
EEET1246 Advanced Computer Network Engineering

Laboratory Assignment 3 Report

Professor: Andrew Jennins (andrew.jennis@rmit.edu.au)


Tutor: Piya Techateerawat (s3100479@student.rmit.edu.au)

Student: Xiaolin Zhang


Email: s3097029@student.rmit.edu.au

Student: Wilson Castillo


Email: s3143667@student.rmit.edu.au

Subject Code: EEET1246 Advanced Computer Network Eng.

Melbourne, October 23rd, 2006


Network Security Student: Xiaolin Zhang (s3097029)
Laboratory 3 Report Student: Wilson Castillo (s3143667)
Laboratory Report

Table of Contents

1 Introduction
2 The Scenario
3 The Analysis
4 Security Threats
4.1 Passive Threats
4.1.1 Eavesdropping
4.1.2 Traffic Analysis
4.2 Active Threats
4.2.1 Masquerade or Spoofing
4.2.2 Authorization Violation
4.2.3 Denial of Service (DoS)
4.2.4 Modification or Forgery of information
5 Network design goals
5.1 Confidentiality
5.2 Authentication
5.3 Access Control
5.4 Integrity
5.5 Non-repudiation
5.6 Manageability
5.7 Scalability
5.8 Implementability
5.9 Performance
5.10 Availability
6 Network Architecture
7 Key Distribution
7.1 Requirements
7.1.1 Password Policies
7.2 Main Goals
7.3 Procedure
8 Mobile Network Solution through Mobile IPv6
8.1 Mobile IP
8.2 IPv6
8.3 Mobile IPv6
9 Conclusions
9.1 Advantages of this procedure
9.2 Disadvantages
10 References

RMIT University © 2006


School of Electrical and Computer Engineering Melbourne, 23rd October, 2006

Table of Figures

Figure 1: Network Architecture for FACOCO's solution

Figure 2: Message interchange to establish secure connection between FACOCO and courier


Network Security

1 Introduction

Information and its protection are key factors in the success of every company’s business.
It is equally important to have an efficient way of spreading key information to all
relevant company staff. Companies around the world therefore need to implement
network architectures that allow them to share information with their employees in a
secure way. It is the network administrator’s job to deal with both aspects of the
network: security and availability of the information. This laboratory report analyses
a hypothetical scenario for a given problem related to spreading information in a
secure way.

2 The Scenario

According to laboratory guide 3 (Jennings, 2006): “Fast Courier Company (FACOCO)
has a fleet of 300 bicycle couriers in London. They carry high sensitivity documents,
including confidential information that could be useful commercially. But at the same time
they need to be able to interact effectively with their couriers. So each courier carries a
palmtop computer that is connected continuously to an 802.11 local network.”

3 The Analysis

As can be seen in the scenario described above, each courier carries important
information which is confidential and could be useful commercially. Our solution
therefore gives a high weight to security, even at the cost of reduced performance.
However, this trade-off between network security and performance should be
carefully analysed in the implementation stage.

Additionally, the wireless environment places more constraints on the system because all
of the nodes are exposed to hacking attacks. The solution should therefore focus on this
situation.

The analysis will focus on the following main parts:

• Firstly, it is necessary to know which threats the network should be designed against.
• Secondly, it is necessary to define the network architecture to reach the goal
  (sharing information between FACOCO and its couriers in a secure way).
• Thirdly, it is necessary to define how the keys are going to be distributed.
• Finally, it is necessary to define the mobile technology to use.

4 Security Threats


The design that we propose should protect FACOCO against the following security
threats (Prasad and Prasad, 2005):

4.1 Passive Threats

Passive threats are situations where the intruder collects information about the company
(FACOCO) for personal benefit or future attacks. Two types of passive threat are
defined:

4.1.1 Eavesdropping

This is the case when the intruder listens to the network without interfering with the
communication, in order to collect as much information as possible. Sometimes the
intruder is able to obtain important information from the communicating parties, such as
the session key used for encrypting data during the session.

4.1.2 Traffic Analysis

This is a subtler, more advanced kind of threat where the intruder gets information about
the communicating parties. For instance, the intruder could find out who is sending
information to whom.

4.2 Active Threats

This is the case where the intruder tries to actively get information from the network
using different techniques:

4.2.1 Masquerade or Spoofing

This is the case when the intruder pretends to be a trusted user. Consequently, the
intruder could get information about authentication data.

4.2.2 Authorization Violation

This is the case when a user gets access to resources they are not supposed to use. In
fact, this threat can sometimes come from a genuine trusted user trying to get access
to unauthorized resources.

4.2.3 Denial of Service (DoS)

This active attack attempts to inhibit normal use of communication facilities. For example,
in our case, by generating interference in the wireless environment.


4.2.4 Modification or Forgery of information

The intruder creates new information in order to pretend to be a trusted user. For example,
they could attempt to modify original messages sent by the trusted user to the server.

5 Network design goals

There are some security goals that should be reached in order for FACOCO to provide a
secure service to its customers (Imai, 2006), (Prasad and Prasad, 2005) and (Rodriguez,
Gatrell, Karas and Peschke, 2001):

5.1 Confidentiality

The information sent between the couriers and FACOCO should not be disclosed to
unauthorized people. Encryption is the main mechanism used to fulfil this goal.

5.2 Authentication

The purpose of authentication is to assure that the courier is really communicating with
FACOCO headquarters and that FACOCO is really communicating with one of its
couriers. Furthermore, it creates a trusted relationship in the network, even if the
communication medium is untrusted.

This will prevent an intruder from attacking the network using the masquerade
threat.

5.3 Access Control

Because FACOCO’s couriers can access certain services provided by the FACOCO
network, it is important that the system be able to tell who is who and to give the
right access to the right users (couriers).

5.4 Integrity

The information that is sent through the network should not be modified by anyone.
Furthermore, the information should remain unaltered between the two communicating
parties, e.g. FACOCO and its couriers.

5.5 Non-repudiation


Neither the originator (FACOCO or its couriers) nor the receiver (the couriers or FACOCO)
should be able to deny the authorship of a message.

In addition to the security requirements described above, there are some other issues that
should be taken into account in order to get a good design (Prasad and Prasad, 2005):

5.6 Manageability

Security improvements increase the traffic load between the communicating parties. There
is therefore a trade-off between security and network load.

5.7 Scalability

It is important that if FACOCO increases the number of couriers, the basic design stays
the same, so that the network can be easily expanded.

5.8 Implementability

The main idea is to create a secure network, but it should be feasible to build.
Furthermore, the design should take into account the affordability of the components used
in the implementation.

5.9 Performance

The performance of the network should not be decreased because of the security features.
As described above, there is a trade-off between security and performance.

5.10 Availability

One of the most important issues in network communication is the availability of the
services to the users. This is related to the DoS attack, which attempts to disrupt the
availability of the services to the users (couriers).

6 Network Architecture

The basic component of the network architecture selected for this design is the use of
the Internet as the communication medium. This means that the communication path is a
totally untrusted medium. It is therefore important to create a secure path to transfer
information between FACOCO headquarters and every courier.

It is assumed that FACOCO has an agreement with Verisign (www.verisign.com) to allow
every courier and FACOCO itself to establish trusted relations with T-mobile.


It is assumed that FACOCO has an agreement with T-mobile which is one of the best
wireless network providers in London (www.t-mobile.co.uk).

As will be described later, the protocol used between couriers and FACOCO will be IPsec.
FACOCO will have servers with databases working in hot standby mode to
avoid information loss. Every server will have a database which stores the public keys
of every courier. Additionally, information related to security
associations (defined in IPsec) will be stored in this database.

As a precaution against terrorist attacks or other major events, it is necessary that
FACOCO establish a backup office with a dedicated communication channel to the
main headquarters in order to keep a backup of all the information.

Figure 1: Network Architecture for FACOCO's solution


It is assumed that every Palm/PDA device has an IEEE 802.11 network interface. This will
allow every courier to exchange information with FACOCO headquarters. Additionally,
every device will have a special application with a user interface that allows the courier
to exchange data with FACOCO. This application embeds special software
algorithms to calculate keys according to the encryption algorithms defined in the
following sections.

7 Key Distribution

7.1 Requirements

At the same time as couriers receive their palm/PDA, every user will receive a user ID and
a default password (it could be the courier’s national ID or similar). This password will
be used to start the first session with FACOCO servers. After the first session is
established, changing the password is compulsory.

7.1.1 Password Policies

Password policies should be applied so that intruders or attackers cannot easily guess
passwords:

• Passwords should be at least six characters long.
• Passwords should contain at least one numeric character.
• Passwords should contain at least one capital letter.
• Passwords should contain at least one non-alphanumeric character.
• Passwords should be changed every month.
• The last six passwords cannot be reused by the user.
• After three wrong password attempts the system will lock the user. The user will be able
  to use the system again after communicating, in person, with FACOCO headquarters.
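
One way to enforce the policy list above on the FACOCO server, as an added example that is not part of the original report. The `CourierAccount` class, the PBKDF2 storage of the password history and the 30-day reading of "every month" are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MIN_LENGTH = 6
MAX_AGE = timedelta(days=30)   # "changed every month", read here as 30 days (assumption)
HISTORY_DEPTH = 6              # the last six passwords cannot be reused
MAX_FAILURES = 3               # lock after three wrong attempts


def complexity_errors(password):
    """Return the composition rules of section 7.1.1 that the password breaks."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than six characters")
    if not re.search(r"[0-9]", password):
        errors.append("no numeric character")
    if not re.search(r"[A-Z]", password):
        errors.append("no capital letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        errors.append("no non-alphanumeric character")
    return errors


def _digest(password, salt):
    # Salted PBKDF2, so the stored history never holds the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CourierAccount:
    def __init__(self, user_id, default_password, now):
        self.user_id = user_id
        self.history = []        # (salt, digest) pairs, newest last
        self.failures = 0
        self.locked = False
        self.must_change = True  # the default password must be replaced after first use
        self._store(default_password, now)

    def _store(self, password, now):
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _digest(password, salt))])[-HISTORY_DEPTH:]
        self.changed_at = now

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_digest(password, salt), digest)

    def login(self, password, now):
        if self.locked:
            return "locked"
        if not self._matches(password, self.history[-1]):
            self.failures += 1
            self.locked = self.failures >= MAX_FAILURES
            return "locked" if self.locked else "denied"
        self.failures = 0
        if self.must_change or now - self.changed_at > MAX_AGE:
            return "change-required"
        return "ok"

    def change_password(self, new_password, now):
        """Apply the new password if it passes every rule; return the rules it broke."""
        errors = complexity_errors(new_password)
        if any(self._matches(new_password, entry) for entry in self.history):
            errors.append("matches one of the last six passwords")
        if not errors:
            self._store(new_password, now)
            self.must_change = False
        return errors

    def unlock_in_person(self):
        # Called by headquarters staff once the courier has shown up in person.
        self.locked = False
        self.failures = 0
```
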

The next paragraphs will describe the mechanism used, for every courier, to start a session
with FACOCO’s servers.

7.2 Main Goals

The main goals of this mechanism can be described as follows:

1. Courier authentication is based on the pre-established password, which is a shared
password between every courier and FACOCO.

2. The mechanism is based on the creation of a new public/private key pair used to
authenticate every courier. The courier’s private key must reside in the palm/PDA.
This key will be used with FACOCO’s authentication certificate to create the new
public key.


3. It is necessary to create a trust relationship between FACOCO and the wireless provider
(T-mobile in our design). This relationship will be created using reciprocal authentication.

Figure 2: Message interchange to establish secure connection between FACOCO and courier

7.3 Procedure

The network infrastructure should support an authentication infrastructure. A protocol
to exchange keys should therefore be defined to reach this goal (Hu W, Lee C and Kou W
2004):

1. Every courier travels around London with their own palm/PDA. The device is
supposed to be locked, so the courier needs to unlock it using a password (it
could be the same password used to exchange information with FACOCO).

2. Once the device is turned on and unlocked, it starts receiving a broadcast message
sent by T-mobile providing information about T-mobile (IP address and its public key).

3. Then the courier’s device sends an authentication request to T-mobile encrypted
with a random session key and with T-mobile’s public key. The content of the
authentication request is FACOCO’s address with the courier identification; this
message is encrypted with the courier’s public key and FACOCO’s public key, which the
courier got from the certification authority (Verisign in this design). Additionally, the
courier generates a hash value, HV1, from a certificate signing request, a random number
(N1), its IDc and its password. This hash value can only be verified by FACOCO because it
is encrypted with the courier’s password and FACOCO’s public key.

4. T-mobile receives the courier’s message and decrypts it with its public key, gets the
information about FACOCO and forwards the message to FACOCO over the secure
connection created between T-mobile and FACOCO.

5. FACOCO receives the message coming from T-mobile and calculates the hash value
(HV1) to verify that it is a courier who is trying to sign into the network. Once FACOCO
compares the hash value and verifies that it matches, it generates an ACK and a
Certificate of user (courier) X (defined in X.509). Additionally, FACOCO generates two
numbers (N2 and N3) that will be used to create session keys KS2 and KS3; KS2 will be used
between T-mobile and the courier, and KS3 will be used between FACOCO and the courier;
this last one is the session key.

6. T-mobile receives FACOCO’s message and calculates KS2. Then, with KS2, T-mobile
encrypts the courier ID, hash values HV1 and HV2, N3 and the certificate of user (courier)
and transmits it to the courier. Once the courier gets the message, they calculate KS2 and
decrypt the message coming from T-mobile. Additionally, the courier calculates KS3, which
is, as described above, the session key between FACOCO and the courier.

After these steps are finished a secure connection is established between courier and
FACOCO allowing them to exchange information securely.
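
The HV1 check of step 5 and the key derivations of steps 5 and 6, as an added example that is not part of the original report. The report gives no formulas for HV1, KS2 or KS3, so HMAC-SHA-256, the length-prefixed field encoding, the replay cache on N1 and the names `Facoco`, `make_hv1`, `derive_ks2` and `derive_ks3` are assumptions; the public-key wrapping of each message is left out.

```python
import hashlib
import hmac
import os
import struct


def encode_fields(*fields):
    """Length-prefix every field so ("ab", "c") and ("a", "bc") never hash alike."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def make_hv1(password, csr, n1, courier_id):
    """HV1 over the CSR, N1 and IDc, keyed with the shared password (assumed form)."""
    msg = encode_fields(b"HV1", csr, n1, courier_id)
    return hmac.new(password, msg, hashlib.sha256).digest()


def derive_ks2(ks1, n2):
    """KS2 (T-mobile <-> courier): needs KS1 from the courier and N2 from FACOCO."""
    return hmac.new(ks1, encode_fields(b"KS2", n2), hashlib.sha256).digest()


def derive_ks3(password, n1, n3):
    """KS3 (FACOCO <-> courier): keyed with the password, which T-mobile never holds."""
    return hmac.new(password, encode_fields(b"KS3", n1, n3), hashlib.sha256).digest()


class Facoco:
    """Headquarters side of step 5: verify HV1, then issue N2 and N3."""

    def __init__(self, passwords):
        self.passwords = passwords   # courier ID -> shared password
        self.seen = set()            # (courier ID, N1) pairs already accepted

    def handle_request(self, courier_id, csr, n1, hv1):
        password = self.passwords.get(courier_id)
        if password is None or (courier_id, n1) in self.seen:
            return None              # unknown courier, or a replayed request
        expected = make_hv1(password, csr, n1, courier_id)
        if not hmac.compare_digest(expected, hv1):
            return None              # wrong password or tampered fields
        self.seen.add((courier_id, n1))
        n2, n3 = os.urandom(16), os.urandom(16)
        return {"n2": n2, "n3": n3, "ks3": derive_ks3(password, n1, n3)}


def run_exchange():
    """Drive steps 3, 5 and 6 with constructed values and report each party's view."""
    password = b"Ride#2006"          # constructed sample password
    courier_id, csr = b"courier-017", b"constructed-CSR-bytes"
    hq = Facoco({courier_id: password})

    # Step 3: the courier picks KS1 and N1 and computes HV1.
    ks1, n1 = os.urandom(16), os.urandom(16)
    hv1 = make_hv1(password, csr, n1, courier_id)

    # Step 5: FACOCO recomputes HV1 and answers with N2 and N3.
    reply = hq.handle_request(courier_id, csr, n1, hv1)

    # A request built with a guessed password, and a replay of the first request.
    n1_forged = os.urandom(16)
    forged = make_hv1(b"guess", csr, n1_forged, courier_id)

    # Step 6: T-mobile (holding KS1 and N2) and the courier both derive KS2;
    # only the courier can go on to derive KS3.
    return {
        "tmobile_ks2": derive_ks2(ks1, reply["n2"]),
        "courier_ks2": derive_ks2(ks1, reply["n2"]),
        "courier_ks3": derive_ks3(password, n1, reply["n3"]),
        "facoco_ks3": reply["ks3"],
        "replay": hq.handle_request(courier_id, csr, n1, hv1),
        "forged": hq.handle_request(courier_id, csr, n1_forged, forged),
    }


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(name, value.hex() if value else value)
```
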

8 Mobile Network Solution through Mobile IPv6

8.1 Mobile IP

Mobile IP (RFC 2002), a standard proposed by a working group within the Internet
Engineering Task Force (IETF), allows the use of a single fixed IP address regardless of IP
subnet changes, and hence enables continuous reachability for mobile nodes. The
fixed IP address is called a Home Address, and the IP address acquired at each visited
network is called a Care-Of Address.

The mapping between the home address and the care-of address of a mobile node is
maintained at a special redirection server called a home agent. The home agent intercepts
packets on behalf of the mobile node and sends them to its care-of address when the
mobile node is away from its home network. Moreover, for a globally routable care-of
address, a special mobility agent, called a foreign agent, is deployed in this network as well.

8.2 IPv6

IPv6's flexibility and extensibility are made possible by extension headers and options in its
design. IPv6 includes many features for streamlining mobility support that are missing in IP
version 4 (current version), including Stateless Address Autoconfiguration and Neighbour
Discovery. IPv6 also attempts to drastically simplify the process of renumbering, which
could be critical to the future routability of the Internet.

Because the number of mobile computers accessing the Internet will likely increase,
efficient support for mobility will make a decisive difference in the Internet’s future
performance. This, along with the growing importance of the Internet and the Web,
indicates the need to pay attention to supporting mobility.

Although IPv6 supports mobility to a greater degree, it will still need Mobile IP to make
mobility transparent to applications and higher level protocols such as TCP.

8.3 Mobile IPv6

Mobile IPv6 is the deployment of both IPv6 and mobile networking. It is adopted for the
increased user convenience and the reduced need for application awareness of mobility.

Mobile IPv6 design and deployment combines both the availability of addresses supported
by Mobile IP and the extensibility provided by the IPv6 protocol. Therefore, a Mobile IPv6
node can use the mobility protocol wherever it can get simple IPv6 service.

For example, whenever the mobile node moves, it registers its new care-of address with its
home agent. When the home agent accepts the request, it begins to associate the
home address of the mobile node with the care-of address, and maintains this association
until the registration lifetime expires.

Mobile IPv6 protocol does not require or even define foreign agents. This leads to scalable
Internet-wide mobility management. Internet-wide IPv6 mobility management can be
provided by running a home agent anywhere on the Internet. Moreover, in Mobile IPv6,
IPv6 Internet access and mobility management can be provided by separate entities.
Hence, building and maintaining costly access networks is not a requirement for providing
IPv6 mobility service.

In Mobile IPv6, all IPv6 nodes are expected to implement strong authentication and
encryption to improve Internet security. This affords a major simplification for IPv6 mobility
support, since all authentication procedures can be assumed to exist when needed and
do not have to be specified in the Mobile IPv6 protocol.

Other features supported by IPv6 mobility include:

• Coexistence with Internet ingress filtering.
• Smooth handoffs.
• Renumbering of home networks.
• Automatic home agent discovery.


9 Conclusions

9.1 Advantages of this procedure

Integrity of the information is achieved by creating hash values HV1 and HV2. Only FACOCO
and its couriers can decrypt the information inside the hash values.

Every courier trusts FACOCO. Therefore, it is FACOCO which authenticates every
T-mobile hot spot.

This procedure makes minimal use of public keys because algorithms that use public
keys are much less efficient than shared key algorithms. Additionally, public key algorithms
take more resources (battery power and CPU processing). This is an important factor in
reducing overhead. In fact, because of the lower use of public key algorithms, the
overhead in the network is kept to a minimum.

The use of a certification authority allows every individual to get public keys from a
trusted site (Verisign in this design).

Attacks on servers are avoided since FACOCO and T-mobile use digital certificates provided
by Verisign.

Replay attacks are avoided because every message contains KS2, which is calculated with
knowledge of KS1 (created by courier).

Using Mobile IPv6, the system deals with handover. According to RFC 3775, there are two
types of handover: L2 and L3 handovers.

This procedure allows the use of several encryption algorithms. However, this design uses
triple-DES and RSA.

Another advantage is that Mobile IPv6 could be implemented easily over pre-existing IPv6
networks.

The use of IPsec as the security protocol allows the interchange of information in a secure way.

9.2 Disadvantages

There is one disadvantage in this solution, and it is DoS (Denial of Service). If an attacker
generates a lot of authentication requests, it would consume a lot of processing resources
in FACOCO and T-mobile. This is a weakness in this design.

There could be some problems related to the implementation of Mobile IPv6.


10 References

Hu W, Lee C and Kou W, 2005, Advances in Security and Payment Methods for Mobile
Commerce, Idea Group Publishing, Hershey.
Imai H, Rahman M and Kobara K, 2005, Wireless Communication Security, Artech House
universal personal communication series, Norwood.
Jennings A, 2006, EEET1246 - Advanced Computer Network Engineering – Lecture Notes, RMIT
University, School of Electrical and Computer Engineering, Melbourne.
Miller S, 2003, WiFi Security, McGraw-Hill Networking Professional, New York.
Mitchell C, 2004, Security for mobility, IEE Telecommunications Series 51, Bodmin.
Prasad A and Prasad N, 2005, 802.11 WLANs and IP Networking Security, QoS and
Mobility, Artech House mobile communications library, Boston.
Rodriguez A, Gatrell J, Karas J and Peschke R, 2001, TCP/IP Tutorial and Technical
Overview, ibm.com/redbooks.
Stevens W R, 2001, TCP/IP Illustrated, Volume 1, Addison-Wesley Professional
Computing Series, Indianapolis.
