Research on IP Anycast Secure Group Management. Wang Yue, Network & Distribution Lab, Peking University.

1 Research on IP Anycast Secure Group Management. Wang Yue, Network & Distribution Lab, Peking University. Network Research Workshop, th APAN Meetings.

2 List of Topics: Review of IP Anycast; Anycast Security Model; Anycast Group Characteristics; Secure Anycast Listener Discovery (S-ALD).

3 Review of IP Anycast. An IP service defined in RFC 1546 for IPv4 and in RFC 2373 for IPv6. As with multicast, an IP anycast address is assigned to a set of network interfaces; unlike multicast, a packet sent to an anycast address is forwarded only to the "topologically nearest" interface that holds that address.

4 Review of IP Anycast (continued). An anycast group is identified by its anycast address; each member also has a unicast address that identifies it individually.

5 Review of IP Anycast (continued). Address modification for a stateful service (figure in the original): the client first sends to the anycast address (dst = a1); the anycast server, which holds anycast address a1 and unicast address u1, replies from its unicast address (src = u1); the client's later packets of the session are then addressed to that unicast address rather than to a1.

6 List of Topics: Review of IP Anycast; Anycast Security Model; Anycast Group Characteristics; Secure Anycast Listener Discovery (S-ALD).

7 Anycast Security Requirements. Anyone can announce to the routing system or to clients that it is a member of a certain group; therefore anycast is vulnerable to attacks such as masquerading, DoS, etc. The Internet-Draft "Security Requirements of IPv6 Anycast" names three issues: unauthenticated anycast server announcements; source address modification by an anycast server; and secure communication between anycast clients and servers.

8 Secure Channel for Anycast. We need secure channels between anycast members and the routing system, and between anycast members and clients. Certificate-based secure protocols are well suited to this purpose. (In the original figure, red lines denote secure channels.)

9 Authorization Scheme. IPv6 anycast address format: the network prefix defines a topological scope within which all members reside. Global IP Anycast (GIA): the prefix is the null prefix. Regional IP Anycast (RIA): the prefix is not null; AS-inner RIA: the prefix lies inside a single AS; AS-outer RIA: the prefix does not lie inside any single AS.

10 Authorization Scheme (continued). Three separate authorizations are needed: (1) assignment of the anycast address, e.g. by IANA; (2) entitlement of an interface to group membership, e.g. by the group owner; (3) admission control for a group member residing in a certain network region or AS, e.g. by that AS.

11 Authorization Scheme (continued). Authorization hierarchy for GIA and AS-outer RIA addresses (figure in the original; each color denotes one certificate chain).

12 Authorization Scheme (continued). Authorization hierarchy for AS-inner RIA addresses (figure in the original), for the case where the anycast address prefix covers a network inside the AS.

13 Configuration. Group Discoverers must be configured with the public key of IANA or of the local address-assigning authority, and with the public key used to verify admission-control certificates. Clients need only be configured with IANA's public key. After the first successful verification, certificate chains can be truncated to reduce cost.
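To make slides 9 to 13 (and the client-side concern raised on slide 5) concrete, here is an added illustration that is not code from the presentation. It models the three authorizations a Group Discoverer checks before admitting an interface, plus the chain a client can verify with nothing but IANA's key before trusting the unicast address an anycast server redirects it to. Everything in it is an assumption for the sake of the example: certificates are JSON bodies signed with textbook RSA over small primes (a stand-in for real certificate chains, not secure); the address-assignment certificate carries the group owner's public key so that membership chains back to IANA; the Discoverer's trust anchors are IANA's key and its own AS's admission-control key; the function names, certificate fields, addresses and AS number are all made up.

```python
"""Toy model of the three anycast authorizations (slides 9-13) and of the
client-side membership check (slides 5 and 13). Added example; all names,
certificate fields and key sizes are assumptions, not the presentation's."""
import hashlib
import ipaddress
import json
import math

E = 65537  # public exponent; prime and larger than every toy phi, so coprime


def toy_keypair(p, q):
    """Textbook RSA keypair from two small primes: (public, private).
    Illustration only; real deployments would use proper certificates."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(E, phi) == 1
    return (E, n), (pow(E, -1, phi), n)


def _digest(body, n):
    canon = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(canon).digest(), "big") % n


def sign(private_key, body):
    d, n = private_key
    return {"body": body, "sig": pow(_digest(body, n), d, n)}


def verify(public_key, cert):
    e, n = public_key
    return pow(cert["sig"], e, n) == _digest(cert["body"], n)


def scope(anycast_prefix, as_prefixes):
    """Classify an anycast address by its prefix (slide 9)."""
    net = ipaddress.ip_network(anycast_prefix)
    if net.prefixlen == 0:
        return "GIA"
    if any(net.subnet_of(ipaddress.ip_network(p)) for p in as_prefixes):
        return "AS-inner RIA"
    return "AS-outer RIA"


def member_chain_ok(iana_key, anycast, unicast, addr_cert, member_cert):
    """Authorizations 1 and 2: IANA -> group owner -> this interface.
    Needs only IANA's key, so a client can run it before trusting a
    unicast address an anycast server redirected it to (slide 13)."""
    if not verify(iana_key, addr_cert) or addr_cert["body"]["anycast"] != anycast:
        return False
    owner_key = tuple(addr_cert["body"]["owner_pubkey"])  # carried in cert 1
    body = member_cert["body"]
    return (verify(owner_key, member_cert)
            and (body["anycast"], body["unicast"]) == (anycast, unicast))


def authorize_join(req, anchors, as_number, as_prefixes):
    """Group Discoverer side: all three authorizations plus prefix scope.
    Returns (accepted, reason or scope)."""
    addr_cert, admit_cert = req["address_cert"], req["admission_cert"]
    if not member_chain_ok(anchors["iana"], req["anycast"], req["unicast"],
                           addr_cert, req["membership_cert"]):
        return False, "address/membership chain does not verify under IANA's key"
    # Authorization 3: admission by the AS the member resides in.
    adb = admit_cert["body"]
    if (not verify(anchors["as_admission"], admit_cert)
            or (adb["as"], adb["unicast"]) != (as_number, req["unicast"])):
        return False, "admission certificate forged or for another AS/interface"
    # Topological scope: a RIA member must reside inside the anycast prefix.
    prefix = addr_cert["body"]["prefix"]
    kind = scope(prefix, as_prefixes)
    if kind != "GIA" and ipaddress.ip_address(req["unicast"]) not in ipaddress.ip_network(prefix):
        return False, f"{kind} member lies outside prefix {prefix}"
    return True, kind


def build_demo():
    """Constructed keys, certificates and join request (documentation addresses)."""
    iana_pub, iana_priv = toy_keypair(1009, 1013)
    owner_pub, owner_priv = toy_keypair(1019, 1021)
    as_pub, as_priv = toy_keypair(1031, 1033)
    anycast, unicast, asn = "2001:db8:1::a", "2001:db8:1:7::10", 64512
    addr_cert = sign(iana_priv, {"anycast": anycast, "prefix": "2001:db8:1::/48",
                                 "owner_pubkey": list(owner_pub)})
    member_cert = sign(owner_priv, {"anycast": anycast, "unicast": unicast})
    admit_cert = sign(as_priv, {"as": asn, "unicast": unicast})
    req = {"anycast": anycast, "unicast": unicast, "address_cert": addr_cert,
           "membership_cert": member_cert, "admission_cert": admit_cert}
    anchors = {"iana": iana_pub, "as_admission": as_pub}
    return req, anchors, asn, ["2001:db8::/40"], owner_priv, as_priv


if __name__ == "__main__":
    req, anchors, asn, prefixes, _, _ = build_demo()
    print(authorize_join(req, anchors, asn, prefixes))  # (True, 'AS-inner RIA')
```

The design point the code makes explicit is that the three signatures come from three different authorities, so compromising the group owner alone cannot place a member in an AS that has not admitted it, and a client that only knows IANA's key can still reject a unicast address that no membership certificate binds to the anycast address it contacted.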

14 List of Topics: Review of IP Anycast; Anycast Security Model; Anycast Group Characteristics; Secure Anycast Listener Discovery (S-ALD).

15 Host-based Anycast using MLD. This Internet-Draft proposes discovering anycast members in the same way as the Multicast Listener Discovery (MLD) protocol: a host sends a Report or Leave to the adjacent router (i.e. the Group Discoverer) when it joins or leaves a group, and Group Discoverers periodically send a Query to learn the status of adjacent members.

16 Anycast Group Characteristics. Semantically, each anycast group provides a service. Normally, members join or leave a group, and so advertise this to Group Discoverers, only rarely; members should report their status more frequently than that. The processing delay for a join is not strictly constrained, since other members can provide the same service in the meantime; the processing delay for a leave should be as low as possible. The locations of anycast members can be rather limited and stable, so there is no need to deploy a Group Discoverer at every access border of the routing system; this is both economical and secure.

17 List of Topics: Review of IP Anycast; Anycast Security Model; Anycast Group Characteristics; Secure Anycast Listener Discovery (S-ALD).

18 Secure Anycast Listener Discovery. The scenario: a secure channel between an anycast member and its Group Discoverer is built over IPsec during the join phase, by authenticating the certificates described above.

19 S-ALD Features. Members report actively rather than in response to a Query, which largely removes network bursts. Members and Group Discoverers need not be on the same link. Group Discoverers should record the status of registered members, for the sake of the secure sessions; other information, e.g. a member's load, may be useful when choosing anycast routes. Given the anycast group characteristics above, S-ALD is secure, low in overhead and manageable.
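The following is an added illustration, not code from the presentation, of the member state a Group Discoverer keeps under S-ALD as described on slides 16 and 19: members that have already passed the join authorization send periodic Reports carrying a load value, a Leave is honoured immediately, and a member whose Reports stop is expired after a fixed number of missed intervals. The report interval, the miss threshold, the class and method names and the addresses are all assumptions; the clock is passed in explicitly so the walk-through runs offline.

```python
"""Group Discoverer state table for S-ALD (slides 16 and 19). Added example;
the interval, threshold, names and addresses are assumptions."""
from dataclasses import dataclass

REPORT_INTERVAL = 30.0   # seconds between member reports (assumed value)
MISSED_REPORTS = 3       # reports to miss before the entry is dropped (assumed)


@dataclass
class Member:
    unicast: str
    anycast: str
    last_report: float
    load: float = 0.0    # optional hint for anycast route choice


class GroupDiscoverer:
    def __init__(self):
        self.members = {}  # (anycast, unicast) -> Member

    def join(self, anycast, unicast, now):
        """Register a member. Join latency is not critical (other members serve
        meanwhile); the secure session and certificate checks are assumed done."""
        self.members[(anycast, unicast)] = Member(unicast, anycast, now)

    def report(self, anycast, unicast, now, load=0.0):
        """Active report from a member: refresh its timer and record its load.
        Reports from unregistered members (no secure session) are ignored."""
        m = self.members.get((anycast, unicast))
        if m is None:
            return False
        m.last_report, m.load = now, load
        return True

    def leave(self, anycast, unicast):
        """Leave takes effect at once so no traffic is steered to a gone member."""
        return self.members.pop((anycast, unicast), None) is not None

    def expire(self, now):
        """Drop members silent for MISSED_REPORTS intervals; return their addresses."""
        deadline = now - REPORT_INTERVAL * MISSED_REPORTS
        dead = [k for k, m in self.members.items() if m.last_report < deadline]
        for k in dead:
            del self.members[k]
        return [k[1] for k in dead]

    def candidates(self, anycast):
        """Active members of a group, least loaded first (a routing hint)."""
        ms = [m for m in self.members.values() if m.anycast == anycast]
        return [m.unicast for m in sorted(ms, key=lambda m: m.load)]


def demo():
    """Walk through join, report, leave and expiry on constructed addresses."""
    gd = GroupDiscoverer()
    a1 = "2001:db8:a::1"                       # constructed anycast address
    gd.join(a1, "2001:db8:1::10", now=0.0)
    gd.join(a1, "2001:db8:2::10", now=0.0)
    gd.report(a1, "2001:db8:1::10", now=30.0, load=0.7)
    gd.report(a1, "2001:db8:2::10", now=30.0, load=0.2)
    order = gd.candidates(a1)                  # least loaded member first
    left = gd.leave(a1, "2001:db8:2::10")      # True: removed immediately
    gd.report(a1, "2001:db8:1::10", now=60.0, load=0.5)
    expired_early = gd.expire(now=120.0)       # [] : still within 3 intervals
    expired = gd.expire(now=200.0)             # the silent member is dropped
    return order, left, expired_early, expired


if __name__ == "__main__":
    print(demo())
```

Because members push Reports on their own schedule, the Discoverer never has to send a Query that triggers simultaneous replies from the whole group, which is the burst the slide refers to; the cost is that the Discoverer must hold per-member state and enforce its own expiry.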

20 Our Contributions: an authorization scheme for secure anycast; the anycast group characteristics; the resulting S-ALD protocol.

21 Prospect. IP anycast is useful for service discovery, automatic configuration, load balancing, etc. But, out of security concerns, IPv6 requires that anycast addresses must NOT be assigned to hosts "until more experience has been gained and solutions agreed upon". With anycast secure group management, this restriction can be lifted.

22 The End

23 Questions?