8/10/2019 Secure Services
1/22
T-110.7190 Research Seminar on telecom software/29.11.2005/LB
HIP Secure Service Discovery
Leo Bhebhe
Helsinki University of Technology, Department of Computer Science
[email protected]@[email protected]@nokia.com
CONTENTS
Introduction
Services
Service Discovery System
Service Discovery Protocols
Service Discovery mechanism
Security Concerns
Host Identity Protocol
Name Resolution
Secure-i3
HI3
Shortcomings of HIP
Conclusion
Introduction
What is a service?
A service is a component or application that performs work on behalf of a requesting application or client
Services offered by networks in distributed systems, e.g. those offered by printers, copiers, scanners, fax machines
Internet service providers, e.g. conversational (e.g. voice over IP), streaming (video + music), interactive (e.g. gaming), background (e.g. e-mail delivery)
Information services: nearest Pizza Hut, weather forecast, today's flight schedule
Transport services in case of emergency (e.g. car breakdown, lost in the wild, coast guard help, taxi)
Payment services
Etc.
Service Discovery System
Allows users and their devices to discover services over any specific underlying networking technology (e.g., cellular systems, wireless local area networks, DSL)
Independent of the underlying networking technologies, so that it can support heterogeneous and changing network technologies
Not limited to only the traditional client-server based systems
May be realized using peer-to-peer technologies or a combination of client-server and peer-to-peer technologies
SDPs & Security Features Solutions
Protocols compared: SLPv2, Jini, UPnP, Salutation, Bluetooth
Message encryption: symmetric (SSL/TLS); symmetric
Key exchange: asymmetric (SSL/TLS); plain text
Authorization: digital signatures; X.509; password
e.g. UPnP, SLP are built on top of the TCP/IP protocol stack
UPnP
Adding a waist to the protocol stack may give it some basic security
TCP/IP stack with UPnP: Physical; Link (Ethernet, PPP); Network (IP); Transport (TCP, UDP); Application (HTTP, SMTP); HTTP (extension); UPnP API; Application
Stack with a Host Identity layer: Physical; Link (Ethernet, PPP); Network (IP); Host Identity; Transport (TCP, UDP); Application (HTTP, SMTP)
e.g. UPnP, SLP are built on top of the TCP/IP protocol stack
Service Discovery Mechanism
Knowledge of services
Search for services involves two steps
DNS name resolution of end host
Contacting the host directly for data/service
Concern
DNS resolution time (typical resolution time O(log n))
Security: data integrity, i.e. no one else can change the resolution of an entity's name; DoS
Retrieval of data and service [Registration & authentication]
Secure data transmission or service provision
Security
The discovery function is a source of security concern
Security is an integral part of service discovery
Denial of service attacks (DoS) or distributed denial of service attacks (DDoS)
Confidentiality and integrity in service discovery are primary for communication security
Security needs will vary from application to application
Host Identity Protocol
New cryptographic identifiers
Host Identities (HI): the public key of an asymmetric key pair
Host Identity Tags (128 bits) - A hash of the HI
IP addresses as locators
An authentication and key exchange protocol
IPsec ESP transport mode for data traffic security.
Bindings in the current and new architecture
Naming endpoints with HIs provides natural solutions for mobility and multipoint
If an endpoint identified by HI[i] changes its IP address, the host identity layer on the peer of the endpoint will re-resolve HI[i] to find the new IP address.
HIP Base Exchange (Initiator <-> Responder)
I1: trigger exchange [HIT-I, HIT-R]
R1: HIT-R, HIT-I, puzzle, DH-R, PK-R, Sig
I2: HIT-I, HIT-R, SPI-I, solution, DH-I, {PK-I}, Sig
R2: HIT-R, HIT-I, SPI-R, Sig
ESP protected message
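The four messages above, worked through as an added example (not code from the original slides or from any HIP implementation). It is a toy: Host Identities are textbook RSA keys built from Mersenne primes, the Diffie-Hellman group and the puzzle hash are stand-ins, and the `Host`, `make_r1`, `make_i2` and `process_i2` names are this example's own. What it shows is the part of the exchange that matters for DoS resistance: the responder answers I1 with an R1 whose puzzle value I is an HMAC of the HIT pair under a responder secret, so it stores nothing per I1; on I2 it checks the cookie and the puzzle solution before doing any public-key work, and only then verifies the HI/HIT binding and signature and derives ESP keying material.

```python
import hashlib
import hmac
import secrets

# Toy parameters, constructed for illustration only. Real HIP (RFC 5201) uses
# 1024-bit or larger RSA/DSA Host Identities, RFC 3526 MODP Diffie-Hellman groups
# and SHA-1 in the puzzle; only the structure of the exchange is shown here.
TOY_KEYS = {"initiator": (2**127 - 1, 2**89 - 1),     # Mersenne primes used as p, q
            "responder": (2**107 - 1, 2**61 - 1)}
RSA_E = 65537
DH_P, DH_G = 2**127 - 1, 3                             # toy Diffie-Hellman group
PUZZLE_K = 12                                          # puzzle difficulty in bits

R1_FIELDS = ("hit_r", "hit_i", "I", "dh", "hi")
I2_FIELDS = ("hit_i", "hit_r", "spi", "I", "J", "dh", "hi")
R2_FIELDS = ("hit_r", "hit_i", "spi", "mac")


def hit_of(hi):
    """Host Identity Tag: 128-bit hash of the Host Identity (the public key)."""
    return hashlib.sha256(hi).digest()[:16]


def _body(msg, *fields):
    """Bytes covered by a signature: the named fields of the message, in order."""
    return b"".join(msg[f] for f in fields)


def verify(hi, data, sig):
    """Check a toy RSA signature made by the owner of Host Identity `hi`."""
    n, e = int.from_bytes(hi[:32], "big"), int.from_bytes(hi[32:], "big")
    h = int.from_bytes(hashlib.sha256(data).digest()[:20], "big")
    return pow(sig, e, n) == h


class Host:
    def __init__(self, role):
        p, q = TOY_KEYS[role]
        self.n, self.d = p * q, pow(RSA_E, -1, (p - 1) * (q - 1))
        self.hi = self.n.to_bytes(32, "big") + RSA_E.to_bytes(4, "big")   # HI = public key
        self.hit = hit_of(self.hi)
        self.dh_priv = secrets.randbelow(DH_P - 2) + 1
        self.dh_pub = pow(DH_G, self.dh_priv, DH_P).to_bytes(16, "big")
        self.cookie_secret = secrets.token_bytes(32)     # responder side; rotated periodically

    def sign(self, data):
        h = int.from_bytes(hashlib.sha256(data).digest()[:20], "big")   # 160 bits < n
        return pow(h, self.d, self.n)

    def shared_key(self, peer_dh_pub):
        """Keying material for the ESP SAs, derived from the Diffie-Hellman result."""
        s = pow(int.from_bytes(peer_dh_pub, "big"), self.dh_priv, DH_P)
        return hashlib.sha256(s.to_bytes(16, "big")).digest()


def puzzle_ok(I, hit_i, hit_r, J, k=PUZZLE_K):
    """J solves the puzzle when the low-order k bits of H(I | HIT-I | HIT-R | J) are zero."""
    h = int.from_bytes(hashlib.sha256(I + hit_i + hit_r + J).digest(), "big")
    return h & ((1 << k) - 1) == 0


def solve_puzzle(I, hit_i, hit_r, k=PUZZLE_K):
    """Initiator-side brute force: about 2**k hashes of work before the responder keeps state."""
    while True:
        J = secrets.token_bytes(8)
        if puzzle_ok(I, hit_i, hit_r, J, k):
            return J


def make_r1(resp, hit_i):
    """R1 = HIT-R, HIT-I, puzzle, DH-R, PK-R, Sig. The puzzle value I is an HMAC of the
    HIT pair under a responder secret, so no per-I1 state is stored."""
    I = hmac.new(resp.cookie_secret, hit_i + resp.hit, "sha256").digest()[:8]
    r1 = {"hit_r": resp.hit, "hit_i": hit_i, "I": I, "dh": resp.dh_pub, "hi": resp.hi}
    r1["sig"] = resp.sign(_body(r1, *R1_FIELDS))
    return r1


def make_i2(init, r1):
    """Initiator: check that PK-R hashes to the HIT it asked for and that R1 is signed,
    then do the puzzle work and build I2 = HIT-I, HIT-R, SPI-I, solution, DH-I, PK-I, Sig."""
    if hit_of(r1["hi"]) != r1["hit_r"] or not verify(r1["hi"], _body(r1, *R1_FIELDS), r1["sig"]):
        raise ValueError("R1 failed verification")
    i2 = {"hit_i": init.hit, "hit_r": r1["hit_r"], "spi": secrets.token_bytes(4), "I": r1["I"],
          "J": solve_puzzle(r1["I"], init.hit, r1["hit_r"]), "dh": init.dh_pub, "hi": init.hi}
    i2["sig"] = init.sign(_body(i2, *I2_FIELDS))
    return i2


def process_i2(resp, i2):
    """Responder: cheapest checks first (cookie, puzzle), public-key verification last.
    Returns the ESP keying material, or None if I2 is rejected."""
    expected_I = hmac.new(resp.cookie_secret, i2["hit_i"] + resp.hit, "sha256").digest()[:8]
    if not hmac.compare_digest(expected_I, i2["I"]):
        return None                                    # not a puzzle this responder issued
    if not puzzle_ok(i2["I"], i2["hit_i"], resp.hit, i2["J"]):
        return None                                    # no proof of work: drop before any RSA
    if hit_of(i2["hi"]) != i2["hit_i"] or not verify(i2["hi"], _body(i2, *I2_FIELDS), i2["sig"]):
        return None
    return resp.shared_key(i2["dh"])


def run_base_exchange(init, resp):
    """I1, R1, I2, R2; True when both ends hold the same keying material for ESP."""
    r1 = make_r1(resp, init.hit)                       # I1 carries only HIT-I and HIT-R
    i2 = make_i2(init, r1)
    key_r = process_i2(resp, i2)
    if key_r is None:
        return False
    r2 = {"hit_r": resp.hit, "hit_i": init.hit, "spi": secrets.token_bytes(4)}   # SPI-R
    r2["mac"] = hmac.new(key_r, _body(r2, "hit_r", "hit_i", "spi"), "sha256").digest()
    r2["sig"] = resp.sign(_body(r2, *R2_FIELDS))
    key_i = init.shared_key(r1["dh"])                 # initiator's side of the DH computation
    mac_i = hmac.new(key_i, _body(r2, "hit_r", "hit_i", "spi"), "sha256").digest()
    return hmac.compare_digest(mac_i, r2["mac"]) and verify(r1["hi"], _body(r2, *R2_FIELDS), r2["sig"])
```

`run_base_exchange(Host("initiator"), Host("responder"))` returns True. An I2 carrying a puzzle value the responder did not issue, or a PK-I that does not hash to the claimed HIT-I, is rejected by `process_i2` before any key is derived, which is the property the puzzle and the HIT/HI binding are there to give.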
Name Resolution
Figure: the application calls the resolver, which queries the DNS and returns ED [HI, Address]; below the socket layer the stack is Transport, HIP, IPsec, Network.
HIs in the DNS
DNS query asks for addresses and HITs
Requires one to have a DNS name
HITs not resolvable due to name space being flat
DNS resolution time
Possible DoS attacks (knowledge of the DNS server's IP address)
HIP With Rendezvous Server
Mappings are registered at the DNS: FQDN(R) -> HI(R), FQDN(R) -> IP(RVS)
The RVS holds HI(R) -> IP(R); IP(R) is updated at the RVS if it changes
1. Initiator queries the DNS for FQDN(R)
2. DNS returns HI(R), IP(RVS)
3. I1 to IP(RVS)
4. RVS forwards I1 to IP(R)
5. R1
6. I2 to IP(R)
7. R2
Secure Internet Indirection Infrastructure (i3)
Add an efficient indirection layer on top of IP
Use an overlay network to implement it
Incrementally deployable; no need to change IP
When the initiator acquires an ID from the DNS, it sends the packets carrying that ID to the closest i3 node.
The i3 node searches for the matching trigger (id, addr) and sends the packets to the receiver.
Figure: the initiator sends a data packet [ID, DATA] through IP routers to an i3 node; the i3 node holds the trigger [ID, ADDR] and forwards to the receiver; ADDR = IP or [email protected]
DoS Prevention Mechanism (Secure-i3)
1. The sender sends (pubid, data) to the i3 server storing the public id
2. The i3 server storing the public id sends (privid, data) to the i3 server storing the private id
3. The i3 server storing the private id sends (R, data) to the receiver R
4. The receiver sends back to the i3 server storing the private id (S, data) + privid
5. The i3 server storing the private id sends (S, data) + privid to the sender
6. The initiator then sends (privid, data) to the i3 server storing the private id
7. The i3 server storing the private id then forwards (R, data) to the receiver
Figure: the i3 server storing the public id holds the trigger pubid -> privid; the i3 server storing the private id holds the trigger privid -> R.
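The seven steps above as a runnable simulation, added here as an example (not code from the slides or from the i3 project). The overlay, trigger table and the `Overlay`, `Receiver` and `Sender` classes are this example's own simplifications: a single trigger table stands in for all i3 servers, and a trigger maps an id either to a host address or to another id (the pubid -> privid chain). The point it makes beyond the step list is the defensive one: because senders only ever learn a private id, the receiver can drop or rotate that private trigger to shed a misbehaving sender while the public id it advertises stays unchanged.

```python
import secrets


class Overlay:
    """Constructed toy of the i3 overlay: one trigger table shared by all i3 nodes."""

    def __init__(self):
        self.triggers = {}          # id -> ("addr", host address) | ("id", next id)
        self.hosts = {}             # address -> host object with a receive() method

    def attach(self, host):
        self.hosts[host.addr] = host

    def insert(self, trig_id, target):
        self.triggers[trig_id] = target

    def remove(self, trig_id):
        self.triggers.pop(trig_id, None)

    def send(self, trig_id, payload, hops=0):
        """Deliver (id, payload): follow chained triggers until an address is reached."""
        target = self.triggers.get(trig_id)
        if target is None or hops > 8:          # no such trigger (or a loop): dropped in the overlay
            return False
        kind, value = target
        if kind == "id":
            return self.send(value, payload, hops + 1)
        self.hosts[value].receive(payload)
        return True


class Receiver:
    """R advertises pubid; the private id stays inside the overlay until R hands it to a sender."""

    def __init__(self, overlay, addr):
        self.overlay, self.addr = overlay, addr
        self.pubid = secrets.token_hex(8)       # published, e.g. through the DNS
        self.privid = None
        self.received = []
        overlay.attach(self)
        self.rotate_private_id()

    def rotate_private_id(self):
        """Install a fresh private trigger and re-point the public trigger at it.
        Removing the old private id cuts off any sender abusing it without changing pubid."""
        if self.privid is not None:
            self.overlay.remove(self.privid)
        self.privid = secrets.token_hex(8)
        self.overlay.insert(self.privid, ("addr", self.addr))   # server storing the private id
        self.overlay.insert(self.pubid, ("id", self.privid))    # server storing the public id

    def receive(self, payload):
        self.received.append(payload["data"])
        if "from" in payload:                   # steps 4-5: (S, data) + privid back to the sender
            self.overlay.send(payload["from"], {"data": "ok", "privid": self.privid})


class Sender:
    def __init__(self, overlay, addr):
        self.overlay, self.addr = overlay, addr
        self.id = secrets.token_hex(8)          # S: the trigger through which R reaches the sender
        self.learned_privid = None
        overlay.insert(self.id, ("addr", addr))
        overlay.attach(self)

    def receive(self, payload):
        if "privid" in payload:
            self.learned_privid = payload["privid"]

    def first_contact(self, pubid, data):
        """Step 1: (pubid, data); steps 2-3 are the trigger chain inside the overlay."""
        return self.overlay.send(pubid, {"from": self.id, "data": data})

    def send_direct(self, data):
        """Steps 6-7: (privid, data) to the server storing the private id, on to R."""
        return self.overlay.send(self.learned_privid, {"data": data})


def run_secure_i3():
    """Run the seven steps, then show the receiver shedding the private id it handed out."""
    net = Overlay()
    r, s = Receiver(net, "R"), Sender(net, "S")
    via_public = s.first_contact(r.pubid, "hello")
    via_private = s.send_direct("payload")
    learned_ok = s.learned_privid == r.privid
    r.rotate_private_id()                       # mitigation: the old private id no longer routes
    after_rotate = s.send_direct("more")
    return {"via_public": via_public, "via_private": via_private, "learned_ok": learned_ok,
            "after_rotate": after_rotate, "received": list(r.received)}
```

`run_secure_i3()` shows the first packet reaching R through the public trigger, the follow-up reaching R through the learned private id, and the same private id failing once R rotates it, while a new `first_contact` through the unchanged pubid would still succeed.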
Host Internet Indirection Infrastructure (HI3)
Mappings at the DNS: FQDN(R) -> HI(R), FQDN(R) -> IP(RVS)
1. Initiator queries the DNS for FQDN(R)
2. DNS returns HIT, Address
3. I1 to the i3 server storing public triggers, which forwards it to the receiver
4. R1 back to the initiator through the i3 server storing public triggers
5. I2 through the i3 server storing private triggers [private trigger]
6. R2 through the i3 server storing private triggers
IPsec data traffic between initiator and receiver
In HI3, the HIT can act as a trigger.
Problems with NATs
HIP carried directly in the IP payload (IPv6 or IPv4) does not work with current (multiplexing) NATs
NATs do create state for TCP/UDP ports and ICMP codes
They need to be extended to do the same for HITs
Would work well with non-multiplexing (IPv6) NATs
IPv4 over UDP works, but not if the source port is fixed (to 272)
Firewalls and NATs block applications that choose port numbers dynamically
Solution
UDP encapsulation (some firewalls block UDP)
Intercept the flow id during the initial stages
HI3 aware NAT/FWs
HI3 aware NAT/FWs are needed to support simultaneous mobility
Secure trigger insertion mechanism
Intercept the flow identifier during the base exchange
Authenticate requesting HI3 nodes before creating a NAT binding or FW pinhole
Authorize the requesting HI3 nodes
DoS attack resistance
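The four requirements on this slide (intercept the flow identifier during the base exchange, authenticate before creating a binding or pinhole, authorize the requesting nodes, resist DoS) as a toy HI3-aware firewall, added here as an example that is not from the slides or from any real NAT/firewall product. `Hi3Firewall`, the packet dictionaries and the demo addresses are constructed; the firewall has no key store, so signature checking is delegated to a caller-supplied `verify_sig(pkt)` (an assumption), and the demo passes a stand-in verifier. What the state machine shows is the ordering the slide asks for: I1 and R1 are forwarded with no state kept, I2 creates pending state only for an authorized HIT whose HI hashes to it, and ESP pinholes are opened only after R2, bound to the SPIs learned from I2 and R2.

```python
import hashlib


def hit_of(hi):
    """128-bit Host Identity Tag derived from a Host Identity (public key bytes)."""
    return hashlib.sha256(hi).digest()[:16]


class Hi3Firewall:
    """Constructed toy of an HI3-aware stateful firewall.

    Control packets: {"type": "I1"|"R1"|"I2"|"R2", "src", "dst", "hit_i", "hit_r"};
    I2/R2 also carry "hi", "spi" and "sig". Data packets: {"type": "ESP", "src", "dst", "spi"}.
    verify_sig(pkt) is supplied by the caller (assumption: some signature check exists)."""

    def __init__(self, authorized_hits, verify_sig):
        self.authorized = set(authorized_hits)   # HITs allowed to open a pinhole (authorization)
        self.verify_sig = verify_sig
        self.pending = {}                        # (hit_i, hit_r) -> flow identifier learned from I2
        self.pinholes = set()                    # (src, dst, spi) tuples that ESP may use
        self.dropped = []

    def _authenticated(self, pkt, hit_field):
        # The HI carried in the packet must hash to the HIT it claims, and the signature must verify.
        return hit_of(pkt["hi"]) == pkt[hit_field] and self.verify_sig(pkt)

    def _drop(self, pkt):
        self.dropped.append(pkt)
        return False

    def inspect(self, pkt):
        """Return True to forward the packet, False to drop it."""
        kind = pkt["type"]
        if kind in ("I1", "R1"):
            return True                          # forwarded without creating state (DoS resistance)
        if kind == "I2":
            ok = pkt["hit_i"] in self.authorized and self._authenticated(pkt, "hit_i")
            if ok:                               # remember the flow identifier: HIT pair + SPI-I
                self.pending[(pkt["hit_i"], pkt["hit_r"])] = {
                    "init": pkt["src"], "resp": pkt["dst"], "spi_i": pkt["spi"]}
            return ok or self._drop(pkt)
        if kind == "R2":
            st = self.pending.get((pkt["hit_i"], pkt["hit_r"]))
            ok = (st is not None and pkt["src"] == st["resp"] and pkt["dst"] == st["init"]
                  and self._authenticated(pkt, "hit_r"))
            if ok:                               # open pinholes only now, bound to both SPIs
                self.pinholes.add((st["init"], st["resp"], pkt["spi"]))   # SPI-R on traffic to R
                self.pinholes.add((st["resp"], st["init"], st["spi_i"]))  # SPI-I on traffic to I
                del self.pending[(pkt["hit_i"], pkt["hit_r"])]
            return ok or self._drop(pkt)
        if kind == "ESP":
            return (pkt["src"], pkt["dst"], pkt["spi"]) in self.pinholes or self._drop(pkt)
        return self._drop(pkt)


def demo():
    """Constructed walk-through: one base exchange, then ESP with a known and an unknown SPI."""
    hi_i, hi_r = b"initiator-public-key", b"responder-public-key"     # stand-in HIs
    hit_i, hit_r = hit_of(hi_i), hit_of(hi_r)

    def tag(p):                                  # stand-in for a real HIP signature
        return hashlib.sha256(p["hi"] + p["hit_i"] + p["hit_r"] + p["spi"]).digest()

    fw = Hi3Firewall(authorized_hits=[hit_i], verify_sig=lambda p: p["sig"] == tag(p))
    base = {"src": "10.0.0.1", "dst": "192.0.2.1", "hit_i": hit_i, "hit_r": hit_r}
    i2 = dict(base, type="I2", hi=hi_i, spi=b"\x00\x00\x00\x01")
    i2["sig"] = tag(i2)
    r2 = dict(base, type="R2", src="192.0.2.1", dst="10.0.0.1", hi=hi_r, spi=b"\x00\x00\x00\x02")
    r2["sig"] = tag(r2)
    esp_ok = {"type": "ESP", "src": "10.0.0.1", "dst": "192.0.2.1", "spi": b"\x00\x00\x00\x02"}
    esp_bad = {"type": "ESP", "src": "10.0.0.1", "dst": "192.0.2.1", "spi": b"\x00\x00\x00\x09"}
    return [fw.inspect(dict(base, type="I1")), fw.inspect(i2), fw.inspect(r2),
            fw.inspect(esp_ok), fw.inspect(esp_bad)]
```

`demo()` returns `[True, True, True, True, False]`: the exchange passes, ESP on the SPI learned from R2 passes, and ESP on any other SPI is dropped. An R2 with no preceding I2, or an I2 from a HIT not in the authorized set, is dropped without leaving any state behind.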
QoS
Service ability aims at explaining how well a customer is served
Service discovery mechanisms lack the ability to discover and negotiate the QoS services supported by devices or required by users
QoS service verification: users' experience, your friends' knowledge
Resolution service providers
Form a competitive economic model, a cooperating market much like ISPs
Incentives would come from how well they served their customers
Conclusion
The Host Identity Protocol (HIP) uses cryptographic host identities to provide secure and efficient end-to-end communication without requiring a distributed key authority. However, HIP can be vulnerable to attacks and requires supporting infrastructure, such as secure-i3 and HI3 aware NAT/FWs, to support secure service discovery.
For HIP to be used for dynamic service discovery in a heterogeneous network, a lot of protocols need to be changed to support HIP, and terminals, just like the heterogeneous networks, need to be HIP aware.
It is possible to implement, but it requires joint forces from all governments to make this happen, and as usual a good business case should substantiate the need.
Currently HIP is undergoing tests and specification, and it is too early to think about its deployment.
However, the HI3 infrastructure looks promising compared to the current Internet. Functionalities like multicast, anycast and service composition are still an issue and need further work.