Advanced Computer Networks - IAIK, Gsenger, Nindl, Pointner, Graz, 23.5.2008: Secure Anycast Tunneling Protocol (presentation transcript)


Slide 1: Secure Anycast Tunneling Protocol

Slide 2: Content
– Anycast
– Secure Anycast Tunneling Protocol (SATP)
– Usage Scenarios
– Anytun (a SATP implementation)
– Demonstration

Slide 3: Anycast

Slide 4: Types of addresses in IP networks
Unicast
– 1 IP address / host
– Data is sent to exactly that host
Broadcast
– 1 IP address / network
– Data is sent to all hosts on the network
Multicast
– 1 IP address for multiple hosts
– Data is sent to all hosts having the IP address

Slide 5: Types of addresses in IP networks
Anycast
– 1 IP address for multiple hosts
– Data is sent to only one host
– Which host receives the data might change at any time
Why use anycast?
– Load balancing
– Fault tolerance / redundancy
– Build scalable clusters
– Extend or shrink clusters while in operation

Slide 6: Anycast example (DNS)

Slide 7: How to realise anycast
The simple way
– Give two hosts in a LAN the same IP address
– Works, but has many problems (ARP table cache timeouts, ...)
The more powerful way
– Use a routing protocol to decide which host receives the data
– Works great
– Fault tolerance only if the anycast host runs a routing daemon

Slide 8: Routing in the Internet
What is the "Internet" anyway?
– The Internet is an interconnect of independent networks
– Such independent networks are called Autonomous Systems (e.g. Telekom Austria, UPC, Geant, ...)
Where is routing done?
– Inside Autonomous Systems by interior gateway protocols like OSPF or IS-IS
– Between Autonomous Systems by the exterior routing protocol BGP4 (Border Gateway Protocol version 4)

Slide 9: What is an Autonomous System (AS)?
An AS is multi-homed
– Has a connection to at least two other ASes (upstream ISPs, customers or peering partners)
An AS has its own IP addresses
– At least /24 for IPv4 (256 addresses)
– At least /32 for IPv6 (65536 end customer networks = /48)
An AS has an Autonomous System Number (ASN)
– IP addresses and ASNs for Europe are managed by RIPE

Slide 10: How to announce an anycast route?
Inside an AS
– Give 2 hosts the same IP address
– Connect the hosts to separate routers
– Announce the route in the routers
– The network will see only one multi-homed host
Global
– Announce a whole network at different routers / locations
– Connect the anycast hosts to the routers
– Again it looks like a multi-homed network to the Internet

Slide 11: BGPlay

Slide 12: Why do global anycast?
Anycast advantages
– Load balancing
– Fault tolerance / redundancy
– Build scalable clusters
– Extend or shrink clusters while in operation
Anycast routing advantages
– Geographic load balancing
– Shortest route in the Internet
– Minimum delay for the data

Slide 13: Secure Anycast Tunneling Protocol (SATP)

Slide 14: SATP
– Encapsulation
– Key Handshake / NAT Traversal
– Crypto
– Replay Protection
– Synchronisation

Slide 15: Encapsulation
SATP is a tunnel protocol similar to GRE or IPSec ESP in tunnel mode

Slide 16: SATP Header

Slide 17: SATP – encrypted part

Slide 18: SATP – authenticated part

Slide 19: Key exchange / NAT Traversal
– OpenVPN
– IPSec

Slide 20: Key exchange / NAT Traversal cont'd
SATP
– External key exchange (i.e. IKE)
– NAT traversal and encapsulation are done by SATP

Slide 21: Crypto – cryptographic context
The cryptographic context used for key calculation consists of packet-independent and packet-specific data.
Packet independent
– Master Key
– Master Salt
Packet specific
– Sequence Number
– Sender ID
– Mux

Slide 22: Crypto – Encryption

Slide 23: Crypto – Authentication

Slide 24: Replay Protection
– An attacker may record any packet and resend it to you
– Store all sequence numbers received in a list
– Use a sequence window to save memory

Slide 25: Replay Protection and anycast
– An anycast sender doesn't know about the sequence numbers used by other anycast senders
– Sequence numbers would have to be synchronised
– Every anycast sender would have to send a synchronisation packet to every other anycast sender for every packet it sends out on the Internet
– This is too much overhead

Slide 26: SATP – Replay Protection
– Own sequence window for each sender
– For anycast senders the sender ID is used to distinguish between sequence windows
– IPSec doesn't have sender IDs, therefore you can't combine replay protection and anycast
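As an added example, not from the slides or from Anytun, the replay check of slides 24 to 26 in Python: a sliding sequence window per sender ID, plus a switch that collapses everything into a single window to show why a protocol without sender IDs breaks on the second anycast sender. The window width, class names and packet trace are assumptions made here.

```python
# Added example (not from the slides or Anytun): sliding-window replay check
# keyed by sender ID; window width and the trace below are constructed values.
from typing import Dict, List, Tuple

WINDOW_SIZE = 64  # assumed window width in sequence numbers

class SeqWindow:
    """Sliding window over received sequence numbers (ESP-style bitmap)."""

    def __init__(self) -> None:
        self.highest = -1   # highest sequence number accepted so far
        self.bitmap = 0     # bit i set <=> sequence number (highest - i) was seen

    def check_and_update(self, seq: int) -> bool:
        if seq > self.highest:
            # New high-water mark: slide the window forward and mark seq.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW_SIZE) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= WINDOW_SIZE:
            return False    # older than the window: cannot be checked, drop it
        if self.bitmap & (1 << offset):
            return False    # already received: this is a replay
        self.bitmap |= 1 << offset
        return True         # late but new packet inside the window

class ReplayProtection:
    """One window per sender ID, so anycast senders need no shared counter."""

    def __init__(self, per_sender: bool = True) -> None:
        self.per_sender = per_sender
        self.windows: Dict[int, SeqWindow] = {}

    def accept(self, sender_id: int, seq: int) -> bool:
        key = sender_id if self.per_sender else 0   # False: one window, no sender IDs
        return self.windows.setdefault(key, SeqWindow()).check_and_update(seq)

def run(packets: List[Tuple[int, int]], per_sender: bool) -> List[bool]:
    """Feed (sender_id, seq) pairs through the check; True means accepted."""
    rp = ReplayProtection(per_sender)
    return [rp.accept(sid, seq) for sid, seq in packets]

# Constructed trace: two anycast senders both start at 0, then sender 1's
# first packet is replayed, a jump to 100 and two late packets follow.
TRACE = [(1, 0), (2, 0), (1, 1), (2, 1), (1, 0), (1, 100), (1, 36), (1, 37)]
```

With per-sender windows only the replayed packet and the one older than the window are dropped; with a single shared window every packet from sender 2 is wrongly rejected as a replay of sender 1's numbers.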

Slide 27: Synchronisation
– Synchronisation has to be done between anycast senders only
– Only little information has to be synchronised
  – master key and salt
  – peer's IP address and port
– SATP only defines what to synchronise, not how

Slide 28: SATP Usage Scenarios

Slide 29: SATP applications: VPN

Slide 30: SATP applications: VPN

Slide 31: SATP applications: securing anycast services

Slide 32: SATP applications: SIP/anyRTPProxy

Slide 33: Special Thanks
Netidee / Internet Privatstiftung Austria
Mur.at
– LIR: IP addresses, AS
– Server housing (with BGP4)
FunkFeuer Vienna & Graz
– Server housing (with BGP4)

Slide 34: Anytun (a SATP implementation)

Slide 35: Anytun
– SATP reference implementation
– Implemented in C++
– Similar interface to OpenVPN
– tun / tap devices
– Fully customizable topology: client/server, P2P, mesh
– Fully customizable routing: access to the internal routing information

Slide 36: Anytun
– Tunneling of IPv4, IPv6 and Ethernet over UDP
– Support for NAT and changing IP addresses
– Full support for cluster synchronisation and load balancing
– State of the art encryption
  – AES encryption
  – SHA1 authentication

Slide 37: Questions

Slide 38: Questions
What is anycast?
– 1 IP address for multiple hosts
– Data is sent to only one host
– Which host receives the data might change at any time
Describe the advantages of anycast
– Load balancing
– Fault tolerance / redundancy
– Build scalable clusters
– Extend or shrink clusters while in operation

Slide 39: Questions
What are the requirements for encryption used with anycast?
– The cryptographic context has to be present in every packet (e.g. sequence number) or has to be statically known (e.g. master key)
What is replay protection and why is it needed?
– It's a list of received packets.
– Duplicate packets are ignored.
– It's needed to protect against data that is recorded by the attacker and replayed at a later time.

Slide 40: Questions
List 3 applications for anycast
– DNS
– 6to4
– VPN
– anycast RTP-Proxy
How can anycast be realised (two variants)?
– Give 2 hosts the same IP address on the LAN
– Announce the IP address multiple times in a routing protocol

Slide 41: Live Demonstration

