IPv6/IPv4 Automatic Dual Authentication Technique for Campus Network




IPv6/IPv4 Automatic Dual Authentication Technique for Campus Network
S. Chitpinityon, S. Sanguanpong, K. Koht-Arsa, W. Pittayapitak, S. Erjongmanee and P. Watanapongse

Agenda
- Introduction
- Design and Implementation
- Result and Measurement
- Conclusion

Introduction
- Transition from IPv4 to IPv6 is inevitable
- Not a sudden replacement: the two will coexist for a long period of time
- IPv4 and IPv6 are incompatible protocols
  - NATs are needed in order to communicate
  - Or both protocols run in parallel

Introduction (cont.)
- Today's operating systems can handle both IPv4 and IPv6 simultaneously (dual-stack)
- A dual-stack client has two identities: an IPv4 address when it connects to an IPv4 server and an IPv6 address when it connects to an IPv6 server
- The OS or the client's software decides which IP family it will use; it might use IPv4 for some particular servers and IPv6 for others, and vice versa

Current Obstacles
- Requirement of double authentication for dual-stack users: once for IPv4 and again for IPv6
- Lack of a complete platform to support lawful, accounting, and security management
- A dual-stack-aware system and infrastructure is needed

Goals
- Provide a dual-stack network infrastructure
- Authentication mechanism:
  - Web captive portal with automatic IPv4 and IPv6 address binding
  - WPA based (no web authentication)
- Dual-stack traffic logging
- Systematic integration of dual-stack firewall, login, traffic log and quota management
- Accelerate the adoption of IPv6 for enterprise networks


Design and Implementation
- Implementation of software modules as the following components:
  - Login Servers
  - Parallel Firewalls with Lightweight Stateless HTTP Redirector (LSHR)
  - Session Manager
  - Traffic Logger
  - Quota Manager
- Deployment of the system using commercial-off-the-shelf (COTS) hardware

Design & Implementation: System components
[Figure: internal network and core router, 1. Login servers, 2. Parallel Firewall, 3. Session Manager, 4. Traffic Logger, 5. Quota Manager, gateway router, Internet]

Design & Implementation: System Components, 1) Login Server
- The authenticator: displays a login page and asks for the user's credentials
- Address discoveries and bindings are also performed by the login server

Design & Implementation: System Components, 2) Parallel Firewalls
- High-availability, highly scalable and stateful IPv4/IPv6 parallel firewalls
- Acting as redirector for unauthenticated clients: Lightweight Stateless HTTP Redirector (LSHR)

Design & Implementation: System Components: Parallel Firewalls
- Load balancer switch: a COTS Ethernet switch
- Distributes/aggregates packets by modifying the packet's VLAN tag
- Hash-based packet distribution
[Figure: load balancer switch in front of FW1, FW2, FW3, with a second load balancer switch behind them]
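The slide says only that the switch distributes packets by hash and VLAN tag. The point a practitioner needs to get right is that the hash must be direction-independent: the firewalls are stateful, so the reply half of a connection has to reach the same node as the request half. The following is an added Python example, not the deployment's code; the node count, VLAN numbers and the use of SHA-256 over a sorted 5-tuple are assumptions chosen for illustration.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed topology: three firewall nodes (FW1..FW3 on the slide), each
# reachable from the load-balancer switch through its own VLAN tag. The tag
# numbers are assumed values, not the deployment's.
FIREWALL_VLANS = {0: 101, 1: 102, 2: 103}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int  # IP protocol number: 6 = TCP, 17 = UDP


def flow_key(flow: Flow) -> bytes:
    """Direction-independent key for a 5-tuple.

    The (address, port) endpoints are sorted before hashing so that a packet
    and its reply produce the same key. A stateful firewall node must see both
    directions of a connection; if the reverse direction landed on another
    node, that node would have no state for it and would drop the flow.
    ipaddress.ip_address().packed handles IPv4 and IPv6 uniformly.
    """
    a = (ipaddress.ip_address(flow.src).packed, flow.sport)
    b = (ipaddress.ip_address(flow.dst).packed, flow.dport)
    lo, hi = sorted([a, b])
    return (lo[0] + lo[1].to_bytes(2, "big")
            + hi[0] + hi[1].to_bytes(2, "big")
            + bytes([flow.proto]))


def pick_firewall(flow: Flow, n_nodes: int = len(FIREWALL_VLANS)) -> int:
    """Index of the firewall node that owns this flow (0 .. n_nodes-1)."""
    digest = hashlib.sha256(flow_key(flow)).digest()
    return int.from_bytes(digest[:4], "big") % n_nodes


def vlan_for(flow: Flow) -> int:
    """VLAN tag the ingress switch would write to steer the frame to its node."""
    return FIREWALL_VLANS[pick_firewall(flow)]


def spread(flows) -> dict:
    """Per-node flow counts, useful to check how even the distribution is."""
    counts = {i: 0 for i in FIREWALL_VLANS}
    for f in flows:
        counts[pick_firewall(f)] += 1
    return counts


if __name__ == "__main__":
    fwd = Flow("10.1.2.3", "93.184.216.34", 51234, 443, 6)
    rev = Flow("93.184.216.34", "10.1.2.3", 443, 51234, 6)
    print(pick_firewall(fwd), pick_firewall(rev), vlan_for(fwd))
    sample = [Flow("10.0.0.1", f"10.0.1.{i % 250 + 1}", 1024 + i, 80, 6)
              for i in range(300)]
    print(spread(sample))
```

A real switch would use its own hardware hash; what carries over is the requirement that whatever fields it hashes are symmetric, or that the return path is steered explicitly to the node that holds the state.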

Design & Implementation: System Components: Parallel Firewalls, Lightweight Stateless HTTP Redirector (LSHR)
- Robust, low-latency, small footprint
- Immune to SYN-flood
[Figure: (a) a standard HTTP server answers in the application (HTTP) layer on top of the TCP/IP OS stack (transport, internet, data link); (b) the Lightweight Stateless HTTP Redirector answers each incoming frame directly, with no connection state]

Incoming packet                  Corresponding reply packet
SYN                              SYN + ACK
ACK, no payload                  (None)
ACK, HTTP request                ACK + FIN + HTTP redirect payload
ACK, unknown payload             (None)
ACK + FIN                        ACK
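The table above is the whole behaviour of the redirector: every reply is a function of the incoming segment alone. The following added Python example (not the paper's implementation, which works at the frame level) models that decision logic so the stateless property can be checked. The portal URL, the cookie secret and the choice of an HMAC-derived initial sequence number are assumptions; the sequence-number arithmetic is what makes "no connection table" work, since the client's own ack field tells the redirector which sequence number to continue from.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from urllib.parse import quote

LOGIN_URL = "https://login.example.edu/"          # assumed portal location
COOKIE_SECRET = b"constructed-secret-change-me"   # constructed; random per boot in practice

_REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) (\S+) HTTP/1\.[01]\r\n", re.I)
_HOST_HEADER = re.compile(rb"\r\nHost:[ \t]*([^\r\n]+)", re.I)


@dataclass(frozen=True)
class Segment:
    """The parts of a TCP segment the redirector looks at."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset
    seq: int
    ack: int = 0
    payload: bytes = b""


def initial_seq(seg: Segment) -> int:
    """Server ISN derived from the 4-tuple (SYN-cookie style).

    Nothing is stored when the SYN arrives, which is what makes the redirector
    indifferent to SYN floods: each SYN costs one keyed hash and no table entry.
    """
    msg = f"{seg.src}|{seg.sport}|{seg.dst}|{seg.dport}".encode()
    return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:4], "big")


def redirect_payload(request: bytes):
    """302 response pointing at the portal, or None if this is not an HTTP request."""
    line = _REQUEST_LINE.match(request)
    host = _HOST_HEADER.search(request)
    if not line or not host:
        return None
    original = b"http://" + host.group(1).strip() + line.group(2)
    # The original URL is percent-encoded into a query parameter rather than
    # spliced into the Location header, so a crafted Host cannot inject headers.
    location = LOGIN_URL + "?url=" + quote(original.decode("latin-1"), safe="")
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            "Content-Length: 0\r\nConnection: close\r\n\r\n").encode()


def _reply(seg: Segment, flags, seq, ack, payload=b"") -> Segment:
    return Segment(seg.dst, seg.src, seg.dport, seg.sport, frozenset(flags), seq, ack, payload)


def lshr_reply(seg: Segment):
    """Reply for one incoming segment, computed from that segment alone.

    The reply's seq is the client's ack (it acknowledged our cookie ISN) and the
    reply's ack is the client's seq plus the bytes it sent, so no per-connection
    state is ever consulted.
    """
    f = seg.flags
    if "RST" in f:
        return None
    if "SYN" in f and "ACK" not in f:                     # row 1: SYN -> SYN+ACK
        return _reply(seg, {"SYN", "ACK"}, initial_seq(seg), seg.seq + 1)
    if "FIN" in f:                                        # row 5: ACK+FIN -> ACK
        return _reply(seg, {"ACK"}, seg.ack, seg.seq + len(seg.payload) + 1)
    if not seg.payload:                                   # row 2: bare ACK -> nothing
        return None
    body = redirect_payload(seg.payload)
    if body is None:                                      # row 4: unknown payload -> nothing
        return None
    # row 3: HTTP request -> ACK+FIN carrying the redirect
    return _reply(seg, {"ACK", "FIN"}, seg.ack, seg.seq + len(seg.payload), body)


if __name__ == "__main__":
    syn = Segment("10.0.0.5", "192.0.2.80", 40000, 80, frozenset({"SYN"}), seq=1000)
    sa = lshr_reply(syn)
    req = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    data = Segment("10.0.0.5", "192.0.2.80", 40000, 80, frozenset({"ACK"}),
                   seq=1001, ack=sa.seq + 1, payload=req)
    print(lshr_reply(data).payload.decode())
```

Because the redirector trusts the ack field it receives, a non-HTTP client that sends garbage simply gets no answer (row 4), and a half-open handshake leaves nothing behind to time out.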

Design & Implementation: System Components, 3) Session Manager
- Keeps track of all active users' sessions
- IPv4 and IPv6 addresses from the same session are bundled together as a single entry
- Automatic time-out for inactive sessions

Design & Implementation: System Components, Session Manager in Action
[Figure: message sequence between the client, the parallel firewall with LSHR, the login server and the session manager]
1. HTTP request (client to LSHR)
2. Redirected message (LSHR to client)
3. Request login page (client to login server)
4. Login page (login server to client)
5. User's credential (client to login server)
6. Session's login information (login server to session manager)
7. Firewall control (session manager to parallel firewall)

Design & Implementation: System Components, 4) Traffic Logger
- Records user activity for security and legal purposes
- Web log: request date/time, client IP address, server IP address, client port, server port, URL requested, and URL referrer
- Per-packet log: date/time, src IP, dst IP, packet size (bytes), protocol version (4 or 6), protocol type (TCP, UDP, etc.), src port (for TCP/UDP), dst port (for TCP/UDP), and flags (for TCP)

Design & Implementation: System Components, 5) Quota Manager
- Individual user's bandwidth accounting
- Adopts the token bucket algorithm
- Filling rate and bucket size are adjustable individually or per group
- Rate limit per user (all current sessions)
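The slide names three properties of the quota manager: token bucket, per-user or per-group fill rate and bucket size, and one limit shared by all of a user's sessions. The following added Python example (not the paper's code) implements exactly those three properties with an explicit clock argument so the behaviour can be checked deterministically. Policy values are constructed; rates are in bytes per second.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Policy:
    fill_rate: float    # tokens (bytes) added to the bucket per second
    bucket_size: float  # maximum tokens the bucket holds, i.e. the allowed burst


class TokenBucket:
    def __init__(self, policy: Policy, now: float):
        self.policy = policy
        self.tokens = policy.bucket_size   # start full so the first burst is admitted
        self.updated = now

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.policy.bucket_size,
                          self.tokens + elapsed * self.policy.fill_rate)
        self.updated = now

    def admit(self, nbytes: int, now: float) -> bool:
        """Spend nbytes tokens if available; otherwise refuse without spending."""
        self._refill(now)
        if nbytes <= self.tokens:
            self.tokens -= nbytes
            return True
        return False


class QuotaManager:
    """One bucket per user, shared by every session that user currently has."""

    def __init__(self, default: Policy):
        self.default = default
        self.group_policy: Dict[str, Policy] = {}    # group -> Policy
        self.user_policy: Dict[str, Policy] = {}     # user -> Policy (overrides group)
        self.user_group: Dict[str, str] = {}         # user -> group
        self.buckets: Dict[str, TokenBucket] = {}    # user -> bucket
        self.sessions: Dict[str, Set[str]] = {}      # user -> session ids seen

    def set_group_policy(self, group: str, policy: Policy) -> None:
        self.group_policy[group] = policy

    def set_user_policy(self, user: str, policy: Policy) -> None:
        self.user_policy[user] = policy

    def assign_group(self, user: str, group: str) -> None:
        self.user_group[user] = group

    def policy_for(self, user: str) -> Policy:
        """Individual setting wins over group setting, which wins over the default."""
        if user in self.user_policy:
            return self.user_policy[user]
        group: Optional[str] = self.user_group.get(user)
        return self.group_policy.get(group, self.default) if group else self.default

    def admit(self, user: str, session_id: str, nbytes: int, now: float) -> bool:
        """Decide whether nbytes from one of the user's sessions fits the user's quota.

        The bucket is keyed by user, not by session or by address, which is what
        gives the slide's 'rate limit per user (all current sessions)': a second
        login over IPv6 draws from the same tokens as the first over IPv4.
        """
        self.sessions.setdefault(user, set()).add(session_id)
        bucket = self.buckets.get(user)
        if bucket is None:
            bucket = self.buckets[user] = TokenBucket(self.policy_for(user), now)
        return bucket.admit(nbytes, now)

    def sessions_of(self, user: str) -> Set[str]:
        return set(self.sessions.get(user, set()))


if __name__ == "__main__":
    qm = QuotaManager(Policy(fill_rate=1000, bucket_size=4000))
    print(qm.admit("alice", "ipv4-session", 4000, now=0.0))   # burst admitted
    print(qm.admit("alice", "ipv6-session", 1, now=0.0))      # shared bucket is empty
    print(qm.admit("alice", "ipv6-session", 2000, now=2.0))   # 2 s of refill
```

Changing a policy after a bucket exists would take effect only on the next bucket creation in this version; a production manager would re-read the policy on each refill or rebuild the bucket when an administrator changes the setting.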

Design & Implementation: Address discoveries and binding technique
Address Discoveries and Binding: embedded images in the login page

    :
    <td>
      <img src="https://login9-v4.ku.ac.th/v4.php?hash=f1f2464d5532">
      <img src="https://login9-v6.ku.ac.th/v6.php?hash=f1f2464d5532">
    </td>
    :

Design & Implementation: Address discoveries and binding technique
Address Binding: client addresses are bound using the hash code f1f2464d5532
- The client's IPv4 stack sends an IPv4 request to loginx-v4 carrying f1f2464d5532
- The client's IPv6 stack sends an IPv6 request to loginx-v6 carrying f1f2464d5532
- loginx matches the two requests by hash code and binds both addresses to the session
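The binding technique on the last two slides and the session-manager slide before them describe one mechanism: a login page carries two image URLs with the same hash, each is fetched over a different IP family, and the session manager bundles both source addresses into one entry that expires when idle. The following added Python example (not the paper's login server or session manager) implements that mechanism end to end. The hostnames, the hash lifetime, the idle time-out and the checks that a hit must arrive over the family its endpoint serves and that each family binds only once are assumptions chosen so the failure modes are explicit.

```python
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed deployment parameters (not from the paper)
V4_HOST = "loginx-v4.example.edu"
V6_HOST = "loginx-v6.example.edu"
HASH_TTL = 120.0        # seconds the hash in a login page remains bindable
IDLE_TIMEOUT = 1800.0   # inactive-session time-out


@dataclass
class Session:
    username: str
    issued_at: float
    last_seen: float
    ipv4: Optional[str] = None
    ipv6: Optional[str] = None


class SessionManager:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}   # hash -> bundled entry
        self._by_addr: Dict[str, str] = {}        # address -> hash

    def issue_hash(self, username: str, now: float) -> str:
        """Create a session entry keyed by a fresh, unguessable hash."""
        h = secrets.token_hex(6)   # 12 hex chars, the same shape as f1f2464d5532 on the slide
        self._sessions[h] = Session(username, now, now)
        return h

    def login_page(self, h: str) -> str:
        """The fragment the login server embeds; the browser fetches one URL per family."""
        return ("<td>\n"
                f'  <img src="https://{V4_HOST}/v4.php?hash={h}">\n'
                f'  <img src="https://{V6_HOST}/v6.php?hash={h}">\n'
                "</td>")

    def record_hit(self, h: str, family: int, remote_addr: str, now: float) -> bool:
        """Bind remote_addr to the session; called by v4.php (family=4) or v6.php (family=6)."""
        s = self._sessions.get(h)
        if s is None or now - s.issued_at > HASH_TTL:
            return False                      # unknown or stale hash
        try:
            addr = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False
        if addr.version != family:
            return False                      # e.g. v6.php reached over IPv4 through a proxy
        if family == 4:
            if s.ipv4 is not None:
                return False                  # each family binds once per hash
            s.ipv4 = str(addr)
        else:
            if s.ipv6 is not None:
                return False
            s.ipv6 = str(addr)
        # One address maps to one entry here; behind a NAT several users may
        # share an IPv4 address, which the real system has to disambiguate.
        self._by_addr[str(addr)] = h
        s.last_seen = now
        return True

    def session_for(self, remote_addr: str, now: float) -> Optional[Session]:
        """Lookup used for firewall control; returns the bundled entry or None if idle-expired."""
        h = self._by_addr.get(str(ipaddress.ip_address(remote_addr)))
        if h is None:
            return None
        s = self._sessions[h]
        if now - s.last_seen > IDLE_TIMEOUT:
            self._drop(h)
            return None
        return s

    def touch(self, remote_addr: str, now: float) -> bool:
        """Record activity on either address; both addresses stay alive together."""
        s = self.session_for(remote_addr, now)
        if s is not None:
            s.last_seen = now
        return s is not None

    def _drop(self, h: str) -> None:
        s = self._sessions.pop(h)
        for a in (s.ipv4, s.ipv6):
            if a:
                self._by_addr.pop(a, None)
```

A client with no IPv6 connectivity simply never hits v6.php, so the entry keeps a single IPv4 address; the hash lifetime bounds how long a late second hit can still attach to that entry.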


Result and Measurement: Testbed
- Kasetsart University campus network
- Commercial-grade, dual-stack routers and switches in the campus backbone
- Parallel firewall: 8 nodes, each with 2.4 GHz dual-core Xeon X5270 CPUs, 4 GB RAM and 4 Gigabit Ethernet interfaces, running Linux 2.6.29.1 with Netfilter and iptables

Result and Measurement: Test Environment
- Data collected from November 1, 2014 to January 31, 2015
- 88,000 authentication sessions per day
- 100,000+ user accounts (66,000+ students and 34,000+ faculty and staff from 4 campuses and 20 research centers)
- 25,650 unique users per day, on average

Result and Measurement: Login statistics

Login statistics                          Quantity
Number of IPv4/IPv6 login requests        6,218,911
Number of IPv6 login requests             1,053,019 (~16.9%)
Number of unique usernames                   77,498
Number of unique IPv4 addresses              33,862
Number of unique IPv6 addresses             898,295
Number of unique IPv4 NAT                    45,906

Result and Measurement: IPv6 HTTP request statistics

IPv6 HTTP request statistics              Quantity
Number of URL requests                    127,531,311
Number of unique host names                   216,122
Number of unique domain names                  18,488
Number of unique Thai host names                1,310 (~0.06%)
Number of unique Thai domain names                119 (~0.64%)

Result and Measurement: Top 10 domains

Rank  Domain                  # Requests   %
1     youtube.com             15,026,017   11.78%
2     googlevideo.com         14,108,829   11.06%
3     google-analytics.com     9,179,113    7.20%
4     google.com               9,167,368    7.19%
5     googlesyndication.com    8,450,931    6.63%
6     windowsupdate.com        7,744,331    6.07%
7     ytimg.com                7,194,367    5.64%
8     doubleclick.net          6,445,956    5.05%
9     instagram.com            6,433,370    5.04%
10    gstatic.com              4,440,211    3.48%

Result and Measurement: Unique users logging in with IPv6
- 41% of users never log in with IPv6
- 57% of users occasionally log in with IPv6
- 2% of users always use IPv6

Result and Measurement: Unique IPv4 addresses with IPv6 binding
- 38% of IPv4 addresses are never bound with an IPv6 address
- 55% of IPv4 addresses are occasionally bound with an IPv6 address
- 7% of IPv4 addresses are always bound with an IPv6 address

Next Plan
- Dual-stack service on eduroam (on testing)
- Software release for the community to promote IPv6 in Thailand:
  - Transparent auto address discovery system
  - Firewall integration module: currently supports Linux iptables; development of a middleware plugin for other firewalls such as IPFW
  - IPv4/IPv6 logging


Conclusion
- We proposed a dual-stack network infrastructure that fully supports both IPv4 and IPv6
- The system supports dual-stack authentication, traffic logging, and quota-based usage control
- We implemented and deployed the system in a large-scale campus network with 25,000+ concurrent user logins

Q&A