level implementation
- REST API dependencies: "slim/slim": "^2.6", "zircote/swagger-php": "^2.0", "geoip/geoip": "~1.14" (IPv6), "mjaschen/phpgeo": "^0.3.0"
42 Live Demo:
43 Pick the closest STUN/TURN (LTC, REST)
- DNS GeoIP-based views: based on the location of the DNS resolver, not the client (!); OpenDNSSEC does not yet support views (issue OPENDNSSEC-232)
- Anycast: needs provider-independent IPv4 /24 and IPv6 /64
- Implemented: the web server side application takes the user's IP address as input; a local GeoIP database maps IP => coordinates; Vincenty's formulae map coordinates => distance
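The selection step of the last bullet, as an added example: a Python re-implementation of Vincenty's inverse formula on the WGS84 ellipsoid and of the closest-server choice, not the PoC's PHP code (which uses geoip/geoip and mjaschen/phpgeo). The GeoIP lookup is replaced by a constructed one-entry table, and the three site coordinates are approximate city locations chosen for illustration only; GEOIP_TABLE, SERVERS and the function names are assumptions of this example.

```python
"""Closest-server selection with Vincenty's inverse formula (WGS84).
Added example; not the PoC's code."""
import math

_A = 6378137.0                      # WGS84 semi-major axis (m)
_F = 1 / 298.257223563              # WGS84 flattening
_B = (1 - _F) * _A                  # semi-minor axis


def vincenty_distance(lat1, lon1, lat2, lon2, tol=1e-12, max_iter=200) -> float:
    """Geodesic distance in metres between two (lat, lon) points in degrees."""
    u1 = math.atan((1 - _F) * math.tan(math.radians(lat1)))
    u2 = math.atan((1 - _F) * math.tan(math.radians(lat2)))
    big_l = math.radians(lon2 - lon1)
    sin_u1, cos_u1 = math.sin(u1), math.cos(u1)
    sin_u2, cos_u2 = math.sin(u2), math.cos(u2)
    lam = big_l
    for _ in range(max_iter):
        sin_lam, cos_lam = math.sin(lam), math.cos(lam)
        sin_sigma = math.hypot(cos_u2 * sin_lam, cos_u1 * sin_u2 - sin_u1 * cos_u2 * cos_lam)
        if sin_sigma == 0:
            return 0.0                                   # coincident points
        cos_sigma = sin_u1 * sin_u2 + cos_u1 * cos_u2 * cos_lam
        sigma = math.atan2(sin_sigma, cos_sigma)
        sin_alpha = cos_u1 * cos_u2 * sin_lam / sin_sigma
        cos2_alpha = 1 - sin_alpha ** 2
        # cos2_alpha == 0 is the equatorial geodesic, where 2*sigma_m is undefined
        cos_2sm = cos_sigma - 2 * sin_u1 * sin_u2 / cos2_alpha if cos2_alpha else 0.0
        c = _F / 16 * cos2_alpha * (4 + _F * (4 - 3 * cos2_alpha))
        lam_prev = lam
        lam = big_l + (1 - c) * _F * sin_alpha * (
            sigma + c * sin_sigma * (cos_2sm + c * cos_sigma * (-1 + 2 * cos_2sm ** 2)))
        if abs(lam - lam_prev) < tol:
            break
    else:
        raise ValueError("no convergence (near-antipodal points)")
    u_sq = cos2_alpha * (_A ** 2 - _B ** 2) / _B ** 2
    a_coef = 1 + u_sq / 16384 * (4096 + u_sq * (-768 + u_sq * (320 - 175 * u_sq)))
    b_coef = u_sq / 1024 * (256 + u_sq * (-128 + u_sq * (74 - 47 * u_sq)))
    delta_sigma = b_coef * sin_sigma * (cos_2sm + b_coef / 4 * (
        cos_sigma * (-1 + 2 * cos_2sm ** 2)
        - b_coef / 6 * cos_2sm * (-3 + 4 * sin_sigma ** 2) * (-3 + 4 * cos_2sm ** 2)))
    return _B * a_coef * (sigma - delta_sigma)


# Constructed stand-in for the local GeoIP database: IP prefix -> (lat, lon).
GEOIP_TABLE = {"192.0.2.": (48.2082, 16.3738)}          # TEST-NET-1 placed in Vienna

# Approximate locations of the three PoC sites, for illustration only.
SERVERS = {
    "NIIF": (47.4979, 19.0402),      # Budapest
    "UNINETT": (63.4305, 10.3951),   # Trondheim
    "FCCN": (38.7223, -9.1393),      # Lisbon
}


def geoip_lookup(ip: str):
    for prefix, coord in GEOIP_TABLE.items():
        if ip.startswith(prefix):
            return coord
    return None                                           # unknown: caller falls back to a default


def closest_server(client_ip: str, servers=SERVERS):
    """Return (server name, distance in metres), or None when the IP is not in the table."""
    coord = geoip_lookup(client_ip)
    if coord is None:
        return None
    name = min(servers, key=lambda n: vincenty_distance(*coord, *servers[n]))
    return name, vincenty_distance(*coord, *servers[name])


if __name__ == "__main__":
    print(closest_server("192.0.2.10"))
```

The caveat that makes this approach work where DNS views failed: the web server sees the client's own source address (behind a reverse proxy, the forwarded-for header it trusts), not the address of some recursive resolver.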
44 Auth methods
- LTC and REST: the client behavior is not changed; only the server side differs
- coturn doesn't support both mechanisms in one daemon, so we used the simple design approach of separating auth methods at VM level, avoiding repackaging
- Multiple daemons could also work on the same VM; drawback: the normal Debian package is designed to run one daemon per host
- To exploit the latest coturn implementation features we decided to use the jessie-backports repository
45 IPv6 Ready Service (smooth IPv6 transition)
- All services are IPv6 ready and work dual stack: STUN/TURN (dual allocation), MySQL, NTP, SSH, DNS resolvers, web server (front end, REST API)
46 MySQL
- Separate DB for each auth method
- MySQL replication: encrypted; netfilter protects the ports; IP address based access control; generated passwords; replication filtered by DB (auth method)
- MySQL events: LTC: revoke the LTC after a year; REST: generate a new shared secret daily, revoke the API token after a year
- Shared key aging limits the damage if a REST TURN server is compromised
47 MySQL DB Schemas
48 STUN & Long Term Credential
- STUN LTC authentication is optional according to the RFC
- Pros: the same auth policy for STUN and TURN; avoid attacks and server discovery; avoid crawler robots scanning the Internet for vulnerable open STUN/TURN services (version fingerprinting); avoid detection of the STUN server topology (alternate address and port)
- Con: the work involved in authenticating the request is more than the work in simply processing it
- Reality: lack of browser implementation
49 STUN & LTC: Chrome log
    [1:12:0418/145114:ERROR:stunport.cc(79)] reason='unauthorized'
    [1:12:0418/145114:ERROR:stunport.cc(79)] reason='unauthorized'
    [1:12:0418/145114:ERROR:stunport.cc(79)] reason='unauthorized'
    [1:12:0418/145114:ERROR:stunport.cc(79)] reason='unauthorized'
    [1:12:0418/145114:ERROR:stunport.cc(79)] reason='unauthorized'
    Binding error response: class=4 number=1
    Binding error response: class=4 number=1
    Binding error response: class=4 number=1
    Binding error response: class=4 number=1
    Binding error response: class=4 number=1
- Turned out from the source: the STUN auth challenge (error class 4, number 1 = 401 Unauthorized) is not handled in stunport.cc
50 nICEr (Firefox ICE stack): TODO in src/stun/stun_client_ctx.c
51 OAuth Browser Implementation Status
- Chrome: open issue 4907, not happening in Q1
- Firefox: open Bug: , not implemented; warning for app devs from Mozilla 47
52 OAuth & TURN
- No PHP library supports Authenticated Encryption with Associated Data (AEAD); OpenSSL samples:
- coturn: self-contained OAuth token validation implemented in src/client/ns_turn_msg.c:
    int encode_oauth_token(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken, const u08bits *nonce)
53 Built-in STUN
- Chrome: stun.l.google.com:19302; no service agreement about long-term availability; it is up to the browser vendor
- Firefox: media.peerconnection.default_iceservers;[] and media.peerconnection.ice.tcp;false; the default STUN server stun.services.mozilla.com was removed from version 41 (Bug: )
- Built-in STUN SLA is not well defined
54 Lessons Learned
- STUN Binding with LTC is not supported in browsers
- Port numbers: standard ports, standard alternate port, plus 80 and 443 for strict firewalls
- NAT discovery: multiple IP addresses required
- Decisions & lessons: LTC: GeoIP vs Anycast, OpenDNSSEC does not support views; REST API: GeoIP and Vincenty vs Google Maps API; OAuth (coming soon..): wait for browser support
55 Future directions
- Utilize untapped coturn features: STUN origin, quotas (bandwidth, session), admin interface
- Monitoring
- Improve the user interface: front end, REST API
- coturn logging: central file collection, analytics, anomaly detection
- Support, helpdesk: app developer API examples, investigating problems
- Service monitoring (SLA): VM, OS, DB, coturn; alerts
56 Make or Buy?
- We have in place: infrastructure (virtual/physical machine, a small instance is required), networking service (high bandwidth capacity)
- Non-technical reasons: trust; transparency; time spent following market players' (moving) offerings; IPv6; time spent negotiating price; secure and encrypted; procurement fees; updated; open source from public money
- NREN and commercial market have different priorities: the education market is not big enough to get features implemented
57 Symposium Demos
58 GN4 Symposium Demo: WebTut
- Teacher <=> Student, symmetric NAT, tablet and PC
- What happens: 1. without STUN/TURN; 2. with STUN/TURN; 3. two endpoints in the same LAN segment
59 In practice
60 Summary
- ICE, if possible, provides E2E communication (lowest latency)
- Standards-based NAT/firewall traversal and smooth IPv6 transition
- According to the WebRTC transport draft ICE is a MUST: "ICE [RFC5245] MUST be supported."
- ICE needs STUN/TURN server infrastructure
- A GÉANT4 PoC service is up and running. Next step? Pilot...
- Leading edge collaboration technologies serving the NREN community's communication needs
61 Questions? CONTACT:
More informationSome of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du. Firewalls. Chester Rebeiro IIT Madras
Some of the slides borrowed from the book Computer Security: A Hands on Approach by Wenliang Du Firewalls Chester Rebeiro IIT Madras Firewall Block unauthorized traffic flowing from one network to another
More informationWebRTC Manual. WebRTC (Web Real-Time Communication) is an API definition drafted by the World Wide Web
WebRTC Manual Introduction of WebRTC WebRTC (Web Real-Time Communication) is an API definition drafted by the World Wide Web Consortium(W3C) and supported by companies such as Google, Mozilla and Opera
More informationOffice 365 and Azure Active Directory Identities In-depth
Office 365 and Azure Active Directory Identities In-depth Jethro Seghers Program Director SkySync #ITDEVCONNECTIONS ITDEVCONNECTIONS.COM Agenda Introduction Identities Different forms of authentication
More informationCommunications Software. CSE 123b. CSE 123b. Spring Lecture 10: Mobile Networking. Stefan Savage
CSE 123b CSE 123b Communications Software Spring 2003 Lecture 10: Mobile Networking Stefan Savage Quick announcement My office hours tomorrow are moved to 12pm May 6, 2003 CSE 123b -- Lecture 10 Mobile
More informationQuick announcement. CSE 123b Communications Software. Last class. Today s issues. The Mobility Problem. Problems. Spring 2003
CSE 123b Communications Software Quick announcement My office hours tomorrow are moved to 12pm Spring 2003 Lecture 10: Mobile Networking Stefan Savage May 6, 2003 CSE 123b -- Lecture 10 Mobile IP 2 Last
More informationCCNA. Murlisona App. Hiralal Lane, Ravivar Karanja, Near Pethe High-School, ,
CCNA Cisco Certified Network Associate (200-125) Exam DescrIPtion: The Cisco Certified Network Associate (CCNA) Routing and Switching composite exam (200-125) is a 90-minute, 50 60 question assessment
More informationNetwork Configuration Example
Network Configuration Example Configuring Stateful NAT64 for Handling IPv4 Address Depletion Release NCE0030 Modified: 2017-01-23 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089
More informationPlanning for Information Network
Planning for Information Network Lecture 7: Introduction to IPv6 Assistant Teacher Samraa Adnan Al-Asadi 1 IPv6 Features The ability to scale networks for future demands requires a limitless supply of
More informationLoad Balancing Microsoft Remote Desktop Services. Deployment Guide v Copyright Loadbalancer.org
Load Balancing Microsoft Remote Desktop Services Deployment Guide v2.0.2 Copyright Loadbalancer.org Table of Contents About this Guide...4 2. Loadbalancer.org Appliances Supported...4 3. Loadbalancer.org
More informationSample excerpt. Virtual Private Networks. Contents
Contents Overview...................................................... 7-3.................................................... 7-5 Overview of...................................... 7-5 IPsec Headers...........................................
More informationNetwork Address Translator Traversal Using Interactive Connectivity Establishment
HELSINKI UNIVERSITY OF TECHNOLOGY Department of Communications and Networking S-38.3138 Networking Technology, Special Assignment Veera Andersson Network Address Translator Traversal Using Interactive
More informationD-Link DSR Series Router
D-Link DSR Series Router U s e r M a n u a l Copyright 2010 TeamF1, Inc. All rights reserved Names mentioned are trademarks, registered trademarks or service marks of their respective companies. Part No.:
More informationAzure Compute. Azure Virtual Machines
Azure Compute Azure Virtual Machines Virtual Machines Getting started Select image and VM size New disk persisted in storage Management portal Windows Server Boot VM from new disk >_ Scripting (Windows,
More informationM2M / IoT Security. Eurotech`s Everyware IoT Security Elements Overview. Robert Andres
M2M / IoT Security Eurotech`s Everyware IoT Security Elements Overview Robert Andres 23. September 2015 The Eurotech IoT Approach : E2E Overview Application Layer Analytics Mining Enterprise Applications
More information[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions
[MS-TURNBWM]: Traversal using Relay NAT (TURN) Bandwidth Management Extensions Intellectual Property Rights Notice for Open Specifications Documentation Technical Documentation. Microsoft publishes Open
More informationSecuring Connections for IBM Traveler Apps. Bill Wimer STSM for IBM Collaboration Solutions December 13, 2016
Securing Connections for IBM Traveler Apps Bill Wimer (bwimer@us.ibm.com), STSM for IBM Collaboration Solutions December 13, 2016 IBM Technote Article #21989980 Securing Connections for IBM Traveler mobile
More informationIETF Video Standards A review, some history, and some reflections. Colin Perkins
IETF Video Standards A review, some history, and some reflections Colin Perkins Internet Engineering Task Force The goal of the IETF is to make the Internet work better Technical development of protocol
More informationThis is a sample chapter of WebRTC: APIs and RTCWEB Protocols of the HTML5 Real-Time Web by Alan B. Johnston and Daniel C. Burnett.
This is a sample chapter of WebRTC: APIs and RTCWEB Protocols of the HTML5 Real-Time Web by Alan B. Johnston and Daniel C. Burnett. For more information or to buy the paperback or ebook editions, visit
More informationExam Questions
Exam Questions 300-101 ROUTE Implementing Cisco IP Routing https://www.2passeasy.com/dumps/300-101/ 1. When using SNMPv3 with NoAuthNoPriv, which string is matched for authentication? A. username B. password
More informationVNS3 Configuration. Quick Launch for first time VNS3 users in Azure
VNS3 Configuration Quick Launch for first time VNS3 users in Azure Table of Contents Setup 3 Notes 9 Create a Static IP 12 Create a Network Security Group 14 Launch VNS3 from Marketplace 19 VNS3 Unencrypted
More informationDolby Conference Phone. Configuration guide for Avaya Aura Platform 6.x
Dolby Conference Phone Configuration guide for Avaya Aura Platform 6.x Version 3.1 22 February 2017 Copyright 2017 Dolby Laboratories. All rights reserved. Dolby Laboratories, Inc. 1275 Market Street San
More informationWebRTC video-conferencing facilities for research, educational and art societies
WebRTC video-conferencing facilities for research, educational and art societies Bartłomiej Idzikowski, PSNC Maciej Stróżyk, PSNC CRNC2018, Dushanbe, Tajikistan 24.10.2018 The scientific/academic work
More informationVirtual Private Network
VPN and IPsec Virtual Private Network Creates a secure tunnel over a public network Client to firewall Router to router Firewall to firewall Uses the Internet as the public backbone to access a secure
More informationSophos Firewall Configuring SSL VPN for Remote Access
Sophos Firewall Configuring SSL VPN for Remote Access Product Version: 1 Document date: October 2014 Contents 1 Introduction 3 2 Configuring Sophos Firewall 4 2.1 Defining a User Account 4 2.2 Configuring
More informationSentinet for BizTalk Server SENTINET
Sentinet for BizTalk Server SENTINET Sentinet for BizTalk Server 1 Contents Introduction... 2 Sentinet Benefits... 3 SOA and API Repository... 4 Security... 4 Mediation and Virtualization... 5 Authentication
More informationSecurity Considerations for IPv6 Networks. Yannis Nikolopoulos
Security Considerations for IPv6 Networks Yannis Nikolopoulos yanodd@otenet.gr Ημερίδα Ενημέρωσης Χρηστών για την Τεχνολογία IPv6 - Αθήνα, 25 Μαίου 2011 Agenda Introduction Major Features in IPv6 IPv6
More informationGN2 JRA5: Roaming and Authorisation
GN2 JRA5: Roaming and Authorisation Jürgen Rauschenbach, DFN TF-NGN Athens 03/11/05 Introduction JRA5 builds a European Roaming Infrastructure (eduroamng) taking into account existing experience from the
More informationIPv6 in Campus Networks
IPv6 in Campus Networks Dave Twinam Manager, Technical Marketing Engineering Internet Systems Business Unit dtwinam@cisco.com Cisco Twinam IPv6 Summit 2003 Cisco Systems, Inc. All rights reserved. 1 IPv6
More information