A Scheme of Mobile Firewall in Mobile IPv6

Slides: 10
Provided by: qiuy5
Learn more at: https://www.ietf.org

1
A Scheme of Mobile Firewall in Mobile IPv6
  • draft-qiu-mip6-mobile-firewall-00.txt
  • Feng BAO, Robert DENG, Ying QIU, Jiangying ZHOU
  • 22 August 2018

2
What are the features of the mobile firewall?
  • Guardians can track and control the activities
    of a guarded person when they visit a foreign
    domain as well as in the home domain.
  • The firewall will run at the Mobility Anchor
    Point (MAP) that the Mobile Node (MN) visits.
  • Guardians can dynamically monitor and control
    the mobile node's (MN's) activities through a
    remote machine.
  • All operations are transparent to the guarded
    person.
  • Guardians can remotely specify the security
    rules of the firewall.

3
Where are the firewalls employed?
  • HA: Home Agent
  • CN: Correspondent Node
  • MAP: Mobility Anchor Point
  • AR: Access Router
  • MN: Mobile Node

[Figure: Hierarchical MIPv6 Mobility Management (HMIPv6) framework. Labels: HA, CN, Internet, Firewall, MAP, AR1, AR2, MN (movement), MAP's Domain.]

4
How to implement the mobile firewall
  • Security Tables (I)
  • Focuses on how to effectively manage the
    security stuff, such as security keys, security
    associations, security rules, etc. in order to
    minimize the overhead on mobile devices and
    provide strong security.
  • Trust MAP cache (in Home Agent HA)
  • Security association cache (in HA)
  • Security association cache (in MAP)

Trust MAP cache (in HA), fields:
MAP address | Accepted / Denied

Security association cache (in HA), fields:
MN's HoA | MAP Add | MN's RCoA | MAP's RSA Public Key (PH) | Encryption Key (kEN) | Binding Update Key (kBU) | Acknowledgement / Request Key (kBA/R) | Time Stamp

Security association cache (in MAP), fields:
MN's HoA | MN's RCoA | MN's LCoA | MN's RSA Public Key (PH) | Encryption Key (kEN) | Binding Update Key (kBU) | Acknowledgement / Request Key (kBA/R) | Time Stamp

5
How to implement the mobile firewall
  • Security Tables (II)
  • Security rule cache (in both HA and MAP)

Item    | Local Address                          | Remote Address | Action      | Life time           | Restriction
Content | MN's HoA (at HA) or MN's RCoA (at MAP) | HA's Address   | Accept      | Any                 | All
Content | MN's HoA (at HA) or MN's RCoA (at MAP) | CN1's Address  | Pass / Drop | Bytes / Time / Both | Application protocols / Ports
Content | MN's HoA (at HA) or MN's RCoA (at MAP) | ...            | ...         | ...                 | ...
Content | MN's HoA (at HA) or MN's RCoA (at MAP) | CNn's Address  | Pass / Drop | Bytes / Time / Both | Application protocols / Ports

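
A sketch of how an HA or MAP could evaluate the security rule cache above, added here as an example (it is not code from the draft or the presentation). The field names, the drop decision for flows with no matching rule, and the drop decision once a byte or time lifetime is used up are assumptions; the addresses are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

@dataclass
class Rule:
    local: str                           # MN's HoA (at HA) or MN's RCoA (at MAP)
    remote: str                          # HA's or CN's address
    action: str                          # "accept", "pass" or "drop"
    max_bytes: Optional[int] = None      # life time in bytes; None = any
    expires_at: Optional[float] = None   # life time as a deadline; None = any
    allowed: Optional[Set[Tuple[str, int]]] = None  # (protocol, port); None = all
    used_bytes: int = 0

class RuleCache:
    def __init__(self, rules):
        self.rules = {(r.local, r.remote): r for r in rules}

    def decide(self, local, remote, proto, port, size, now):
        r = self.rules.get((local, remote))
        if r is None or r.action == "drop":
            return "drop"                # assumption: unmatched flows are dropped
        if r.allowed is not None and (proto, port) not in r.allowed:
            return "drop"                # restriction: application protocol / port
        if r.expires_at is not None and now >= r.expires_at:
            return "drop"                # time life time used up (assumed: drop)
        if r.max_bytes is not None and r.used_bytes + size > r.max_bytes:
            return "drop"                # byte life time used up (assumed: drop)
        r.used_bytes += size             # charge the packet against the byte budget
        return "pass"

def demo():
    # Constructed addresses from the IPv6 documentation prefix.
    rcoa, ha = "2001:db8:a::10", "2001:db8:1::1"
    cn1, cn2, cn3 = "2001:db8:c::1", "2001:db8:c::2", "2001:db8:c::3"
    cache = RuleCache([
        Rule(rcoa, ha, "accept"),                                   # Any / All
        Rule(rcoa, cn1, "pass", max_bytes=1000, expires_at=100.0,   # "Both"
             allowed={("tcp", 443)}),
        Rule(rcoa, cn2, "drop"),
    ])
    return [
        cache.decide(rcoa, ha, "udp", 500, 200, now=0.0),    # HA always accepted
        cache.decide(rcoa, cn1, "tcp", 443, 600, now=10.0),  # within both limits
        cache.decide(rcoa, cn1, "tcp", 443, 600, now=20.0),  # exceeds byte budget
        cache.decide(rcoa, cn1, "tcp", 80, 10, now=20.0),    # port not allowed
        cache.decide(rcoa, cn1, "tcp", 443, 100, now=150.0), # past time limit
        cache.decide(rcoa, cn2, "tcp", 443, 10, now=0.0),    # explicit drop rule
        cache.decide(rcoa, cn3, "tcp", 443, 10, now=0.0),    # no rule for this CN
    ]
```
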
6
How to implement the mobile firewall
Firewall Setup (I)
Participants: MN, MAP, HA
  REG_REQ -->                                   (long term messages)
  <----------------- MAP_DENY ---
  <--- IKE_MSG --- ... set up VPN channel ... --- IKE_MSG -->
  ------------------------------------------------------
  INI_REQ -->
  <-- SEC_RUL                                   (short term message for monitor/control)
  MN_LOG -->
  --- MN_LOG -->
  --- MN_LOG -->
  ------------------------------------------------------
  <-- MN_LEV

Message exchange among MN, MAP and HA
7
How to implement the mobile firewall
  • Messages in Mobile Firewall
  • REG_REQ: Src HoA, Des HA, RCoA, MAP, Flag, Ran
  • MAP_DNY: Src HA, Des RCoA, HoA, MAP, Denial, Ran
  • IKE: Negotiated messages
  • INI_REQ: Src HoA, Des CN, CoA (RCoA), Req, Ran
  • SEC_RUL: Src HoA, Des MAP, rules, SIG_h
      • rules: e(k_en, security_rules)
      • SIG_h: (S_h, HoA MAP rules)
  • MN_LOG: Src MAP, Des HoA, i, HoA, log
      • log: e(k_en, activity_log)

8
Conclusion
  • There are three main parts in our scheme:
      • Authentication and authorization
      • Management
      • Control and Monitor
  • All the operations are transparent to the mobile nodes.
  • A mobile node will be served in a way specified by its guardian no matter where it roams.
  • The mobile firewall could have full features of a conventional stateful firewall.

9
Q & A
Thanks