
Securing Mobile Networks
An Enabling Technology for National and International Security and Beyond

Goals for November 6th

Highlight Mobile Networking Technology
Discuss security policy
    Emphasizing National and International Security today due to time limitations.
    Enabling shared infrastructure (when reasonable)
Next Steps (Afternoon Session)
Other Items (Afternoon Session)

Today's Audience

Big Picture People
    Policy Makers
    Media
Code Writers
Implementers

Please, don't be afraid to ask questions.

Neah Bay / Mobile Router Project

Figure (labels recovered): the Neah Bay, outside of wireless LAN range, connected to a Foreign-Agent via Globalstar; the Neah Bay connected to a Foreign-Agent via wireless LAN at Cleveland harbor; Foreign-Agents at Detroit, Cleveland and Somewhere, USA; Home-Agent at Anywhere, USA; all reachable over the Internet.

Why NASA/USCG/Industry

Real world deployment issues can only be addressed in an operational network.
USCG has immediate needs, therefore willingness to work the problem.
USCG has military network requirements.
USCG is a large enough network to force us to investigate full scale deployment issues.
USCG is small enough to work with.
NASA has the same network issues regarding mobility, security, network management and scalability.

Mobile-Router Advantages

Share wireless and network resources with other organizations
Set and forget
    No onsite expertise required
    However, you still have to engineer the network
Continuous Connectivity
$$$ savings
    (May or may not be important to your organization)
Robust
    Secondary Home Agent (Reparenting of HA)

Mobile Network Design Goals

Secure
Scalable
Manageable
Ability to share network infrastructure
Robust

Shared Network Infrastructure

Figure (labels recovered): Mobile Routers belonging to ACME Shipping, the Canadian Coast Guard, the US Coast Guard and the US Navy attach through shared Foreign Agents over the Public Internet; each organization keeps its own Home Agent (ACME Shipping HA, Canadian Coast Guard HA, US Coast Guard HA, US Navy HA).

Encrypting wireless links makes it very difficult to share infrastructure. This is a policy issue.

Secondary Home Agent (reparenting the HA)

Figure: Primary Home Agent and Secondary Home Agent.

Reparenting Home Agent
    Helps resolve the triangular routing problem over long distances.
    Emergency Backup (Hub / Spoke Network)
        If the primary control site becomes physically inaccessible but can be electronically connected, a secondary site can be established.
        If the primary control site is physically incapacitated, there is no backup capability.

Secondary Home Agent (Fully Meshed Network)

If the primary control site is physically incapacitated, a second, third or fourth site takes over automatically.

Figure: five fully meshed sites (1 through 5).

We Are Running with Reverse Tunneling

Pros
    Ensures topologically correct addresses on foreign networks
    Required as requests from MR LAN hosts must pass through the Proxy inside the main firewall
    Greatly simplifies setup and management of security associations in encryptors
    Greatly simplifies multicast; the HA makes for an excellent rendezvous point.

Cons
    Uses additional bandwidth
    Destroys route optimization

Figure, reverse tunneling topology (labels recovered): Mobile LAN 10.x.x.x behind the MR, whose tunnel endpoint sits in public address space; 802.11b link with a public address at the Dock (EAST / WEST radios, shared with the USCG Officers Club); FA Cleveland and FA - Detroit on the Internet; HA tunnel endpoint in public space; encryption on the wireless links; a FIREWALL and PROXY in front of the USCG INTRANET 10.x.x.x.

Figure, Open Network Data Transfers: same topology, showing the unencrypted path from the Mobile LAN through the Dock, FA Cleveland and the HA to the USCG Intranet.

Figure, Encrypted Network Data Transfers: same topology, showing the path with encryption applied on the Dock link and between the FAs and the HA.

Figure, Monitoring Points: same topology with Open Network Monitoring Points at FA Cleveland and on the Internet side of the HA.

Note: we are monitoring the Neah Bay. We are using lots of bandwidth to do this.

RF Bandwidth

Figure labels:
    Mobile LAN 10.x.x.x (encrypted satellite link): 7 Kbps to 56 Kbps in 7 Kbps chunks (1 to 2.5 seconds delay)
    Dock: 11.0 Mbps (auto-negotiated and shared with Officers Club)
    EAST: 1.0 Mbps (manually set)
    WEST: 1.0 Mbps (manually set)

Wireless Only?

Wireless can be jammed
    Particularly unlicensed spectrum such as 802.11
    Satellites are a bit harder
    The solution is to find the interferer and make them stop.
You still want land line connections
    Mobile Routing can be used over land lines.

Globalstar/Sea Tel MCM-8

Initial market addresses maritime and pleasure boaters.
Client / Server architecture
    Current implementation requires the call to be initiated by the client (ship).
Multiplexes eight channels to obtain 56 kbps total data throughput.
Full bandwidth-on-demand.
Requires use of Collocated Care-of-Address

Satellite Coverage

Figure (from SaVi): Globalstar and INMARSAT coverage.

Layer 2 Technology

Figure labels: Globalstar MCM-8 with Sea Tel Tracking Antenna; L3-Comm 15 dBic Tracking Antenna; Hypergain 802.11b Flat Panel; 8 dBi Dipole.

Backbone Network Topology
    Detail Network Diagram (Intentionally Blank)

Neah Bay Network Topology
    Detail Network Diagram (Intentionally Blank)

USCG Officers Club Network Topology
    Detail Network Diagram (Intentionally Blank)

Securing Mobile and Wireless Networks
Some ways may be better than others!

Constraints / Tools

Policy
Architecture
Protocols

IPv4 Utopian Operation

Figure (labels recovered): a CN on the US Coast Guard Operational Network (Private Address Space) and the HA reach the US Coast Guard Mobile Network (MR behind an FA) across the Public Internet; traffic follows Triangular Routing (CN to HA to FA to MR, MR directly back to CN).

IPv4 Real World Operation

Figure (labels recovered): same topology as the utopian case, but with a PROXY between the Public Internet and the US Coast Guard Operational Network (Private Address Space); the HA sits beside the proxy.

The Proxy had not originated the request; therefore, the response is squelched.

Ingress or Egress Filtering stops Mobile-IP in its tracks. Transmission stopped due to topologically incorrect source address.

Glenn Research Center Policy: USCG requires 3DES encryption. No UDP, IPSec, etc. No WEP. WEP is not acceptable due to known deficiencies. Peer-to-peer networking becomes problematic at best. What's your policy?

IPv6 corrects this problem.

Current Solution: Reverse Tunneling

Figure (labels recovered): the MR, behind an FA on the US Coast Guard Mobile Network, tunnels all traffic back across the Public Internet to the HA; the HA hands it to the PROXY in front of the US Coast Guard Operational Network (Private Address Space), which forwards it to the CN. Adds overhead and kills route optimization.

Anticipate similar problems for IPv6.
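A small model of the two failure modes the deck describes (ingress filtering at the foreign network border, and a stateful proxy squelching a response to a request it never saw) and of how a reverse tunnel avoids both. This is an added illustration, not code from the project; the addresses are constructed and the filter and proxy behaviour are simplified.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for illustration (not the project's operational addressing).
FOREIGN_NET = ipaddress.ip_network("139.88.100.0/24")  # network the MR is visiting
COA = "139.88.100.1"         # MR care-of address on that network
HA = "128.184.25.1"          # home agent, outside the main firewall
CN = "192.0.2.10"            # correspondent node behind the proxy
MOBILE_HOST = "10.2.3.101"   # host on the MR LAN, still using its home address

@dataclass
class Packet:
    src: str
    dst: str
    inner: Optional["Packet"] = None   # encapsulated packet when tunneled

def passes_ingress_filter(pkt: Packet) -> bool:
    """Foreign border router: forward only packets whose source address
    is topologically inside the network they are leaving."""
    return ipaddress.ip_address(pkt.src) in FOREIGN_NET

def send_direct(host: str, cn: str) -> Packet:
    # Triangular routing: the host transmits with its home address as source.
    return Packet(src=host, dst=cn)

def send_reverse_tunneled(host: str, cn: str) -> Packet:
    # Reverse tunnel: the MR wraps the packet in an outer header COA -> HA.
    return Packet(src=COA, dst=HA, inner=Packet(src=host, dst=cn))

class Proxy:
    """Stateful proxy inside the main firewall: a response is admitted
    only if the proxy saw the matching request go out."""
    def __init__(self): self.outstanding = set()
    def request(self, pkt: Packet): self.outstanding.add((pkt.src, pkt.dst))
    def response(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.src) in self.outstanding   # otherwise squelched

def deliver(pkt: Packet, proxy: Proxy) -> list:
    """Trace a mobile-host packet toward the CN; return the hops it reached."""
    hops = []
    if not passes_ingress_filter(pkt):
        return hops                        # dropped at the foreign border
    hops.append("foreign-border")
    if pkt.dst == HA and pkt.inner is not None:
        hops.append("home-agent")          # HA decapsulates the reverse tunnel
        pkt = pkt.inner
        proxy.request(pkt)                 # the request now traverses the proxy
        hops.append("proxy")
    hops.append("cn")
    return hops

def reply_admitted(proxy: Proxy) -> bool:
    # The CN's reply to the host's home address arrives at the proxy.
    return proxy.response(Packet(src=CN, dst=MOBILE_HOST))
```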

Shared Network Infrastructure

(Slide repeated from earlier: MRs of ACME Shipping, the Canadian Coast Guard, the US Coast Guard and the US Navy sharing Foreign Agents over the Public Internet, each with its own HA.)

Encrypting wireless links makes it very difficult to share infrastructure. This is a policy issue.

Security

Security vs. Bandwidth Utilization
Security vs. Performance
    Tunnels, Tunnels, Tunnels and more Tunnels
Performance vs. Security
    User turns OFF Security to make the system usable!

Thus, we need more bandwidth to ensure security.

Figure: encryption on the RF link, encryption at the network layer, and a virtual private network each wrap the ORIGINAL PACKET in another header: HEADER, HEADER, HEADER, HEADER, PAYLOAD.
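A worked calculation of the "tunnels and more tunnels" overhead on the figure above: an original IP packet, Mobile-IP IP-in-IP tunnels (the MR-to-FA and FA-to-HA tunnels of the later diagrams), an IPSec ESP tunnel with 3DES and HMAC-SHA1-96, and WEP on the RF link. This is an added example, not from the presentation; the header sizes are the standard ones for those protocols and the payload sizes and link rates are chosen to match the deck's 7 Kbps satellite chunks.

```python
IPV4_HEADER = 20        # bytes, no options
ESP_HEADER = 8          # SPI + sequence number
ESP_IV_3DES = 8         # 3DES-CBC IV; block size is also 8
ESP_TRAILER = 2         # pad length + next header
ESP_ICV_SHA1_96 = 12    # HMAC-SHA1-96 authenticator
WEP_OVERHEAD = 8        # 4-byte IV/KeyID + 4-byte ICV on the 802.11 frame

def ipip_tunnel(length: int) -> int:
    """Mobile-IP IP-in-IP encapsulation adds one outer IPv4 header."""
    return length + IPV4_HEADER

def esp_tunnel_3des(length: int) -> int:
    """ESP tunnel mode: whole inner packet plus trailer is padded to the
    cipher block size, then wrapped with outer IP, ESP header, IV and ICV."""
    body = length + ESP_TRAILER
    padding = (-body) % ESP_IV_3DES
    return IPV4_HEADER + ESP_HEADER + ESP_IV_3DES + body + padding + ESP_ICV_SHA1_96

def wep_frame(length: int) -> int:
    return length + WEP_OVERHEAD

def on_the_wire(payload: int, tunnels: int = 0, ipsec: bool = False,
                wep: bool = False) -> int:
    """Bytes sent on the RF link for one packet carrying `payload` bytes."""
    length = payload + IPV4_HEADER          # the original packet
    for _ in range(tunnels):
        length = ipip_tunnel(length)        # reverse tunnel(s) MR -> FA -> HA
    if ipsec:
        length = esp_tunnel_3des(length)    # network-layer encryption
    if wep:
        length = wep_frame(length)          # RF-link encryption
    return length

def efficiency(payload: int, **stack) -> float:
    return payload / on_the_wire(payload, **stack)

def goodput_kbps(link_kbps: float, payload: int, **stack) -> float:
    """Application data rate left after the security and mobility stack."""
    return link_kbps * efficiency(payload, **stack)

if __name__ == "__main__":
    for payload in (64, 512, 1400):
        for link in (7, 56):
            g = goodput_kbps(link, payload, tunnels=2, ipsec=True, wep=True)
            print(f"{payload:5d}-byte payload on {link:2d} Kbps link: {g:5.2f} Kbps useful")
```

Small packets on the 7 Kbps chunk lose almost two thirds of the link to headers, which is the bandwidth argument the slide makes.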

Additional and Future Security Solutions

AAA
    Routers (available today)
    Wireless bridges and access points (available 2002)
IPSec on router interface
Encrypted radio links
    IPSec, type1 or type2, and future improved WEP

Conclusions

Security Breaks Everything
    At least it sometimes feels like that.
Need to change policy where appropriate.
Need to develop good architectures that consider how the wireless systems and protocols operate.
Possible solutions that should be investigated:
    Dynamic, protocol aware firewalls and proxies.
    Possibly incorporated with Authentication and Authorization.

Mobile-IP Operation (IPv4)

Mobile-IP (IPv4)

Figure (labels recovered): a Mobile Node with Home IP 128.183.13.103 and Care-Of-Address 139.88.111.50; Foreign Agents at 139.88.111.1 and 139.88.112.1 (NASA Glenn) and 143.232.48.1 (NASA Ames); Home Agent at 128.183.13.1 (NASA Goddard); a Corresponding Node; all connected across the Internet or Intranet.

Mobile-Router (IPv4)

Figure (labels recovered): the Mobile Router (Mobile Node) has a Virtual LAN Interface 10.2.3.1 serving host 10.2.3.101, a Roaming Interface 10.2.2.1, and an MR Loopback Virtual Interface 10.2.4.10 with COA 139.88.100.1. Tunnel-0 runs from the MR to the Foreign Agent (FA WAN 139.88.100.1, Internet WAN 139.88.112.1); Tunnel-1 runs from the Foreign Agent across the Internet (128.183.13.1) to the Home Agent (HA Loopback Virtual Interface 128.184.25.1); the Corresponding Node sits beyond the HA.

Mobile-Router (IPv4), Collocated Care-Of-Address

Figure (labels recovered): the same MR interfaces (10.2.3.1 Virtual LAN, 10.2.2.1 Roaming, 10.2.4.10 MR Loopback, COA 139.88.100.1) and host 10.2.3.101, but No Foreign Agent and No Second Tunnel: Tunnel-0 runs from the MR's COA 139.88.100.1 directly across the Internet (128.183.13.1) to the Home Agent 128.184.25.1 (HA Loopback Virtual Interface); the Corresponding Node sits beyond the HA.

What's Next: The End Game

Mobile Networks

Share Network Infrastructure
    USCG, Canadian Coast Guard, Commercial Shipping, Pleasure Boaters
    Open Radio Access / Restricted Network Access
        Authentication, Authorization and Accounting
Architecture
    Limited, experimental deployment onboard Neah Bay
    Move RIPv2 routing from Fed. Bldg to Neah Bay
    Move to full scale deployment
        Requires full commitment

HA Outside Main Firewall

Figure (labels recovered): Mobile LAN 10.x.x.x behind the MR; 802.11b link with a public address; FA Cleveland and FA - Detroit on the Public INTERNET; HA with a public address; a PIX-506 firewall in front of the PROXY and the INTRANET 10.x.x.x.

Note: PIX-506 until we install our PIX FW. Then we should not need the baby PIX.

Firewall between MR interfaces and the public Internet as well as the HA and Private Intranet.
Reverse tunneling required as requests from MR LAN hosts must pass through the Proxy inside the main firewall.

Areas that need to be addressed

Home Agent Placement
    Inside or Outside the Firewall
AAA Issues
    Open Radio Access / Restricted Network Access
    Secure Key Management
IPv6 Mobile Networking Development
    Work with industry and IETF
Develop radio link technology
    Enable better connectivity throughout the world for both military and aeronautical communications (voice, video and data).

NASA's Needs: Mobile Networks

Relevant NASA Aeronautics Programs

Advanced Air Transportation Technology (AATT)
Weather Information Communication (WINCOMM)
Small Aircraft Transportation System (SATS)

Aeronautic Networking Issues

Move to IPv6
    IPv6 Mobile Networking
Authentication, Authorization and Accounting
Bandwidth, Bandwidth, Bandwidth
Media Access
Policy
    Sending of Operations over Entertainment Channels

Earth Observation

Figure (labels recovered): T1, T2, T3, ?

Space Flight Implementation

Sharing Infrastructure
    Common Media Access
    Common Ground Terminal Capabilities
    Common Network Access
        AAA
    Common Modulation and Coding
        Software Radio

Backup

Asymmetrical Pathing

Figure (labels recovered): DVB Satellite on one path, MilStar, Globalstar or others on the other; Mobile Router, Internet, two Foreign Agents and a Home Agent.

Neah Bay (photo)

Papers and Presentations

http://roland.grc.nasa.gov/~ivancic/papers_presentations/papers.html
or
http://roland.grc.nasa.gov/~ivancic/ and pick Papers and Presentations
