
Re-thinking Security in Network Mobility Jukka Ylitalo Ericsson Research NomadicLab NDSS '05 Workshop - February 2



Presentation Transcript


  1. Re-thinking Security in Network Mobility Jukka Ylitalo Ericsson Research NomadicLab NDSS '05 Workshop - February 2

  2. Outline
  • Nodes in the Architecture
  • Problem description
  • Identifier – locator split in HIP
  • Identifier multiplexed locator translation
  • Signaling delegation between identifiers
  • Conclusions

  3. Nodes in the Architecture
  (Diagram of the nodes: Correspondent Node (CN), the Internet, Rendezvous Server (RS), Access Router (AR), Mobile Router (MR) with its mobile network, a nested mobile network behind a second MR, and Mobile Node (MN).)

  4. Problem Statement
  • How to inform peers about the MN's new location in a secure and efficient way?
  • How to sustain optimal routing?
  (Diagram: the MN behind an MR moves between two ARs; the CN receives an address Binding Update (BU) and runs a challenge-response test.)

  5. Related Problems
  • Signaling explosion in highly populated networks.
  • Suboptimal routing.
  • Authorizing the MR to signal on behalf of the MN.
  • Address assignment inside the mobile network.

  6. Identifier - Locator Split in HIP
  • A new public-key based Host Identifier (HI) name space.
  • Sockets bound to HIs, not to IP addresses.
  • HIs translated to IP addresses by the kernel.
  (Diagram of the stack: Process; Transport, bound to <HI, port>; Host Identity layer holding the Host ID, with a dynamic binding to the IP layer; IP layer holding the IP address; Link layer.)

  7. Advantage of Cryptographic HIs
  • Public-key based end-point identifiers (HIs) vs. untrustworthy IP addresses.
  • Possible to authorize and delegate signaling rights between HIs in a secure way.
  • Possible to use authorization certificates, e.g., SPKI certificates.

  8. HI multiplexed Locator Translation
  • The MN registers its HI and local unicast address with the MR.
  • The MN learns the MR's HI during the registration.
  • The MR implements HI multiplexed locator translation.
  (Diagram: the MN, in the local unicast address space behind the MR, registers with the MR, which connects it to the Internet.)

  9. Authorizing MR to send BUs
  • The MR hides the network mobility from the MNs.
  • The MNs authorize the MR to send Binding Update messages on their behalf to the CNs.
  (Diagram: the MR moves between two ARs, changing its care-of address from MR-CoA1 to MR-CoA2, while the MN keeps MN-CoA1; the MN gives the MR an authorization, and the MR sends the BU signaling to the CNs and the RS.)

  10. Delegating Rights to Signaling Proxy
  • The MR may delegate the signaling rights to a trusted signaling proxy.
  (Diagram: the MN gives an authorization to the MR, and the MR delegates to a signaling proxy in the Internet beyond the AR.)

  11. Optimizing MR-to-CNs Signaling
  • The signaling proxy sends BUs on behalf of the MNs to the CNs.
  (Diagram: the MR, moving from CoA1 to CoA2 between two ARs, sends a single BU to the signaling proxy; the proxy sends the BU signaling to the CNs and the RS.)

  12. Reachability Test
  • The peer nodes must verify that the MN is at the MR's location where the signaling proxy claims the MN to be.
  (Diagram: challenge-response exchange between the CNs and the MN at the MR's current care-of address, CoA1 or CoA2, via the signaling proxy.)

  13. Optimizing CNs-to-MR Signaling
  • The signaling proxy may hide the regional mobility, acting as an on-the-path Mobility Anchor Point (MAP).
  (Diagram: the signaling proxy, also acting as MAP, fronts a MAP domain containing both ARs; the MR sends a single BU within the domain.)

  14. Many Roles of a Mobile Router
  • Access router (AR)
  • HI multiplexed locator translation device
  • Mobility Anchor Point (MAP)
  • Mobility signaling proxy

  15. Conclusions
  • The solution is based on HIP and signaling rights delegation between public-key based HIs.
  • Optimized over-the-air mobility signaling inside a mobile network, and between the mobile network and the Internet.
  • Optimized routing between MNs and peer nodes.

  16. Thank You! Questions, comments?
