Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

OVERLAY PRIVATE IP ADDRESS NETWORKS OVER WIDE AREA ETHERNET

advertisement 
Asami Laboratory, The University of Tokyo
ITU-T Kaleidoscope Conference
Innovations in NGN
OVERLAY PRIVATE IP
ADDRESS NETWORKS OVER
WIDE AREA ETHERNET
L.N.Bui, Y.Kawahara, T.Asami
Asami Laboratory, The University of Tokyo
M.Tatipamula
Strategy and planning, Juniper Networks
Geneva, 12-13 May 2008
Asami Laboratory, The University of Tokyo
Outline
1.
2.
3.
4.
Introduction
Research purpose
Proposal
2 proposed methods
1.
2.
MIP+PPPoE
MIP+VLAN
5. Evaluation
2
Asami Laboratory, The University of Tokyo
1.Introduction
„The typical method to remote access to corporate network is PPP+VPN
‡A mobile node belongs to two layer 3 administration domains (ISP and corporate network) ‡Disadvantages:
„Cannot prevent malicious activities caused by the use of mobile node outside of the corporation. „The inconvenience for users working outside of the corporation. „Many of corporate networks use private IP address.
„Wide area Ethernet services have become popular but most of the VLAN configuration is set up manually.
3
Asami Laboratory, The University of Tokyo
2.Research purpose
„Overlay private IP address networks over Wide area Ethernet with low management cost.
‡Sub goals:
„Unify remote access to one layer 3 administration domain and one layer 2 administration domain.
„Unify the layer 2 access to the carrier and layer 3 access to the corporate network
‡Advantages:
„A mobile node which belongs to the corporation is always under its security policy. „The access to corporate network is unchanged at outside or inside of the corporation
4
Asami Laboratory, The University of Tokyo
2.Research purpose
„Replace PPP+VPN method with a better security and lower management cost protocol PPP
Internet
Internet
Wide area Ethernet
PC
ISP
Edge Switch
BAS
(PPPoE server)
VPN
5
Corporate
network
Asami Laboratory, The University of Tokyo
3.Proposal
„The proposal is based on Mobile IP (MIP)
‡Why Mobile IP?
„3GPP2 MIP is used in 3G cellular network. This architecture is similar to our object.
„Layer 3 access to corporate network and layer 2 access to carrier can be unified by FA‐mode Mobile IP
‡Other problems if using MIP for Wide area Ethernet:
„1. Conflict over IP address „2. Security inside the Ethernet
„3. Efficient multicast
„2 proposed methods:MIP+PPPoE and MIP+VLAN
6
Asami Laboratory, The University of Tokyo
3.FA‐mode Mobile IP (MIPv4)
„Two IPv6 version of MIP (MIPv6 and NEMO) are not suitable
Home Agent
(HA)
Home network
(HN)
MN
HoA CN Data
Moved
(1)
CoA HA HoA CN Data
IP
nn
tu
Correspondent Node
(CN)
(2)
FA
HA
CN
Agent Advertisement (AA)
Registration Request (RQ)
el
(3)
Foreign Agent
(FA)
HoA CN Data Mobile Node
MN
Foreign network
(FN)
Registration Reply (RR)
MN-CN Communication
Operating of MIPv4 MIPv4 architecture
7
Asami Laboratory, The University of Tokyo
4.1 MIP+PPPoE
„Problems solved by 3GPP2 MIP(FA=PPPoE server) used for Wide area Ethernet:
‡IP address conflict problem can be solved. ARP is not used.
‡Security in the Ethernet: communication between MN and FA is through PPPoE session.
„Other disadvantages if original 3GPP2 MIP is used for Wide area Ethernet:
‡Large bandwidth is needed to unicast AA frame to all MNs
through PPP session.
‡MN uses PPPoE at HN, multicast cannot be used at HN.
8
Asami Laboratory, The University of Tokyo
4.1 Implementation of MIP+PPPoE
„The difference of MIP+PPPoE from 3GPP2 MIP: ‡MN uses ARP at HN as normal and uses PPPoE at FN
‡MIP handshake is unified with PPPoE Discovery stage.
‡MN receives broadcast frame AA before starting PPP session.
‡ After specified time of PPPoE session idle, MN terminates the PPP session and changes to normal ARP. 3GPP2 MIP PPPoE Discovery →PPPoE Login→AA→RQ→RR
for Ethernet
MIP handshake
MIP+PPPoE
AA→RQ→RR→PPPoE Login
MIP handshake
9
Asami Laboratory, The University of Tokyo
4.1 Operating of MIP+PPPoE
Mobile
Node
MN
Foreign
Agent
FA
Home
Agent
HA
Correspondent
Node
CN
Broadcast AA (PADO)
(1)
Unicast RQ (PADR)
PPPoE Discovery
+ MIP handshake
(2)
Unicast RR (PADS)
(3)
Start PPP session
(4)
(5) LCP negotiation
(6)
IPCP negotiation
PPP session
MN-CN PPP Communication
●:implementation point
■:frames forward
10
Asami Laboratory, The University of Tokyo
4.2 MIP+VLAN
„MIP+PPPoE cannot support multicast among the group of MNs from a same HN.
„VLAN can be used to divide the Wide area Ethernet into logical networks.
„MIP+VLAN:
‡Edge switch automatically learns the VLAN of MN, which is corresponded to its HN
‡Edge switch tags the I‐tag to all frames sent by MN
IEEE 802.1ah Ethernet frame format
B-DA B-SA
B-TAG
I-Tag
C-DA
11
C-TAG
C-SA optional
Len/
Type
Client
Data
FCS
Asami Laboratory, The University of Tokyo
4.2 Implementation of MIP+VLAN
Static setup:
VLAN table of SW X
Foreign Agent
(FA)
Home Agent
(HA)
RR
RQ
RR VLAN1
AA
IP tunnel
MN
3
2
AA
Core
1
Switch X
Edge
Switch A 3
RR
1 AA
AA
RQ
N2
VLAN2
Port
Port
VLAN
1
2
3
…….....
VLAN
1
2
3
VLAN0
1
1
1
1
VLAN0
1
1
1
VLAN1
1
1
1
1
VLAN2
1
1
1
1
……
Wide area
Ethernet
Port‐VLAN table of SW A N1
VLAN1
2
VLAN0 is used for VLAN handshake
Dynamic setup :
MAC address – VLAN table of SW A
RQ
FA B-Tag VLAN1 MN
VLAN
MAC-N2
VLAN2
MAC-MN
VLAN1
VLAN0
….....
Sw A
Registration Reply:
MAC-address
12
………
1
Asami Laboratory, The University of Tokyo
4.2 Operating of MIP+VLAN
Mobile
Node
MN
Edge
Switch
SW
Foreign
Agent
FA
Home
Agent
HA
Correspondent
Node
CN
Broadcast AA (VLAN0)
(1)
Unicast Registration Request (VLAN0)
(2)
(3)
Learn MAC address of MN
(4)
Unicast Registration Reply (VLAN1)
Learn VLAN of MN
MN-CN Communication
●:implementation point
13
■:frames forward
(5)
Asami Laboratory, The University of Tokyo
4.2 MIP+VLAN messages’ frame Agent Advertisement (AA): FA→ every MN, FA tags VLAN0
ff.ff.ff.
ff.ff.ff
MAC-FA B-TAG
VLAN0
ff.ff.ff.
ff.ff.ff
Len/
Type
MAC-FA
Agent
Advertisement
FCS
Registration Request (RQ): MN→FA, SW A tags VLAN0
MAC-FA
MAC
-Sw A
B-TAG
VLAN0
MAC-FA
Len/
Type
MAC-MN
Registration
Request
FCS
Registration Reply (RR) :FA→MN, FA tags VLAN1, SW A learns VLAN1
MACSw A
MAC-FA B-TAG
VLAN1
MAC-MN MAC-FA
C-TAG
optional
Len/
Type
Registration
Reply
FCS
Data
FCS
User data frame: MN→CN, SW A tags VLAN1
FA
Or
Sw B
MACSw A
B-TAG
VLAN1
MAC-CN
14
MAC-MN
C-TAG Len/
optionalType
Asami Laboratory, The University of Tokyo
4.2 Problems solved by MIP+VLAN
„IP address conflict problem can be solved. MNs from different HN are divided into different VLAN group.
„Security in the Ethernet: 2 ways for an attacker to join the VLAN of MN
‡A)Cheating in the VLAN handshake:
‐> VLAN handshake is unified with MIP handshake. Access challenge responsibility is on the corporate network.
‡B)Replacing MN with an other device after the VLAN handshake
‐> MAC‐VLAN mode of edge switch is used
„Multicast: can be used in each VLAN group.
15
Asami Laboratory, The University of Tokyo
5.Qualitative evaluation
Evaluation index
1.
2.
3.
4.
5.
PPP+VPN MIP+PPPoE
Unify the administration domain ‐> better security
Unify the access authentication ‐> easier remote access
Group multicast
No new protocol for MN
No new function for edge switch
○:yes
×:no
16
MIP+VLAN
×
○
○
×
○
○
×
×
×
○
○
○
×
Asami Laboratory, The University of Tokyo
5.Implementation cost
„FA is made by extending function of BAS.
„The operating of methods need to be standardized.
„MIP+PPPoE:
‡MIP handshake frames are in ICMP format. PPPoE Discovery frames are in PPPoE format.
‐> High implementation cost for making a new protocol.
„MIP+VLAN:
‡Original MIPv4 protocol can be used together with IEEE802.1ah.
‡VLAN automatic learning function can be easily implemented to switches by a remote server.
‐> Low implementation cost.
17
Asami Laboratory, The University of Tokyo
5.Quantitative evaluation
„Quantitative evaluation of access delay:
‡MIPv4 handshake and VLAN: use Qualnet simulator
‡PPPoE: measured by Linux’s rp‐PPPoE software
a) MIP+PPPoE or 3GPP2 MIP used for Ethernet
IP-in-IP tunnel
CN
HA
FA
PPPoE
MN
b) MIP+VLAN
IP-in-IP tunnel
CN
HA
FA
18
VLAN
SW
MN
Asami Laboratory, The University of Tokyo
5.Quantitative evaluation
„Calculated access delay for each method
‡AA time interval is set to be 1 sec in Qualnet simulation
Method
Each access step and delay
(millisecond)
Access delay
(millisecond)
3GPP2 MIP
for Ethernet
PPPoE discovery
PPPoE login
MIP handshake
5.14
1013.79
1009.86
MIP+PPPoE
PPPoE discovery &MIP hs
PPPoE login
1010.44
1012.14
MIP+VLAN
2028.79
2022.58
1013.11
MIP&VLAN handshake
1013.11
19
Asami Laboratory, The University of Tokyo
Conclusion
„Purpose: Overlay private IP address networks over Wide area Ethernet with low management cost.
„Two proposed methods based on FA‐mode Mobile IP:
‡MIP+PPPoE
‡MIP+VLAN
„MIP+VLAN has more advantages
„Future works:
‡Layer 2 encryption and wireless security.
‡Scability for the Wide area Ethernet service which supports mobility of devices. 20
Asami Laboratory, The University of Tokyo
Thank you for your attention !
21
Related documents
Northampton Community College CISC271a – CCNA 3
Northampton Community College CISC271a – CCNA 3
Friends of MIP December 10, 2013 In attendance: Principal Scholl
Friends of MIP December 10, 2013 In attendance: Principal Scholl
MIP Board Meeting December 5, 2012 In attendance: Principal
MIP Board Meeting December 5, 2012 In attendance: Principal
Presentation
Presentation
Prevent-Teach-Reinforce (PTR)
Prevent-Teach-Reinforce (PTR)
ABSTRACT The development of Mobile IP technology
ABSTRACT The development of Mobile IP technology
Download
advertisement