Securing Access to Mobile Operator Core Networks using IKEv2


1 Securing Access to Mobile Operator Core Networks using IKEv2
- Master’s Thesis
- Author: Pekka Nurmi
- Supervisor: Joerg Ott
- September 21, 2018

2 Agenda
- Background
- Methodology
- Security Protocols for IP Networks
- Operator’s Network Architectures
- Testing IKEv2 Implementations
- Feasibility in Operator’s Environment
- Conclusions

3 Background
- The amount and the value of internet traffic grow
- Insecurity of the networks and the risks grow
- IP based networks -> IP security (IPsec)
- Enhanced version of IPsec defined by the IETF in December 2005
  - New key exchange protocol IKEv2
    - more efficient
    - more secure
- First implementations during 2006
  - need for testing in the mobile operator’s environment
- "Are IKEv2 based Virtual Private Networks (VPNs) feasible in an operator’s network environment?"

4 Methodology
The study is conducted in three parts:
1. Literature study
  - Security protocols for IP networks (IETF)
  - Operator’s network architectures (3GPP)
2. Testing
  - 3 cases = 3 different IKEv2 implementations
  - Measurements using network analyzer tools
3. Feasibility evaluation
  - Operator solutions
  - Issues and improvements

5 Security Protocols for IP networks 1/3
- IPsec creates VPN tunnels and provides security for the insecure IP protocol
  - access control, connectionless integrity, data origin authentication, confidentiality, and anti-replay protection
- Security protocols
  - Encapsulating Security Payload (ESP)
  - Authentication Header (AH)
- Key management
  - Internet Key Exchange (IKEv2)

6 Security Protocols for IP networks 2/3
- IKEv2
  - Key negotiation protocol for performing mutual authentication and setting up IPsec security associations
  - 4 message exchanges
    - IKE_SA_INIT and IKE_AUTH
    - CREATE_CHILD_SA
    - INFORMATIONAL
- MOBIKE
  - IKEv2 Mobility and Multihoming protocol
  - VPN client can move and change address without breaking the SA
  - New protocol; no implementations tested yet
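
The four exchanges listed on this slide can be told apart in a packet capture by the Exchange Type byte of the fixed IKE header. The parser below is an added example, not part of the presentation or the thesis; the header layout and type values follow RFC 7296, and the sample datagrams and the `make_sample` helper are constructed for illustration.

```python
import struct

# Exchange Type values from the IKEv2 specification (RFC 7296, section 3.1)
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
HEADER = struct.Struct("!8s8sBBBBII")  # fixed 28-byte IKE header


def parse_ike_header(datagram: bytes) -> dict:
    """Parse the fixed IKEv2 header of a UDP/500 payload; ValueError if malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than the 28-byte IKE header")
    (spi_i, spi_r, next_payload, version,
     exch, flags, msg_id, length) = HEADER.unpack_from(datagram)
    if version >> 4 != 2:
        raise ValueError(f"not IKEv2 (major version {version >> 4})")
    if length < HEADER.size or length > len(datagram):
        raise ValueError("length field inconsistent with datagram size")
    return {
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "from_initiator": bool(flags & 0x08),   # I flag
        "is_response": bool(flags & 0x20),      # R flag
        "message_id": msg_id,
        "initiator_spi": spi_i.hex(),
        "responder_spi": spi_r.hex(),
        # First payload type 46 is the Encrypted payload, used once keys exist
        "encrypted": next_payload == 46,
    }


def make_sample(exch, flags, msg_id, spi_r, next_payload, body=b"\x00" * 4):
    """Build a constructed datagram (not a real capture); body is filler."""
    return HEADER.pack(b"\x11" * 8, spi_r, next_payload, 0x20, exch, flags,
                       msg_id, HEADER.size + len(body)) + body


# Constructed samples: the initial exchanges followed by an INFORMATIONAL
SAMPLES = [
    make_sample(34, 0x08, 0, b"\x00" * 8, 33),  # IKE_SA_INIT request
    make_sample(34, 0x20, 0, b"\x22" * 8, 33),  # IKE_SA_INIT response
    make_sample(35, 0x08, 1, b"\x22" * 8, 46),  # IKE_AUTH request
    make_sample(37, 0x08, 2, b"\x22" * 8, 46),  # INFORMATIONAL request
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(parse_ike_header(d))
```
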

7 Security Protocols for IP networks 3/3
- IKEv2 authentication in operator’s network
  - AAA protocol (RADIUS, Diameter)
  - EAP-SIM
    - SIM card based authentication
  - EAP-AKA for 3G

8 Operator’s Network Architectures 1/3
- Access Networks
  - GERAN / UTRAN
  - WLAN
- Core Network
  - CS & PS domains
  - AAA services
  - IMS services

9 Operator’s Network Architectures 2/3
- IMS services using IKEv2
- Tunneled connection to the operator’s PDG

10 Operator’s Network Architectures 3/3
- Mobility management in IKEv2 (in 3GPP2)
  - MOBIKE for intra Access Network handoff
  - MIP for inter AN handoff

11 Testing IKEv2 Implementations 1/3
- Case 1
  - IP based solution
  - laptop client (Linux)
- Case 2
  - Mobile phone client (Symbian S60)
- Case 3
  - 3G and IP based solution (TTG)
  - 2 clients
    - Laptop (Windows XP)
    - PDA (Windows Mobile 5.0)

12 Testing IKEv2 Implementations 2/3
- Test Case Architectures: Cases 1 & 2

13 Testing IKEv2 Implementations 3/3
- Case 3

14 Testing IKEv2 Implementations 4/4
- Measurement results

15 Feasibility in Operator’s Environment 1/4
- Present Situation
  - Approx. 86 % of organizations (turnover >10M€) in Finland used VPN solutions already in 2005.
  - Nearly 70% of mobile workers used VPN by 2006 in the U.S.
  - IPsec is the most popular VPN technology
  - VPN business is centralized between a few big vendors

16 Feasibility in Operator’s Environment 2/4
- Solution 1
  - Hosted VPN access to an enterprise’s intranet
  - Same service for the 3G and IP (e.g. WLAN) access
  - SIM-card based authentication in both cases

17 Feasibility in Operator’s Environment 3/4
- Solution 2
  - Bundle several secure network access elements in one package
    - Laptop/mobile phone
    - 3G and WLAN
    - SIM-card
    - IKEv2/IMS
  - VPN client for enterprises and consumers

18 Feasibility in Operator’s Environment 4/4
- Issues and Improvements
  - Choices for Clients
  - Interoperability
  - Mobility management
  - Signalling traffic optimization

19 Conclusions
- Secure connections are needed
- IKEv2 and IPsec specifications provide enhanced IP security
- IKEv2 implementations appear to be promising technology
- A few important issues to solve with every tested implementation
- IMS services can be used safely through an IKEv2 tunnel
- Large-scale scalability testing needed
- The old security solutions are still valid, but for how long?

20 The Nordic and Baltic telecommunications leader

