Re-thinking Security in Network Mobility

Jukka Ylitalo

Ericsson Research NomadicLab

NDSS '05 Workshop - February 2

Outline
  • Nodes in the Architecture
  • Problem description
  • Identifier – locator split in HIP
  • Identifier multiplexed locator translation
  • Signaling delegation between identifiers
  • Conclusions
Nodes in the Architecture
  • Correspondent Node (CN)
  • Rendezvous Server (RS)
  • Access Router (AR)
  • Mobile Router (MR)
  • Mobile Node (MN)

Figure (topology): CN and RS in the Internet; AR; MR in front of a mobile network; a second MR in front of a nested mobile network; MN.

Problem Statement
  • How to inform peers about MN's new location in a secure and efficient way?
  • How to sustain optimal routing?

Figure: the MN sits behind an MR reachable through either of two ARs; the CN expects an Address Binding Update (BU) and a challenge-response test; a '?' marks the open question between the MR and the MN.

Related Problems
  • Signaling explosion in highly populated networks.
  • Suboptimal routing.
  • Authorizing MR to signal on behalf of the MN.
  • Address assignment inside mobile network.
Identifier – Locator Split in HIP
  • A new public-key based Host Identifier (HI) name space.
  • Sockets are bound to HIs, not to IP addresses.
  • HIs are translated to IP addresses by the kernel.

Figure (layer stack): Process; Transport, addressed by <HI,port>; Host Identity layer holding the Host ID, with a dynamic binding to the IP layer; IP layer holding the IP address; Link layer.

Advantage of Cryptographic HIs
  • Public-key based end-point identifiers (HIs) vs. untrustworthy IP addresses.
  • Possible to authorize and delegate signaling rights between HIs in a secure way.
  • Possible to use authorization certificates, e.g., SPKI certificates.
HI multiplexed Locator Translation
  • MN registers its HI and local unicast address to MR.
  • MN learns MR's HI during the registration.
  • MR implements HI multiplexed locator translation.

Figure: the MR sits between the Internet and a local unicast address space; the MN registers with the MR.
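The following Go program is an added example and not code from the talk or from any HIP implementation. It models the identifier – locator split of the previous slides together with the HI multiplexed locator translation described here: the MR keeps a table from registered HITs to local unicast addresses, every registered MN shares the MR's one care-of address towards the Internet, and the HIT is what demultiplexes inbound traffic. HITOf (a truncated SHA-256 over the HI bytes), the Packet layout, and all key bytes and addresses are constructed assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// HIT is the hashed form of a Host Identifier (public key). It names the end
// point and does not change when the node or its mobile network moves.
type HIT string

// HITOf derives a HIT from an HI: here the 128 leftmost bits of SHA-256 over
// the public-key bytes (a constructed simplification, not the HIP HIT format).
func HITOf(hostIdentity []byte) HIT {
	sum := sha256.Sum256(hostIdentity)
	return HIT(hex.EncodeToString(sum[:16]))
}

// Packet is a constructed stand-in for a HIP-protected datagram: it carries
// the end-point identifiers (HITs) separately from the locators (IP addresses).
type Packet struct {
	SrcHIT, DstHIT HIT
	SrcLoc, DstLoc string
	Payload        string
}

// MobileRouter translates locators for the MNs registered with it. All MNs
// share the MR's single care-of address; the HIT tells them apart.
type MobileRouter struct {
	HIT      HIT
	CoA      string         // current care-of address on the Internet side
	bindings map[HIT]string // registered MN HIT -> local unicast address
}

func NewMobileRouter(hostIdentity []byte, coa string) *MobileRouter {
	return &MobileRouter{HIT: HITOf(hostIdentity), CoA: coa, bindings: map[HIT]string{}}
}

// Register binds an MN's HI to its local unicast address and hands back the
// MR's own HIT, which is how the MN learns the MR's HI during registration.
func (mr *MobileRouter) Register(mnHostIdentity []byte, localAddr string) HIT {
	mr.bindings[HITOf(mnHostIdentity)] = localAddr
	return mr.HIT
}

// Move gives the MR a new care-of address. The binding table is untouched,
// so the MNs never see the change.
func (mr *MobileRouter) Move(newCoA string) { mr.CoA = newCoA }

// Outbound rewrites the source locator of a packet leaving the mobile
// network. It refuses packets whose source HIT is not bound to the local
// address they come from, so one registered MN cannot send as another.
func (mr *MobileRouter) Outbound(p Packet) (Packet, error) {
	local, ok := mr.bindings[p.SrcHIT]
	if !ok {
		return Packet{}, fmt.Errorf("outbound: unregistered HIT %s", p.SrcHIT)
	}
	if p.SrcLoc != local {
		return Packet{}, errors.New("outbound: source HIT not bound to source address")
	}
	p.SrcLoc = mr.CoA
	return p, nil
}

// Inbound demultiplexes a packet arriving at the MR's care-of address by its
// destination HIT and rewrites the destination locator to the MN's local address.
func (mr *MobileRouter) Inbound(p Packet) (Packet, error) {
	if p.DstLoc != mr.CoA {
		return Packet{}, fmt.Errorf("inbound: not addressed to current CoA %s", mr.CoA)
	}
	local, ok := mr.bindings[p.DstHIT]
	if !ok {
		return Packet{}, fmt.Errorf("inbound: no MN registered for HIT %s", p.DstHIT)
	}
	p.DstLoc = local
	return p, nil
}

func main() {
	// Constructed key bytes and addresses; real HIs are public keys.
	mr := NewMobileRouter([]byte("mr-public-key"), "2001:db8:1::2")
	mnHI := []byte("mn-public-key")
	fmt.Println("MN learned MR HIT:", mr.Register(mnHI, "fd00::10"))
	pkt := Packet{SrcHIT: HITOf(mnHI), DstHIT: HITOf([]byte("cn-public-key")),
		SrcLoc: "fd00::10", DstLoc: "2001:db8:9::1", Payload: "hello"}
	out, _ := mr.Outbound(pkt)
	fmt.Printf("to Internet: src %s (HIT %s)\n", out.SrcLoc, out.SrcHIT)
	mr.Move("2001:db8:2::2") // MR hands off to another AR; MN is unaware
	out, _ = mr.Outbound(pkt)
	fmt.Printf("after move: src %s (HIT %s)\n", out.SrcLoc, out.SrcHIT)
}
```

The check in Outbound that a packet's source HIT is really bound to the local address it arrives from is what keeps the shared care-of address from becoming a way for one registered MN to speak as another; when the MR moves, only CoA changes and the binding table does not, which is the mechanism by which the MR hides network mobility from its MNs.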

Authorizing MR to send BUs
  • MR hides the network mobility from MNs.
  • MNs authorize the MR to send Binding Update messages to CNs on their behalf.

Figure: the MR moves between two ARs, changing its care-of address from MR-CoA1 to MR-CoA2 while the MNs keep MN-CoA1; the MNs have given the MR an authorization, and BU signaling goes from the MR to the RS and the CNs.

Delegating Rights to Signaling Proxy
  • MR may delegate the signaling rights to a trusted signaling proxy.

Figure: the MN authorizes the MR; the MR, attached through an AR, delegates to a signaling proxy in the Internet.
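As an added example (not the speaker's code, nor any HIP stack's), the Go program below implements the delegation chain behind this slide and the previous one: the MN issues an SPKI-style authorization certificate to the MR, the MR issues one to the signaling proxy, and a CN accepts a Binding Update only if the chain from a certificate issued by the MN's own HI down to the BU sender verifies. ed25519 stands in for the HI key type; the certificate and BU encodings, the HITOf form and the Delegate flag are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

type Node struct {
	HI   ed25519.PublicKey // the Host Identifier is the public key itself
	priv ed25519.PrivateKey
}

func NewNode() *Node {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only on a broken RNG
	return &Node{HI: pub, priv: priv}
}

// HITOf hashes an HI into the name used for the principal (a constructed HIT form).
func HITOf(hi ed25519.PublicKey) string {
	sum := sha256.Sum256(hi)
	return hex.EncodeToString(sum[:16])
}

// AuthCert is a constructed SPKI-style certificate: Issuer lets Subject send BUs for
// Principal; Delegate says whether Subject may pass the right on. Validity periods
// and revocation, which real certificates need, are omitted here.
type AuthCert struct {
	Issuer, Subject ed25519.PublicKey
	Principal       string
	Delegate        bool
	Sig             []byte
}

func certBytes(c AuthCert) []byte {
	return []byte(fmt.Sprintf("auth-cert|%x|%x|%s|%t", []byte(c.Issuer), []byte(c.Subject), c.Principal, c.Delegate))
}

func (n *Node) Issue(subject ed25519.PublicKey, principal string, delegate bool) AuthCert {
	c := AuthCert{Issuer: n.HI, Subject: subject, Principal: principal, Delegate: delegate}
	c.Sig = ed25519.Sign(n.priv, certBytes(c))
	return c
}

// BindingUpdate claims "Principal is now at Locator"; Chain proves the Sender's right to say so.
type BindingUpdate struct {
	Principal, Locator string
	Seq                uint32
	Sender             ed25519.PublicKey
	Chain              []AuthCert
	Sig                []byte
}

func buBytes(bu BindingUpdate) []byte {
	return []byte(fmt.Sprintf("bu|%s|%s|%d|%x", bu.Principal, bu.Locator, bu.Seq, []byte(bu.Sender)))
}

func (n *Node) SendBU(principal, locator string, seq uint32, chain []AuthCert) BindingUpdate {
	bu := BindingUpdate{Principal: principal, Locator: locator, Seq: seq, Sender: n.HI, Chain: chain}
	bu.Sig = ed25519.Sign(n.priv, buBytes(bu))
	return bu
}

// VerifyBU is the CN-side check: BU signature, every link of the chain, and that the chain
// ends at the sender. Key lengths are checked first because ed25519.Verify panics on short keys.
func VerifyBU(bu BindingUpdate) error {
	if len(bu.Sender) != ed25519.PublicKeySize || !ed25519.Verify(bu.Sender, buBytes(bu), bu.Sig) {
		return errors.New("BU signature invalid")
	}
	if len(bu.Chain) == 0 { // no delegation: only the principal itself may update its location
		if HITOf(bu.Sender) != bu.Principal {
			return errors.New("sender is not the principal and presents no authorization")
		}
		return nil
	}
	if HITOf(bu.Chain[0].Issuer) != bu.Principal {
		return errors.New("chain does not start with the principal's own certificate")
	}
	for i, c := range bu.Chain {
		if c.Principal != bu.Principal || len(c.Issuer) != ed25519.PublicKeySize || !ed25519.Verify(c.Issuer, certBytes(c), c.Sig) {
			return fmt.Errorf("certificate %d: wrong principal or invalid signature", i)
		}
		if i > 0 && (!bu.Chain[i-1].Subject.Equal(c.Issuer) || !bu.Chain[i-1].Delegate) {
			return fmt.Errorf("certificate %d: not issued by the previous subject, or that subject may not delegate", i)
		}
	}
	if !bu.Chain[len(bu.Chain)-1].Subject.Equal(bu.Sender) {
		return errors.New("BU sender is not the last subject of the chain")
	}
	return nil
}

func main() {
	mn, mr, proxy := NewNode(), NewNode(), NewNode()
	hit := HITOf(mn.HI)
	chain := []AuthCert{mn.Issue(mr.HI, hit, true), mr.Issue(proxy.HI, hit, false)}
	fmt.Println("proxy BU for MN:", VerifyBU(proxy.SendBU(hit, "2001:db8:2::2", 1, chain)))
	fmt.Println("other host reusing the chain:", VerifyBU(NewNode().SendBU(hit, "2001:db8:2::2", 2, chain)))
}
```

The Delegate flag is what lets the MN bound how far its signaling right travels: the MR may hand it to a proxy, but a proxy holding a non-delegable certificate cannot hand it further, and a host that merely possesses the certificates but is not their final subject cannot use them. A deployed verifier would also track Seq per principal to reject replayed BUs and check certificate validity periods.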

Optimizing MR-to-CNs Signaling
  • The signaling proxy sends BUs on behalf of the MNs to CNs.

Figure: the MR, moving from CoA1 to CoA2 across two ARs, sends a single BU to the signaling proxy; the proxy then sends BU signaling to the RS and the CNs.

Reachability Test
  • The peer nodes must verify that the MN really is at the MR's location where the signaling proxy claims it to be.

Figure: the CNs run a challenge-response exchange with the MNs behind the MR, which has moved from CoA1 to CoA2; the RS and the signaling proxy are in the Internet.
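Added example, not from the talk: a Go sketch of the CN-side reachability test that follows a proxy-sent BU. It assumes that the CN and MN share a keyed-MAC key from their HIP association (a constructed value here) and that the MN's reply reaches the CN through the MR at the claimed address; the message layout, the nonce size and the challenge TTL are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// AssocKey is the MAC key the CN shares with one MN (assumed to come from the
// HIP association; constructed in this example).
type AssocKey []byte

// Verifier lives at the peer (CN) and tracks one outstanding challenge per
// (HIT, claimed locator).
type Verifier struct {
	pending map[string]pendingChallenge
	ttl     time.Duration
	now     func() time.Time // injectable clock so expiry can be tested
}

type pendingChallenge struct {
	nonce   []byte
	expires time.Time
}

func NewVerifier(ttl time.Duration, now func() time.Time) *Verifier {
	return &Verifier{pending: map[string]pendingChallenge{}, ttl: ttl, now: now}
}

func pendingKey(hit, locator string) string { return hit + "@" + locator }

// Challenge returns the nonce the CN sends to the claimed locator. Until the
// response verifies, the CN keeps using the locator it already trusts.
func (v *Verifier) Challenge(hit, claimedLocator string) []byte {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	v.pending[pendingKey(hit, claimedLocator)] = pendingChallenge{nonce: nonce, expires: v.now().Add(v.ttl)}
	return nonce
}

// responseMAC binds the nonce to the HIT and the locator, so a response
// captured for one address cannot be presented for another.
func responseMAC(key AssocKey, hit, locator string, nonce []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte("reachability|" + hit + "|" + locator + "|"))
	m.Write(nonce)
	return m.Sum(nil)
}

// Respond is what the MN, reached through the MR, computes and returns.
func Respond(key AssocKey, hit, locator string, nonce []byte) []byte {
	return responseMAC(key, hit, locator, nonce)
}

// Verify accepts a response only if it arrives from the locator that was
// challenged, within the TTL, with the matching nonce and MAC. A challenge is
// consumed on success, so the same response cannot be replayed.
func (v *Verifier) Verify(key AssocKey, hit, fromLocator string, nonce, mac []byte) error {
	k := pendingKey(hit, fromLocator)
	p, ok := v.pending[k]
	if !ok {
		return errors.New("no outstanding challenge for this HIT at this locator")
	}
	if v.now().After(p.expires) {
		delete(v.pending, k)
		return errors.New("challenge expired")
	}
	if subtle.ConstantTimeCompare(nonce, p.nonce) != 1 {
		return errors.New("nonce mismatch")
	}
	if !hmac.Equal(mac, responseMAC(key, hit, fromLocator, nonce)) {
		return errors.New("MAC mismatch")
	}
	delete(v.pending, k)
	return nil
}

func main() {
	key := AssocKey([]byte("constructed-32-byte-assoc-key!!!")) // constructed, not a real key
	mnHIT := "constructed-mn-hit"
	v := NewVerifier(5*time.Second, time.Now)
	nonce := v.Challenge(mnHIT, "2001:db8:2::2") // proxy claimed the MN is now behind CoA2
	resp := Respond(key, mnHIT, "2001:db8:2::2", nonce)
	fmt.Println("response from claimed locator:", v.Verify(key, mnHIT, "2001:db8:2::2", nonce, resp))
	fmt.Println("same response replayed:", v.Verify(key, mnHIT, "2001:db8:2::2", nonce, resp))
}
```

Tracking the challenge per (HIT, claimed locator) and consuming it on success means a response replayed later, relayed from another address, or produced without the association key does not promote the new locator; the CN only switches traffic to the locator the proxy announced once Verify returns nil.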

Optimizing CNs-to-MR Signaling
  • The signaling proxy may hide the regional mobility, acting as an on-the-path Mobility Anchor Point (MAP).

Figure: the signaling proxy & MAP sits at the edge of a MAP domain containing both ARs; the MR sends a single BU to it when it moves between them; the CNs and the RS are outside the domain in the Internet.

Many Roles of a Mobile Router
  • Access router (AR)
  • HI multiplexed locator translation device
  • Mobility Anchor Point (MAP)
  • Mobility signaling proxy
Conclusions
  • The solution is based on the HIP and signaling rights delegation between public-key based HIs.
  • Optimized over-the-air mobility signaling inside a mobile network, and between the mobile network and the Internet.
  • Optimized routing between MNs and peer nodes.
Thank You!

Questions, comments?