Network Security PDF
Rev 1.0
www.huawei.com
Objectives
- ACL
- NAT
- Access Methods (PPP, PPPoE, DHCP)
- AAA
- RADIUS + DIAMETER
- Tunneling (GRE+IPSec)
[Diagram: Department A and Department B on an intranet]
All rights reserved
Filtering
An ACL can match on fields from the Layer 2 header, the IP header, the TCP header and the application-level header, through to the data.
ACL Example
[Diagram: ACL example with hosts 202.1.5.1 and 192.168.1.10]
[Diagram: LAN1, LAN2 and LAN3 (192.168.0.0/24) connected to the Internet]
Private address ranges:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
HUAWEI TECHNOLOGIES CO., LTD.
Why NAT?
NAT (Network Address Translation)
Why do we use NAT?
IP address resources are increasingly insufficient.
Address translation lets multiple hosts in a LAN access the Internet through a single public IP address.
[Diagram: NAPT. Two LAN hosts (192.168.1.1 and 192.168.1.2, both using source port 3000) reach the server 195.210.5.31:80 through the public address 202.1.1.5, which the NAT device pairs with ports 4000 and 4001]
Local Source | Destination | Outside Source
192.168.1.1:3000 | 195.210.5.31:80 | 202.1.1.5:4000
192.168.1.2:3000 | 195.210.5.31:80 | 202.1.1.5:4001
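The translation table above, worked through in code as an added example (it is not Huawei code and does not model a particular router): each new outbound flow from the LAN is given its own port on the public address, replies are mapped back by that port, and a packet arriving for a port with no table entry has no inside host to go to and is dropped. The addresses and ports are the ones from the slide; the class and function names are this example's own.

```python
"""Minimal NAPT (port-based NAT) translation table.

Constructed illustration for the slide's table: two LAN hosts, both using
source port 3000, reach 195.210.5.31:80 through public address 202.1.1.5.
"""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

SERVER: Endpoint = ("195.210.5.31", 80)  # destination from the slide


class NaptTable:
    """Translation table keyed on (local source, destination)."""

    def __init__(self, public_ip: str, first_port: int = 4000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (local_src, dst) -> outside_src, used for packets leaving the LAN
        self.outbound: Dict[Tuple[Endpoint, Endpoint], Endpoint] = {}
        # (outside_src, remote) -> local_src, used for replies coming back
        self.inbound: Dict[Tuple[Endpoint, Endpoint], Endpoint] = {}

    def translate_outbound(self, local_src: Endpoint, dst: Endpoint) -> Endpoint:
        """Rewrite the source of an outbound packet; allocate a port on first use."""
        key = (local_src, dst)
        if key not in self.outbound:
            outside_src = (self.public_ip, self.next_port)
            self.next_port += 1
            self.outbound[key] = outside_src
            self.inbound[(outside_src, dst)] = local_src
        return self.outbound[key]

    def translate_inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Map a packet arriving at the public address back to the LAN host.

        Returns None when no entry matches (unknown port, or a different remote
        endpoint than the one the mapping was created for): the packet is
        unsolicited from the table's point of view and is dropped.
        """
        return self.inbound.get((dst, src))


def sample_table() -> NaptTable:
    """Reproduce the slide: 192.168.1.1 and 192.168.1.2 both open port 3000 to the server."""
    nat = NaptTable("202.1.1.5")
    for local_ip in ("192.168.1.1", "192.168.1.2"):
        nat.translate_outbound((local_ip, 3000), SERVER)
    return nat


if __name__ == "__main__":
    nat = sample_table()
    print("Local Source | Destination | Outside Source")
    for (local_src, dst), outside_src in nat.outbound.items():
        print(f"{local_src[0]}:{local_src[1]} | {dst[0]}:{dst[1]} | {outside_src[0]}:{outside_src[1]}")
```

Both hosts keep their local port 3000; only the public-side port distinguishes the two flows, which is why the reply lookup is keyed on the public port together with the remote endpoint.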
Address Pool
[Diagram: PC1 and PC2 on the LAN reach the Internet through a NAT address pool 202.38.160.1 - 202.38.160.4]
An address pool is identified by a number.
The NAT process will select an address from the address pool as the source
[Diagram: NAT server with a static mapping. Router with Serial 0 on the Internet side and E0 on the LAN side; public address 202.38.160.1; map on router: internal address 10.0.1.1 to public address 202.38.160.1, ports 80 and 8080; extranet user at IP 202.39.2.3]
Disadvantages of NAT
Since the IP address translation is needed for data
AAA Platform
[Diagram: AAA platform and NMS attached to the core network (core layer); NAS (BRAS) at the convergence layer; access network (access layer) with LAN switch, DSLAM and WLAN AP serving Ethernet, ADSL and WLAN users]
AAA
- Authentication
- Authorization
- Accounting
[Diagram: BRAS functional model. User packets enter the BRAS, which performs user identification and connection management; AAA and user management (AAA&UM) talks to the AAA server, and address management and service control talk to the policy server]
[Diagram: user access types at the NAS. PPP user (PPP); 802.1x user (EAPoL packet); Web user (IP/ARP/DHCP packet, then HTTP packet to the Web server); Bind user (IP/ARP/DHCP packet)]
PPP overview
PPP protocol stack:
- Network layer: IP, IPX
- Network protocol layer: IPCP, IPXCP, BCP
- Data link layer: authentication protocols (PAP, CHAP, EAP) and LCP
- Physical layer
PAP/CHAP
[Diagram: PPP phase state machine. Dead -> Establish -> Authenticate -> Network (IPCP) -> Terminate -> Dead. Opened on success; Fail from Establish or Authenticate goes to Terminate; Down and Closing return to Dead]
PAP and CHAP authentication between the subscriber and the BRAS:
PAP:
1. Subscriber -> BRAS: Authentication_Req (username, password)
2. BRAS compares the passwords
3. BRAS -> Subscriber: Accept/Reject
CHAP:
1. BRAS generates a Challenge and sends it to the subscriber
2. Subscriber generates ChallengePwd from the challenge
3. Subscriber -> BRAS: Authentication_Req (username, ChallengePwd)
4. BRAS compares the ChallengePwds
5. BRAS -> Subscriber: Accept/Reject
[Diagram: subscriber traffic across the access network; frame layout ETH | IP | DATA]
Session stage
- PPP parameters negotiation
- Data transmission
- Maintain session
[Diagram: PPPoE discovery stage. Client -> AC: PADI (Service-Name, Session-ID=0x0000); AC -> Client: PADO]
Dynamic allocation
The DHCP server assigns an IP address to a client for a limited period of time (or until the client explicitly relinquishes the address).
Manual allocation
A client's IP address is assigned by the network administrator, and DHCP is used simply to convey the assigned address to the client.
DHCP client and (selected) DHCP server exchange:
1. DHCPDISCOVER
2. DHCPOFFER
3. DHCPREQUEST
4. DHCPACK or DHCPNAK
5. DHCPRELEASE
Packet format (field sizes in bytes):
op (1) | htype (1) | hlen (1) | hops (1)
xid (4)
secs (2) | flags (2)
ciaddr (4)
yiaddr (4)
siaddr (4)
giaddr (4)
chaddr (16)
sname (64)
file (128)
options (variable)
Option 82
Option 82 is used for:
- Preventing IP address exhaustion by DHCP requests
- Realizing static allocation of IP addresses by DHCP
- Preventing static IP address cheating
Option 82 sub-options:
- Agent Circuit ID: {atm|eth} frame/slot/subslot/port[:vpi.vci|outer_vlan.inner_vlan]
- Agent Remote ID: AccessNodeIdentifier
Option 82
[Diagram: Option 82 insertion. PC -> DSLAM: DISCOVER; DSLAM -> NAS: DISCOVER + Option 82; NAS -> DHCP Server: DISCOVER + Option 82. OFFER, REQUEST and ACK follow the same path, each carrying Option 82 between DSLAM, NAS and DHCP server]
[Diagram: RADIUS server in the core network (Internet); NAS devices connect users through the access networks (DSLAM, LAN switch)]
[Diagram: NAS functional model, as for the BRAS above: user identification and connection management for user packets, AAA&UM toward the AAA server, address management and service control toward the policy server]
Client-Server Model
[Diagram: the user connects to the NAS, which acts as the RADIUS client toward the RADIUS (AAA) server]
Key features
- Network security: shared secret; CHAP
- Extensible protocol: Attribute-Length-Value format
RADIUS exchange between the NAS and the RADIUS server:
1. User requests access
2. NAS -> Server: Access-Request
3. Server -> NAS: Access-Accept (NAS configures the user) or Access-Reject (authentication)
4. NAS -> Server: Accounting-Request (start); Server -> NAS: Accounting-Response (accounting start)
5. NAS -> Server: Accounting-Request (Interim update); Server -> NAS: Accounting-Response (interim accounting)
6. User requests termination
7. NAS -> Server: Accounting-Request (stop); Server -> NAS: Accounting-Response (accounting stop)
PAP via RADIUS:
1. User -> NAS: Username, Password
2. NAS -> RADIUS Server: Access-Request (Username, Password)
3. Server -> NAS: Access-Accept (configure user) or Access-Reject
CHAP via RADIUS:
1. NAS -> User: Challenge
2. User -> NAS: Username, Encrypted challenge
3. NAS -> RADIUS Server: Access-Request (Username, Challenge, Encrypted Challenge)
4. Server -> NAS: Access-Accept (configure user) or Access-Reject
Check
Why UDP?
1. If the request to a primary Authentication server fails,
use of UDP
4. UDP simplifies the server implementation
What's Diameter?
Diameter protocol
An AAA protocol that provides the Authentication, Authorization and Accounting (AAA) functions.
More advanced than RADIUS, hence the name Diameter.
[Diagram: traditional network: NAS as AAA client with a RADIUS AAA server; future network: NAS as AAA client with a Diameter AAA server; access types PPP, WLAN, DSL, 3G]
- Capability negotiation
- Peer discovery and configuration
Diameter Framework
The Diameter protocol consists of the Diameter base protocol and Diameter applications.
Diameter stack: applications (NASREQ application, EAP application, other applications) over the Diameter base protocol, carried by SCTP or TCP.
Server
A Diameter Server is one that handles authentication,
authorization and accounting requests for a particular realm. By
its very nature, a Diameter Server MUST support Diameter
applications in addition to the base protocol.
Agent
- Relay/Proxy Agent
- Redirect Agent
- Translation Agent
Diameter PDU
A Diameter message consists of two parts:
- Diameter message head
- Diameter AVPs
Message head (bit positions 0-31):
version (8 bits) | Message Length (24 bits)
command flags R P E T r r r r (8 bits) | Command-Code (24 bits)
Application-ID (32 bits)
Hop-by-Hop Identifier (32 bits)
End-to-End Identifier (32 bits)
Message body: AVPs
Command codes
Command-Name | Abbrev | Code
Abort-Session-Request | ASR | 274
Abort-Session-Answer | ASA | 274
Accounting-Request | ACR | 271
Accounting-Answer | ACA | 271
Capabilities-Exchange-Request | CER | 257
Capabilities-Exchange-Answer | CEA | 257
Device-Watchdog-Request | DWR | 280
Device-Watchdog-Answer | DWA | 280
Session-Termination-Request | STR | 275
Session-Termination-Answer | STA | 275
Diameter AVP
AVP (attribute-value pair)
The Diameter message body is composed of Diameter AVPs. Each AVP carries a specific message parameter value and consists of an AVP head and data. AVPs carry authentication information, authorization information, charging information, routing information, security information, and the request and response configuration information.
AVP structure (bit positions 0-31):
AVP Code (32 bits)
AVP flags V M P r r r r r (8 bits) | AVP Length (24 bits)
Vendor-ID (32 bits, optional: present when the V flag is set)
AVP data
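To make the message head and AVP layouts concrete, here is an added encoder/decoder written for this page (it is not Huawei code and not taken from any Diameter stack). It lays out the head and AVP fields exactly as the slides show them, keeps the AVP Length separate from the 4-byte padding, exposes the R and T command flags (the T bit marks a retransmission, as in the switchover slide further on) and rejects a message whose Message Length or AVP Length does not fit the bytes actually received. The command codes come from the table above; the AVP codes 264 (Origin-Host), 296 (Origin-Realm) and 266 (Vendor-Id) are the RFC-assigned values, while the hostnames, identifiers and the vendor-specific AVP (code 603, Vendor-ID 10415, data "abc") are constructed sample values.

```python
"""Encode and decode the Diameter message head and AVPs (illustrative code)."""
import struct

# Command codes from the slide's table (request and answer share a code)
CER, ACR, DWR = 257, 271, 280
# Command flags: R P E T occupy the first four bits of the flags octet
FLAG_REQUEST, FLAG_PROXIABLE, FLAG_ERROR, FLAG_RETRANSMIT = 0x80, 0x40, 0x20, 0x10
# AVP flags: V M P occupy the first three bits of the AVP flags octet
AVP_VENDOR, AVP_MANDATORY, AVP_PROTECTED = 0x80, 0x40, 0x20


def encode_avp(code, data, mandatory=True, vendor_id=None):
    """Build one AVP: code, flags, 24-bit length, optional Vendor-ID, data, padding."""
    flags = AVP_MANDATORY if mandatory else 0
    vendor = b""
    if vendor_id is not None:
        flags |= AVP_VENDOR
        vendor = struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)          # AVP Length excludes the padding
    padding = b"\x00" * (-length % 4)             # data is padded to a 4-byte boundary
    return (struct.pack("!I", code) + bytes([flags]) + length.to_bytes(3, "big")
            + vendor + data + padding)


def encode_message(command_code, application_id, hop_by_hop, end_to_end, avps,
                   request=True, retransmission=False):
    """Build the 20-byte message head followed by the AVPs."""
    body = b"".join(avps)
    flags = (FLAG_REQUEST if request else 0) | (FLAG_RETRANSMIT if retransmission else 0)
    head = (bytes([1]) + (20 + len(body)).to_bytes(3, "big")       # version, Message Length
            + bytes([flags]) + command_code.to_bytes(3, "big")      # command flags, Command-Code
            + struct.pack("!III", application_id, hop_by_hop, end_to_end))
    return head + body


def decode_avps(body):
    """Walk the message body AVP by AVP, checking every length against the bytes present."""
    avps, offset = [], 0
    while offset < len(body):
        if len(body) - offset < 8:
            raise ValueError("truncated AVP head")
        code = struct.unpack_from("!I", body, offset)[0]
        flags = body[offset + 4]
        length = int.from_bytes(body[offset + 5:offset + 8], "big")
        head_len = 12 if flags & AVP_VENDOR else 8
        if length < head_len or offset + length > len(body):
            raise ValueError("AVP Length out of range")
        vendor_id = struct.unpack_from("!I", body, offset + 8)[0] if flags & AVP_VENDOR else None
        avps.append({"code": code, "mandatory": bool(flags & AVP_MANDATORY),
                     "vendor_id": vendor_id, "data": body[offset + head_len:offset + length]})
        offset += length + (-length % 4)          # skip the padding too
    return avps


def decode_message(packet):
    """Parse the head, verify version and Message Length, then decode the AVPs."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the Diameter head")
    version, length = packet[0], int.from_bytes(packet[1:4], "big")
    flags, command_code = packet[4], int.from_bytes(packet[5:8], "big")
    application_id, hop_by_hop, end_to_end = struct.unpack_from("!III", packet, 8)
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length != len(packet):
        raise ValueError("Message Length does not match the bytes received")
    return {"command_code": command_code, "request": bool(flags & FLAG_REQUEST),
            "retransmission": bool(flags & FLAG_RETRANSMIT), "application_id": application_id,
            "hop_by_hop": hop_by_hop, "end_to_end": end_to_end, "avps": decode_avps(packet[20:])}


def rejects(packet):
    """True when the decoder refuses the packet (used to show the length checks)."""
    try:
        decode_message(packet)
        return False
    except ValueError:
        return True


def sample_cer():
    """A constructed CER: Origin-Host, Origin-Realm, Vendor-Id and one vendor-specific AVP."""
    avps = [encode_avp(264, b"nas.example.test"),             # 16 bytes of data, no padding
            encode_avp(296, b"example.test"),                 # 12 bytes, no padding
            encode_avp(266, struct.pack("!I", 0)),            # Unsigned32 value
            encode_avp(603, b"abc", vendor_id=10415)]         # 3 bytes, padded to 4
    return encode_message(CER, 0, 0x00010001, 0x00020002, avps)


if __name__ == "__main__":
    msg = decode_message(sample_cer())
    print(msg["command_code"], msg["request"], [(a["code"], a["data"]) for a in msg["avps"]])
```

The four AVP heads add up to 72 bytes of body, so the Message Length field of the sample reads 92; corrupting one AVP Length byte, or cutting the packet short, makes decode_message raise rather than read past the buffer.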
Example
Use a Cx message as an example: the Diameter message UAA exchanged between the I-CSCF and the HSS.
[Diagram: UAA message layout. Diameter header (command code UAA) followed by AVPs; each AVP has an AVP header (AVP code, AVP length) and AVP data; the example shows the values 603 and 10415]
Connection establishment: CER / CEA
[Diagram: the client sends CER, the server answers CEA]
When two Diameter peers create a connection, they need to perform a capability exchange. The CER/CEA capability exchange is used to advertise capabilities (such as protocol version, Diameter applications and security mechanism).
If a peer receives a CER from an unknown peer, it discards the message or returns the result code DIAMETER_UNKNOWN_PEER.
[Diagram: link maintenance. One node sends DWR, Node2 answers DWA]
[Diagram: connection release. One node sends DPR, Node2 answers DPA]
[Diagram: Diameter link between the DA and its PEER.
1. Link establishment: SCTP association establishment; CER/CEA (capability exchange is successful and the link is normal); DWR/DWA sent periodically as a heartbeat to maintain the link status.
2. Diameter link disconnection: either the DA initiates the disconnect (DPR/DPA, then SCTP association disconnect) or the peer initiates it (DPR/DPA, then SCTP association disconnect).]
[Flowchart: Diameter request routing. Does the request carry a Destination-Host (D-Host)? No: check the routing table based on the Destination-Realm (D-Realm) and forward the message. Yes: check the adjacent peer device based on the D-Host.]
[Diagram: realm-based routing example. Client (Hostname=Client.RealmA, in RealmA) -> DA1 -> DA2 -> Server (Hostname=Server.RealmB). The request carries ApplicationID, DestRealm=RealmB and DestHost=Server.RealmB. Steps: 1. Routing at DA1 (choose the route and forward); 2. Routing at DA2; 3. Forwarding to the server; 4. Response from the server; 5. Response via DA2; 6. Response via DA1 to the client.]
IETF RFC3588 Diameter Base Protocol
Switchover
[Diagram: Client, DA1, DA2 and Server each keep a request queue. 1. Request from the client; 2. Request re-sent with the T bit set to 1, which marks the message as a retransmission; 5. Response from DA2; 6. Response to the client.]
VPN Definition
[Diagram: headquarters connected to a partner, a remote office, a branch and employees on business trips through tunnels over the Internet, and to an office by leased line]
Classification of VPN
Based on the applications:
- Access VPN
- Intranet VPN
- Extranet VPN
Access VPN
[Diagram: remote users reach the HQ through ISP POPs; the tunnel is originated either by the ISP or by the user]
Intranet VPN
[Diagram: HQ, research institute, branch and office connected by tunnels over the Internet/ISP IP or ATM/FR network]
Extranet VPN
[Diagram: HQ, remote office and branch, plus a partner, connected over the Internet/ISP IP or ATM/FR network]
Layer 3 VPN
- GRE: Generic Routing Encapsulation
- IPSEC: IP Security Protocol
Reliability
Economical Efficiency
Expansibility
GRE Overview
GRE is generic routing encapsulation protocol. It will
GRE Protocol Stack
- IP/IPX (encapsulated protocol)
- GRE (encapsulation protocol)
- IP (transmission protocol)
- Link layer
Encapsulated packet: IP | GRE | IP/IPX | Payload
GRE Header
[Diagram: GRE tunnel across the Internet between the branch and the HQ]
IPSec Overview
IPSec (IP Security) is a framework of open
it in cipher text.
Data Integrity: authenticate the received data so as to
Security Association
- Security Parameter Index
- Sequence Number
- Life Time
- Data Flow
- Security Proposal
AH Protocol
Original packet: IP HDR | Data
Transport mode: IP HDR | AH | Data
Tunnel mode: New IP HDR | AH | Org IP HDR | Data
AH Format (bit positions 0-31): Next Header | Payload Len | RESERVED (bits 16-31)
ESP Protocol
Original packet: IP HDR | Data
Transport mode: IP HDR | ESP Hdr | Encrypted Data (the encryption part covers the data)
Tunnel mode: New IP HDR | ESP Hdr | Org IP HDR | Data (the original header and data are encrypted)
[Diagram: ESP format with bit positions 16 and 24 marked and the Next Header field]
IKE
IKE (Internet Key Exchange), an Internet key exchange
Identity protection
distribute
[Diagram: IKE negotiation between two peers (Peer2 shown as the receiver).
1. SA exchange: the sender sends its local IKE strategy; the receiver searches its strategies for a match and confirms the algorithm used by both sides (strategy confirmed).
2. Key generation: both peers generate the key.
3. ID exchange and authentication: each side sends its ID and auth data, and the peer identity is verified.]
Diffie-Hellman key agreement with the public parameters $(g, p)$: one peer chooses $a$ and sends $c = g^a \bmod p$; peer2 chooses $b$ and sends $d = g^b \bmod p$. The first peer computes $d^a \bmod p$ and peer2 computes $c^b \bmod p$, and both obtain the same value:
$$d^a \bmod p = c^b \bmod p = g^{ab} \bmod p$$
[Diagram: relationship between IKE and IPSec. IKE runs over UDP and establishes the IKE SA, from which the IPSec SA is negotiated; IPSec protects TCP/UDP traffic at the IP layer, producing the encrypted IP packet]
Thank you
www.huawei.com