Securing Access to Mobile Operator Core Networks using IKEv2 Master’s Thesis 16.1.2006

Securing Access to Mobile Operator Core Networks using IKEv2
Master’s Thesis, 16.1.2006
Author: Pekka Nurmi
Supervisor: Joerg Ott
July 24, 2016
Agenda
• Background
• Methodology
• Security Protocols for IP Networks
• Operator’s Network Architectures
• Testing IKEv2 Implementations
• Feasibility in Operator’s Environment
• Conclusions
Background
• The amount and the value of Internet traffic grow
• Networks are insecure, and the risks grow with the traffic
• IP based networks -> IP security (IPsec)
– Enhanced version of IPsec defined by the IETF in December 2005
• New key exchange protocol IKEv2
– more efficient
– more secure
• First implementations during 2006
– need for testing in a Mobile Operator’s environment
” Are IKEv2 based Virtual Private Networks (VPNs) feasible in an operator’s network environment? ”
Methodology
• The study is conducted in three parts
1. Literature study
– Security protocols for IP networks (IETF)
– Operator’s network Architectures (3GPP)
2. Testing
– 3 Cases = 3 different IKEv2 implementations
– Measurements using network analyzer tools
3. Feasibility evaluation
– Operator solutions
– Issues and improvements
Security Protocols for IP networks 1/3
IPsec
• creates VPN tunnels and provides security for the insecure IP protocol
• access control, connectionless integrity, data origin authentication, confidentiality, and anti-replay protection
• Security protocols
– Encapsulating Security Payload (ESP)
– Authentication Header (AH)
• Key management
– Internet Key Exchange (IKEv2)
[Figure: Transport Mode, Client to Client across the Internet; Tunnel Mode, Client to PDG across the Internet]
[Figure: plain Original IP packet = Original IP header | TCP | Data. ESP in Tunnel Mode = New IP header | ESP | Original IP header | TCP | Data | ESP trailer | ESP ICV; encryption covers the original IP packet and the ESP trailer, and integrity (encr. + integrity) additionally covers the ESP header]
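The tunnel-mode figure and the service list above (integrity, confidentiality, anti-replay) can be made concrete on the ESP packet itself. The following Python is an added example, not code from the thesis or from any of the tested implementations: it builds an ESP tunnel-mode packet according to RFC 4303, reports which byte ranges the encryption and the ICV cover, and verifies the ICV and a 64-entry anti-replay window on receipt. The ICV is a real HMAC-SHA1-96 (RFC 2404); the confidentiality transform is a keystream-XOR stand-in so the block runs on the standard library alone, and the keys and inner packet are constructed sample values.

```python
"""ESP tunnel-mode encapsulation, integrity check and anti-replay window.

Added example, not code from the thesis. The packet layout follows RFC 4303
and the ICV is HMAC-SHA1-96 (RFC 2404). The confidentiality transform is a
keystream-XOR STAND-IN so the example runs on the standard library alone; it
only marks which bytes a real cipher (e.g. AES-CBC) would cover and is not
secure. Keys and the inner packet are constructed sample values.
"""
import hashlib
import hmac
import struct

NEXT_HEADER_IPIP = 4   # tunnel mode: the ESP payload is a whole IPv4 packet
BLOCK = 16             # pad the plaintext to a 128-bit cipher block boundary
ICV_LEN = 12           # HMAC-SHA1-96: first 96 bits of the HMAC
REPLAY_WINDOW = 64     # sliding window of accepted sequence numbers


def stand_in_encrypt(key: bytes, data: bytes) -> bytes:
    """Placeholder transform (SHA-256 keystream XOR); symmetric, NOT a real cipher."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(spi: int, seq: int, enc_key: bytes, auth_key: bytes, inner: bytes) -> bytes:
    """Build: SPI | seq | enc(inner | padding | pad len | next header) | ICV.
    Encryption covers the original packet and the ESP trailer; the ICV covers
    the ESP header plus everything encrypted (the figure's 'encr. + integrity')."""
    pad_len = (-(len(inner) + 2)) % BLOCK
    padding = bytes(range(1, pad_len + 1))            # RFC 4303 default pad bytes 1,2,3,...
    trailer = padding + bytes([pad_len, NEXT_HEADER_IPIP])
    header = struct.pack("!II", spi, seq)
    body = stand_in_encrypt(enc_key, inner + trailer)
    icv = hmac.new(auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
    return header + body + icv


def esp_coverage(packet: bytes) -> dict:
    """Byte ranges [start, end) of the two protections, matching the tunnel-mode figure."""
    end = len(packet) - ICV_LEN
    return {"integrity": (0, end), "encrypted": (8, end)}


class EspReceiver:
    """Inbound SA state: keys plus the anti-replay window (RFC 4303 section 3.4.3)."""

    def __init__(self, enc_key: bytes, auth_key: bytes):
        self.enc_key, self.auth_key = enc_key, auth_key
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number highest - i already received

    def _replay_ok(self, seq: int) -> bool:
        if seq == 0:
            return False                                   # 0 is never a valid ESP sequence number
        if seq > self.highest:                             # window slides forward
            self.bitmap = ((self.bitmap << (seq - self.highest)) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= REPLAY_WINDOW or self.bitmap & (1 << diff):
            return False                                   # too old, or already seen
        self.bitmap |= 1 << diff
        return True

    def decapsulate(self, packet: bytes):
        """Verify the ICV, then the replay window, then decrypt; None on any failure.
        The window is updated only after a genuine ICV, so forged packets cannot poison it."""
        if len(packet) < 8 + 2 + ICV_LEN:
            return None
        header, body, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, header + body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None
        _spi, seq = struct.unpack("!II", header)
        if not self._replay_ok(seq):
            return None
        plain = stand_in_encrypt(self.enc_key, body)
        pad_len, next_header = plain[-2], plain[-1]
        if next_header != NEXT_HEADER_IPIP or pad_len + 2 > len(plain):
            return None
        return plain[:len(plain) - 2 - pad_len]


# Constructed sample values (not from the thesis): a fake 20-byte IPv4 header plus 16 bytes of payload
ENC_KEY = b"constructed-enc-key-0000"
AUTH_KEY = b"constructed-auth-key-000"
INNER = bytes.fromhex("4500002c00010000401100000a0000010a000002") + b"client->PDG data"

if __name__ == "__main__":
    rx = EspReceiver(ENC_KEY, AUTH_KEY)
    pkt = esp_encapsulate(0x1000, 1, ENC_KEY, AUTH_KEY, INNER)
    print(esp_coverage(pkt), rx.decapsulate(pkt) == INNER, rx.decapsulate(pkt))
```

The receiver checks the ICV before touching the replay window, so a forged or bit-flipped packet neither consumes a sequence number nor slides the window; a late-but-genuine packet inside the window is still accepted, and a second copy of any accepted packet is dropped.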
Security Protocols for IP networks 2/3
IKEv2
• Key negotiation protocol for performing mutual authentication and
setting up IPsec security associations
• 4 message exchanges
– IKE_SA_INIT and IKE_AUTH
– CREATE_CHILD_SA
– INFORMATIONAL
MOBIKE
• IKEv2 Mobility and Multihoming protocol
• VPN client can move and change address without breaking the SA
• New protocol; no implementations tested yet
Security Protocols for IP networks 3/3
IKEv2 authentication in operator’s network
• AAA protocol (RADIUS, Diameter)
• EAP-SIM
– SIM card based authentication
• EAP-AKA
– for 3G
[Figure: VPN client (IKEv2 Initiator) runs the IKEv2 exchange carrying EAP with the IKEv2 Responder (VPN GW), which relays the EAP authentication over an AAA protocol to the AAA Server in the trusted Corporate Network]
Operator’s Network Architectures 1/3
• Access Networks
– GERAN / UTRAN
– WLAN
• Core Network
– CS & PS domains
– AAA services
– IMS services
[Figure: 3GPP Rel 6 Core Networks. The UE attaches over GERAN (BTS, BSC), UTRAN (Node B, RNC) or WLAN (AP, Access Router, WAG, PDG). Core network: CS domain (MSC, MGW, PSTN), PS domain (SGSN, GGSN, Internet / Intranet), HLR, HSS, AAA, IMS (CSCF, MGCF, MGW)]
Operator’s Network Architectures 2/3
• IMS services using IKEv2
– Tunneled connection to the operator’s PDG
[Figure: the UE reaches the IMS (CSCF, MGCF, BGCF, SGW, MGW, HSS, SLF, ...) either over the RAN and GGSN or over WLAN through an IKEv2 exchange with the PDG]
MGCF – Media Gateway Control Function
BGCF – Breakout GCF
SGW – Security Gateway
CSCF – Call Session Control Function
SLF – Subscriber Location Function
MGW – Media Gateway
Operator’s Network Architectures 3/3
• Mobility management in IKEv2 (in 3GPP2)
– MOBIKE for intra Access Network handoff
– MIP for inter AN handoff
[Figure: WLAN AN and UTRAN attached to the Core Network PDG; MOBIKE handles intra-AN handoff, MIP handles inter-AN handoff]
Testing IKEv2 Implementations 1/3
• Case 1
– IP based solution
– laptop client (Linux)
• Case 2
– IP based solution
– Mobile phone client (Symbian S60)
• Case 3
– 3G and IP based solution (TTG)
– 2 clients
– Laptop (Windows XP)
– PDA (Windows Mobile 5.0)
[Figure: WLAN UE attaches over WLAN and the WAG to the PDG / TTG (a subset of GGSN functions), with the AAA server and the IP network behind it]
Testing IKEv2 Implementations 2/3
• Test Case Architectures
• Cases 1 & 2
[Figure: WLAN UE (Case 1) and WLAN UE (Case 2) attach via the WLAN AN and a FW / Router over the Internet to the PDG, with the AAA Server, HLR and Management behind it]
Testing IKEv2 Implementations 3/3
• Case 3
[Figure: WLAN UE and 2G/3G Client reach the TTG either via the WLAN AN and WAG / AC over the Internet, or via GERAN/UTRAN and the SGSN to the GGSN; TTG, PDG, AAA Server, HLR, DNS and Management sit in the operator’s network]
Testing IKEv2 Implementations 4/4
Measurement results

Client                       Case 1      Case 2          Case 3 (laptop)   Case 3 (PDA)
test device                  laptop      mobile phone    laptop            PDA
OS                           Linux       Symbian S60     Windows XP        Windows Mobile 5.0
WLAN option                  yes         yes             yes               yes
integrated 3G/GPRS option    no          no              yes*              yes
LAN option                   yes         no              no                no
interoperability options     fair        poor            poor              poor
cryptographic suites         4 + more    1               1                 1
simultaneous IKE SAs         4           1               1                 1
Tested services (WAP / Mobile TV; IMS / videoshare&IM): marks as extracted are Case 1: -; Case 2: X, -; Case 3: X, - (which mark belongs to which service row is not recoverable from the extraction)
* = works with specific vendor's 3G cards

                                                  Case 1*   Case 2   Case 3
number of packets: ike_sa_init                    2         2        2
number of packets: ike_auth                       10        10       8
number of packets: radius/eap-sim                 6         8        6+2
number of packets: re-transmitted (avg)           0         0        1
time [s]: IKEv2 tunnel                            1.480     9.390    2.008
avg size of the packets [B]: ike_sa_init          352       361      419
avg size of the packets [B]: ike_auth             185       327      282
avg size of the packets [B]: radius               217       355      179
total size [kB]: all packets                      3.856     6.831    4.679
total size [kB]: without re-transmissions         3.856     6.831    4.527
[Chart: time [s] per case (Case1, Case2, Case3), y-axis 0 to 10, each bar split into RADIUS/EAP-SIM and IKE tunnel]
* = uses ready-configured IMSI and HLR simulator
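The four IKEv2 exchanges listed on slide 6 and the packet counts, average sizes and re-transmission accounting in the table above can be worked through on the IKE header itself. The following Python is an added example, not code from the thesis or from any tested implementation: it parses the fixed 28-byte IKEv2 header (RFC 4306), maps the exchange-type number to the exchange name, and computes the same per-exchange counts over a capture, excluding re-transmissions (a repeated message ID in the same direction) from the size totals exactly as the table's "without re-transmissions" row does. The sample datagrams, their SPIs and their payload sizes are constructed for the example.

```python
"""IKEv2 header parsing and per-exchange traffic accounting.

Added example, not code from the thesis. The 28-byte header layout and the
exchange-type numbers are from RFC 4306; the datagrams below are constructed
(header fields plus zero-filled payloads of chosen sizes) and carry no real
IKE payloads.
"""
import struct
from collections import defaultdict

# SPIi, SPIr, next payload, version, exchange type, flags, message ID, length
IKE_HEADER = struct.Struct("!8s8sBBBBII")
IKE_HEADER_LEN = IKE_HEADER.size            # 28 bytes
EXCHANGE_NAMES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20  # RFC 4306 flag bits I and R
PAYLOAD_SA = 33                             # next-payload value used in the constructed headers


def parse_ike_header(datagram: bytes) -> dict:
    """Decode the fixed IKEv2 header; raise ValueError on anything malformed."""
    if len(datagram) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, _next, version, exchange, flags, msg_id, length = IKE_HEADER.unpack_from(datagram)
    if version >> 4 != 2:
        raise ValueError(f"not IKEv2 (major version {version >> 4})")
    if length != len(datagram):
        raise ValueError("length field does not match datagram size")
    if exchange not in EXCHANGE_NAMES:
        raise ValueError(f"unknown exchange type {exchange}")
    return {"spi_i": spi_i, "spi_r": spi_r, "exchange": EXCHANGE_NAMES[exchange],
            "initiator": bool(flags & FLAG_INITIATOR), "response": bool(flags & FLAG_RESPONSE),
            "msg_id": msg_id, "length": length}


def summarize(datagrams) -> dict:
    """Per exchange: packets, bytes, average size, and re-transmissions.
    A re-transmission is the same (SPIs, message ID, direction) seen again; like
    the thesis table's 'without re-transmissions' row it is left out of the sizes."""
    stats = defaultdict(lambda: {"packets": 0, "retransmitted": 0, "bytes": 0})
    seen = set()
    for dgram in datagrams:
        h = parse_ike_header(dgram)
        s = stats[h["exchange"]]
        key = (h["spi_i"], h["spi_r"], h["msg_id"], h["response"])
        if key in seen:
            s["retransmitted"] += 1
            continue
        seen.add(key)
        s["packets"] += 1
        s["bytes"] += h["length"]
    return {ex: dict(s, avg_size=s["bytes"] // s["packets"]) for ex, s in stats.items()}


def build(spi_i: bytes, spi_r: bytes, exchange: int, flags: int, msg_id: int, payload_len: int) -> bytes:
    """Constructed datagram: a valid header followed by a zero-filled payload of the given size."""
    length = IKE_HEADER_LEN + payload_len
    return IKE_HEADER.pack(spi_i, spi_r, PAYLOAD_SA, 0x20, exchange, flags, msg_id, length) + bytes(payload_len)


def sample_capture() -> list:
    """Constructed capture: IKE_SA_INIT, IKE_AUTH (with one re-transmitted request), INFORMATIONAL."""
    spi_i, spi_r = b"\x01" * 8, b"\x02" * 8
    req, resp = FLAG_INITIATOR, FLAG_RESPONSE
    auth_req_2 = build(spi_i, spi_r, 35, req, 2, 72)
    return [
        build(spi_i, bytes(8), 34, req, 0, 300),   # IKE_SA_INIT request: responder SPI still zero
        build(spi_i, spi_r, 34, resp, 0, 280),     # IKE_SA_INIT response
        build(spi_i, spi_r, 35, req, 1, 172),      # IKE_AUTH, first round trip
        build(spi_i, spi_r, 35, resp, 1, 100),
        auth_req_2,                                # IKE_AUTH, second round trip (e.g. EAP)
        auth_req_2,                                # the same request again: a re-transmission
        build(spi_i, spi_r, 35, resp, 2, 132),
        build(spi_i, spi_r, 37, req, 3, 52),       # INFORMATIONAL exchange
        build(spi_i, spi_r, 37, resp, 3, 4),
    ]


if __name__ == "__main__":
    for exchange, s in summarize(sample_capture()).items():
        print(f"{exchange:16} packets={s['packets']} retransmitted={s['retransmitted']} avg_size={s['avg_size']} B")
```

Point `summarize()` at UDP/500 or UDP/4500 payloads from a real capture (NAT-T traffic needs the 4-byte non-ESP marker stripped first) and the output gives the same per-exchange figures the thesis tabulates; the length-field check also rejects datagrams whose header disagrees with the bytes actually received.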
Feasibility in Operator’s Environment 1/4
• Present Situation
– Approx. 86 % of organizations (turnover >10M€) in Finland used VPN solutions already in 2005.
– Nearly 70% of mobile workers used VPN by 2006 in the U.S.
– IPsec is the most popular VPN technology
– VPN business is centralized between a few big vendors
[Chart: share of VPN technologies 2003 to 2008, y-axis 0 % to 100 %: IPsec, MPLS, MPLS/IPsec, SSL]
Feasibility in Operator’s Environment 2/4
• Solution 1
– Hosted VPN access to an enterprise’s intranet
– Same service for the 3G and IP (e.g. WLAN) access
– SIM-card based authentication in both cases
[Figure: the UE reaches the Intranet through the Operator’s network either over 2G/3G via the SGSN and GGSN, or over any IP access network via an IKEv2 tunnel to the PDG; the AAA Server sits in the operator’s network]
Feasibility in Operator’s Environment 3/4
• Solution 2
– Bundle several secure network access elements in one package
Operator’s customer package
– Laptop/mobile phone
– 3G and WLAN
– SIM-card
– IKEv2/IMS VPN client
– for enterprises and consumers
[Figure: Mobile device with USIM-card reader, USIM card and IKEv2/IMS VPN client; the operator provides GPRS/3G/HSDPA/WLAN connectivity, the PDG, AAA services, the Operator’s Network services and Access to intra-/internet]
Feasibility in Operator’s Environment 4/4
• Issues and Improvements
1. Choices for Clients
2. Interoperability
3. Mobility management
4. Signalling traffic optimization
Conclusions
• Secure connections are needed
• IKEv2 and IPsec specifications provide enhanced IP security
• IKEv2 implementations appear to be promising technology
• A few important issues to solve with every tested implementation
• IMS services can be used safely through an IKEv2 tunnel
• Large-scale scalability testing needed
• The old security solutions are still valid, but for how long?