ebook img

Security in broadband satellite systems for the aeronautical and other scenarios PDF

143 Pages·2012·4.28 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Security in broadband satellite systems for the aeronautical and other scenarios

Security in broadband satellite systems for the aeronautical and other scenarios Double-diplôme Ingénieur SUPAERO (ISAE) – Enginyeria de telecomunicacions (UPC) Projet de fin d’études (Master Thesis Report) by Dirk Gómez Depoorter SUPAERO supervisor: José Radzik TriaGnoSys supervisor: Eriza Hafid Fazli 2011 Munich, Germany 1 Table of Contents TABLE OF CONTENTS ........................................................................................................................................ 2 LIST OF TABLES ................................................................................................................................................. 6 LIST OF FIGURES ............................................................................................................................................... 7 ABBREVIATIONS ............................................................................................................................................... 9 1 INTRODUCTION ..................................................................................................................................... 10 2 THE ESA REQUEST .................................................................................................................................. 11 2.1 THE PROJECT ..................................................................................................................................... 11 2.2 OBJECTIVES ....................................................................................................................................... 11 2.3 PROJECT ORGANISATION ....................................................................................................................... 11 2.3.1 Task 1 ........................................................................................................................................ 11 2.3.2 Task 2 ........................................................................................................................................ 12 2.3.3 Task 3 ........................................................................................................................................ 12 2.3.4 Task 4 ........................................................................................................................................ 12 3 CONCEPTS .............................................................................................................................................. 13 3.1 SATELLITE LINKS .................................................................................................................................. 13 3.1.1 Long delay ................................................................................................................................. 13 3.1.2 Bandwidth-Delay Product ........................................................................................................... 14 3.1.3 High Bit Error Rate (BER) ............................................................................................................ 14 3.2 TRANSMISSION CONTROL PROTOCOL (TCP) .............................................................................................. 14 3.2.1 The TCP header .......................................................................................................................... 15 3.2.2 Segment transmission ................................................................................................................ 17 3.2.3 Flow control: The receive window ............................................................................................... 19 3.2.4 TCP congestion avoidance mechanisms ...................................................................................... 20 3.3 INTERNET PROTOCOL (IP) ..................................................................................................................... 26 3.3.1 Functions ................................................................................................................................... 26 3.3.2 IP versions .................................................................................................................................. 26 3.3.3 IP header ................................................................................................................................... 26 3.3.4 IP addressing ............................................................................................................................. 30 3.3.5 IP Fragmentation ....................................................................................................................... 31 3.3.6 IP NAT ........................................................................................................................................ 31 3.4 DIFFERENTIATED SERVICES FIELD AND CLASSES ............................................................................................ 31 3.5 VPN TECHNOLOGIES ........................................................................................................................... 33 3.5.1 Internet Protocol Security (IPsec) ................................................................................................ 33 3.5.2 High Assurance Internet Protocol Encryptor (HAIPE) ................................................................... 35 3.5.3 SSL/TLS/HTTPS ........................................................................................................................... 36 4 TECHNICAL ISSUES ................................................................................................................................. 37 4.1 WORDING......................................................................................................................................... 37 4.2 PROTOCOL ENHANCING PROXIES (PEP) & ENHANCED PROTOCOLS ................................................................. 37 4.2.1 Definition ................................................................................................................................... 37 4.2.2 Placement related to VPNs ......................................................................................................... 37 4.2.3 Bandwidth delay product ........................................................................................................... 39 4.2.4 TCP slow start ............................................................................................................................ 40 4.2.5 Continuous acknowledgements .................................................................................................. 40 4.2.6 Frequently revised content ......................................................................................................... 41 4.2.7 Redundancy ............................................................................................................................... 41 4.3 IP FRAGMENTATION ............................................................................................................................ 41 4.3.1 Fragmentation ........................................................................................................................... 41 4.3.2 VPN issue ................................................................................................................................... 42 4.4 OVERHEAD BANDWIDTH CONSUMPTION ................................................................................................... 42 2 4.5 ISSUES WITH THE IPSEC ANTI-REPLAY SYSTEM ............................................................................................. 44 4.6 MULTICAST ....................................................................................................................................... 44 4.7 MOBILITY ......................................................................................................................................... 44 4.8 QOS ENFORCEMENT ............................................................................................................................ 45 4.9 NETWORK ADDRESS TRANSLATION .......................................................................................................... 45 5 REFERENCE SCENARIOS .......................................................................................................................... 46 5.1 DEFINITION OF THE SCENARIOS ............................................................................................................... 46 5.2 PUBLIC SAFETY COMMUNICATIONS .......................................................................................................... 46 5.2.1 Scenario description ................................................................................................................... 46 5.2.2 Types of communications ........................................................................................................... 47 5.2.3 Security choices .......................................................................................................................... 48 5.2.4 VPN issues ................................................................................................................................. 48 5.3 ISP SCENARIO .................................................................................................................................... 50 5.3.1 Scenario description ................................................................................................................... 50 5.3.2 Types of communications ........................................................................................................... 50 5.3.3 Security choices .......................................................................................................................... 50 5.3.4 VPN issues ................................................................................................................................. 51 5.4 AEROPLANE SCENARIO ......................................................................................................................... 52 5.4.1 Scenario description ................................................................................................................... 52 5.4.2 Types of communications ........................................................................................................... 52 5.4.3 Security choices .......................................................................................................................... 53 5.4.4 VPN issues ................................................................................................................................. 53 5.5 CONSUMER SCENARIO .......................................................................................................................... 54 5.5.1 Scenario description ................................................................................................................... 54 5.5.2 Types of communications ........................................................................................................... 55 5.5.3 Security choices .......................................................................................................................... 55 5.5.4 VPN issues ................................................................................................................................. 55 6 TECHNICAL SOLUTIONS .......................................................................................................................... 57 6.1 PEP ISSUE ......................................................................................................................................... 57 6.1.1 Position of the PEP ..................................................................................................................... 57 6.1.2 PEP solutions.............................................................................................................................. 57 6.1.3 Choice of VPN depending on the PEPs ......................................................................................... 58 6.1.4 Other VPN solutions that support the use of PEPs and enhanced protocols.................................. 58 6.2 IP FRAGMENTATION ............................................................................................................................ 58 6.2.1 Adapting the path ...................................................................................................................... 58 6.2.2 Adapting to the path .................................................................................................................. 58 6.3 OVERHEAD ........................................................................................................................................ 61 6.3.1 Overview of the solution ............................................................................................................. 61 6.3.2 RObust Header Compression (ROHC) .......................................................................................... 62 6.3.3 ROHCv2 ..................................................................................................................................... 63 6.3.4 ROHC, ROHCv2 and ROHCoIPsec ................................................................................................. 64 6.4 IPSEC ANTI-REPLAY ISSUE ...................................................................................................................... 64 6.4.1 Disabling the protection ............................................................................................................. 64 6.4.2 Increasing the window size ......................................................................................................... 64 6.4.3 Multiple SA ................................................................................................................................ 64 6.4.4 Shutting down QoS..................................................................................................................... 64 6.5 MULTICAST ....................................................................................................................................... 64 6.6 MOBILITY ISSUE .................................................................................................................................. 65 6.6.1 IPsec and mobility ...................................................................................................................... 65 6.6.2 Mobile IP ................................................................................................................................... 65 6.6.3 NEtwork MObility (NEMO) ......................................................................................................... 67 6.6.4 IKEv2 Mobility and Multihoming Protocol (MOBIKE) ................................................................... 67 6.6.5 Comparison between Mobile IP and MOBIKE .............................................................................. 67 6.7 QOS ENFORCEMENT ............................................................................................................................ 67 6.8 NETWORK ADDRESS PORT TRANSLATION (NAPT) ISSUE ............................................................................... 68 6.9 TECHNICAL SOLUTIONS FOR THE AERONAUTICAL SCENARIO............................................................................ 69 3 6.9.1 PEP issue .................................................................................................................................... 69 6.9.2 IP fragmentation ........................................................................................................................ 69 6.9.3 Overhead ................................................................................................................................... 70 6.9.4 IPsec anti-replay issue ................................................................................................................ 70 6.9.5 Mobility ..................................................................................................................................... 70 6.9.6 Quality of service ....................................................................................................................... 70 6.9.7 NAT ........................................................................................................................................... 71 7 TESTBED DESIGN .................................................................................................................................... 72 7.1 AERONAUTICAL SCENARIO TESTBED DESCRIPTION ........................................................................................ 72 7.2 NODE FUNCTIONALITIES AND SOFTWARE ................................................................................................... 74 7.3 AERONAUTICAL SCENARIO TESTBED ADDRESSING SCHEME .............................................................................. 74 7.4 IMPLEMENTATION ISSUES ...................................................................................................................... 81 7.4.1 APC IPsec GW and PEP ............................................................................................................... 81 7.4.2 Bridging ROHC ........................................................................................................................... 83 7.4.3 Policy routing using the original packet ...................................................................................... 84 8 BUILDING THE TESTBED ......................................................................................................................... 87 8.1 VIRTUALISATION ................................................................................................................................. 87 8.2 THE MASTER MACHINE ......................................................................................................................... 87 8.3 SETTING UP AND TESTING THE TESTBED ..................................................................................................... 87 9 CONCLUSIONS........................................................................................................................................ 90 1 SOFTWARE EXPLORATION ..................................................................................................................... 92 1.1 IPTABLES........................................................................................................................................... 92 1.1.1 Introduction ............................................................................................................................... 92 1.1.2 Packet traversal through the Linux kernel ................................................................................... 92 1.1.3 Iptables matches and targets ..................................................................................................... 94 1.1.4 IPv4 testing ................................................................................................................................ 96 1.1.5 IPv6 testing ................................................................................................................................ 97 1.2 IPROUTE2 ......................................................................................................................................... 98 1.3 IP ................................................................................................................................................... 98 1.3.1 Introduction ............................................................................................................................... 98 1.3.2 IP link ......................................................................................................................................... 98 1.3.3 IP addresses ............................................................................................................................... 99 1.3.4 IP route ...................................................................................................................................... 99 1.3.5 IP rule ........................................................................................................................................ 99 1.3.6 IP tunnel .................................................................................................................................. 100 1.3.7 Example ................................................................................................................................... 100 1.3.8 Example with iptables .............................................................................................................. 101 1.4 TC ................................................................................................................................................ 101 1.4.1 Introduction ............................................................................................................................. 101 1.4.2 Packet tagging ......................................................................................................................... 101 1.4.3 PHB definition .......................................................................................................................... 103 1.4.4 Queueing discipline family ........................................................................................................ 103 1.4.5 Creating the queueing disciplines and classes ........................................................................... 105 1.4.6 Packet distribution into the queues........................................................................................... 107 1.4.7 (p or b) fifo ............................................................................................................................... 107 1.4.8 Token Bucket Filter (tbf) ........................................................................................................... 107 1.4.9 Stochastic Fairness Queuing (sfq) ............................................................................................. 108 1.4.10 PRIO .................................................................................................................................... 109 1.4.11 Hierarchical Token Bucket (htb) ............................................................................................ 109 1.4.12 Netem ................................................................................................................................. 110 1.5 IP FRAGMENTATION .......................................................................................................................... 111 1.5.1 Software .................................................................................................................................. 111 1.5.2 PMTUD installation .................................................................................................................. 111 1.5.3 PLPMTUD installation .............................................................................................................. 111 4 1.6 HEADER COMPRESSION (ROHC) .......................................................................................................... 111 1.6.1 Software .................................................................................................................................. 111 1.6.2 Installation ............................................................................................................................... 111 1.6.3 Testing ..................................................................................................................................... 112 1.7 MOBILITY ....................................................................................................................................... 113 1.7.1 Software .................................................................................................................................. 113 1.7.2 Tests ........................................................................................................................................ 113 1.7.3 Mobile IP and DSCP .................................................................................................................. 119 1.7.4 Mobile IP and handovers .......................................................................................................... 119 1.8 IPSEC (STRONGSWAN) ....................................................................................................................... 120 1.8.1 Introduction ............................................................................................................................. 120 1.8.2 Installation ............................................................................................................................... 120 1.8.3 Newsky testbed ........................................................................................................................ 121 1.8.4 Configuration ........................................................................................................................... 121 1.8.5 IPv4-in-IPv6Tunnel test ............................................................................................................. 123 1.8.6 IPv6-in-IPv6 configuration ........................................................................................................ 125 1.8.7 IPv4 in IPv4 configuration ......................................................................................................... 126 1.8.8 Authentication & Encryption .................................................................................................... 127 1.8.9 DSCP / TOS test ........................................................................................................................ 127 1.8.10 IPv6 fragmentation test (IPv4 in IPv6) ................................................................................... 128 1.8.11 IPv6 fragmentation test (IPv6 in IPv6) ................................................................................... 132 1.8.12 IPv6 announced MTU ........................................................................................................... 136 1.9 SANDRA TESTBED.............................................................................................................................. 137 1.10 DON’T FRAGMENT BIT MANIPULATION ................................................................................................... 138 1.10.1 Test1 ................................................................................................................................... 139 1.10.2 Test2 ................................................................................................................................... 139 1.10.3 Test3 ................................................................................................................................... 139 1.10.4 Test4 ................................................................................................................................... 140 1.10.5 Test5 ................................................................................................................................... 140 1.10.6 Test6 ................................................................................................................................... 140 1.10.7 Test7 ................................................................................................................................... 141 1.11 MODIFYING THE TCP STACK OF LINUX .................................................................................................... 141 2 REFERENCES ......................................................................................................................................... 143 5 List of Tables Table 1: TCP header fields ............................................................................................................................... 17 Table 2: IPv4 header fields .............................................................................................................................. 28 Table 3: Differentiated Services classes and values .......................................................................................... 32 Table 4: Security overhead for different VPNs ................................................................................................. 43 Table 5: Node functionalities and software ..................................................................................................... 74 Table 6: Testbed test plan ............................................................................................................................... 89 Table 7: IP commands ..................................................................................................................................... 98 Table 8: IP tunnel types ................................................................................................................................. 100 Table 9: Packet tagging using iptables ........................................................................................................... 102 Table 10: Netfilter DSCP target ...................................................................................................................... 102 Table 11: pfifo / bfifo qdisc parameters ......................................................................................................... 107 Table 12: tbf qdisc parameters ...................................................................................................................... 108 Table 13: sfq qdisc parameters ...................................................................................................................... 108 Table 14: PRIO qdisc parameters ................................................................................................................... 109 Table 15: htb qdisc parameters ..................................................................................................................... 109 Table 16: htb class parameters ...................................................................................................................... 110 Table 17: netem qdisc parameters ................................................................................................................ 110 Table 18: ROHC example (packet sizes) ......................................................................................................... 112 Table 19: ROHC example (packet sizes) ......................................................................................................... 113 Table 20: IP addresses of the packets in mobility test 1 ................................................................................. 119 Table 21: IP addresses of the packets in mobility test 2 ................................................................................. 119 Table 22: Correspondance between TOS field and DSCP value ....................................................................... 127 Table 23: Transmitted data per packet for a 1400 data ping into an IPsec ESP IPv4 in IPv6 tunnel .................. 131 Table 24: Packet size for the IPv6 fragmentation test .................................................................................... 132 Table 25: Packet sequence for test 1 of the fragmentation header after IPv6 fragmentation.......................... 136 Table 26: Packet sequence for test 2 of the fragmentation header after IPv6 fragmentation.......................... 136 Table 27: Addresses of the IP tunnel and ROHC interfaces in the SANDRA testbed tests ................................ 138 Table 28: Window scaling parameters and commands .................................................................................. 142 Table 29: Enable/disable SACK commands .................................................................................................... 142 Table 30: TCP congestion control algorithm commands ................................................................................. 142 6 List of Figures Figure 1: TCP header ....................................................................................................................................... 16 Figure 2: TCP acknowledgment example ......................................................................................................... 18 Figure 3: TCP retransmission example ............................................................................................................. 19 Figure 4: TCP Tahoe congestion avoidance algorithm ...................................................................................... 21 Figure 5: TCP Reno congestion avoidance algorithm ........................................................................................ 22 Figure 6: Standard TCP simulation for different RTT values .............................................................................. 23 Figure 7: TCP Hybla simulation for different RTT values ................................................................................... 23 Figure 8: Sketch of the TCP CUBIC window growth function............................................................................. 24 Figure 9: IPv4 header structure ....................................................................................................................... 27 Figure 10: IPv6 header structure ..................................................................................................................... 29 Figure 11: IPv6 header fields ........................................................................................................................... 30 Figure 12: IPsec transport mode packet........................................................................................................... 33 Figure 13: IPsec tunnel mode packet ............................................................................................................... 33 Figure 14: IPsec AH security header fields ....................................................................................................... 34 Figure 15: IPsec ESP packet structure .............................................................................................................. 34 Figure 16: IPsec anti-reply window .................................................................................................................. 35 Figure 17: TLS packet layer structure ............................................................................................................... 36 Figure 18: PEP implementation outside the VPN channel and use of enhanced protocols (Control case 1) ....... 38 Figure 19: Viability of placing the PEP inside the VPN channel depending on the VPN (Control case 2) ............. 38 Figure 20: PEP placement in control case 3 ...................................................................................................... 38 Figure 25: Public safety scenario network setup [Report] ................................................................................ 47 Figure 26: ISP scenarios network setup [Report] .............................................................................................. 50 Figure 27: Aeroplane scenario ......................................................................................................................... 52 Figure 28: Consumer scenario ......................................................................................................................... 55 Figure 29: ROHC decompressor flow chart ...................................................................................................... 63 Figure 30: Mobile IP data exchange ................................................................................................................. 66 Figure 31: The aeronautical scenario testbed architecture ............................................................................... 72 Figure 32: The two different satellite link paths in the testbed......................................................................... 73 Figure 33: Link layer addressing and bridging of the testbed nodes.................................................................. 76 Figure 34: Internet Protocol addressing of the testbed nodes .......................................................................... 77 Figure 35: Testbed addresses and bridges ....................................................................................................... 80 Figure 36: Ground APC IPsec gateway ............................................................................................................. 82 Figure 37: Satellite terminal internal bridge positions ...................................................................................... 84 Figure 38: Iptables routing chains .................................................................................................................... 93 Figure 39: Fictional network for the iptables example ..................................................................................... 95 Figure 40: iptables test, default priority ........................................................................................................... 96 7 Figure 41: iptables test, Expedited Forwarding priority .................................................................................... 97 Figure 42: iptables test, Assured Forwarding 11 priority .................................................................................. 97 Figure 43: ip6tables test, Expedited Forwarding priority .................................................................................. 98 Figure 44: ip6tables test, Assured Forwarding 11 priority ................................................................................ 98 Figure 45: Queueing discipline family example .............................................................................................. 104 Figure 46: Queueing disciplines and classes numeration ................................................................................ 105 Figure 47: qdisc/class parameters ................................................................................................................. 106 Figure 48: TC bandwidth units syntax ............................................................................................................ 106 Figure 49: TC data size units syntax ............................................................................................................... 106 Figure 50: TC time units syntax...................................................................................................................... 107 Figure 51: Wireshark capture of the ROHC example ping packets. Highlighted is the size of the first ping request plus the two encapsulation bytes (85 + 2 = 87bytes). ..................................................................................... 113 Figure 52: Newsky testbed machine and node configuration ......................................................................... 116 Figure 53: First mobility test .......................................................................................................................... 117 Figure 54: Second mobility test ..................................................................................................................... 118 Figure 55: Mobile IP network ........................................................................................................................ 120 Figure 56: Test configuration for Strongswan ................................................................................................ 121 Figure 57: Ping packet through the netfilter processing at the remote gateway ............................................. 124 Figure 58: QoS test capture in AR1 using IPv4 ................................................................................................ 128 Figure 59: Large echo request from 192.168.3.2 to 192.168.2.2 (capture on AR1 dev eth1) ........................... 129 Figure 60: First fragment of the encapsulated packet from 192.168.3.2 to 192.168.2.2 (capture on main dev eth2)............................................................................................................................................................. 129 Figure 61: Second fragment of the encapsulated packet from 192.168.3.2 to 192.168.2.2 (capture on main dev eth2)............................................................................................................................................................. 130 Figure 62: Reassembled "Echo request" packets in test1 dev eth1 ................................................................. 131 Figure 63: Fragmentation in IPv4-in-IPv6 tunnel when DF bit is SET (capture at AR1 dev eth1). ...................... 131 Figure 64: IPv6 fragmentation behaviour....................................................................................................... 133 Figure 65: IPv6 fragmentation behaviour in Linux .......................................................................................... 135 Figure 66: MTU advertised in the "Datagram Too Big" with ESP null encryption, SHA1 authentication ........... 137 Figure 67: SANDRA testbed as used for IPsec and ROHC testing ..................................................................... 137 8 Abbreviations ACK – Acknowledgement (signal) AH – Authentication Header BDP – Bandwidth Delay Product BER – Bit Error Rate CoA – Care of Address DSCP – Differentiated Services Code Point ESP – Encapsulated Security Payload GW – Gateway HA – Home Agent HTTPS – HyperText Transfer Protocol Secure ICMP – Internet Control Message Protocol IKE – Internet Key Exchange protocol IKEv2– Internet Key Exchange protocol version 2 IPSec – Internet Protocol Security IPv4 – Internet Protocol version Four IPv6 – Internet Protocol version Six MCoA – Multiple Care of Address MR – Mobile Router MTU – Maximum Transmission Unit PEP – Protocol Enhancing Proxy PMTU – Path Maximum Transmission Unit PMTUD – PMTU discovery QoS – Quality of Service RTT – Round Trip Time SSL – Secure Sockets Layer TCP – Transmission Control Protocol TLS – Transport Layer Security ToS – Type of Service UDP – User Datagram Protocol VoIP – Voice over Internet Protocol VPN – Virtual Private Network 9 1 Introduction This thesis report is based on the work I did while working at TriaGnoSys on the ESA project “Security in broadband satellite systems for commercial and institutional scenarios”. The ESA project lasts for 12 months and I joined the project for 6 months, from the 4th to the 9th month of the project (both included). Therefore, while I catch up with the initial work, the results and analysis are not included in this report. The project goal is to analyse the impact of using security in satellite links. While satellite links already have some drawbacks by themselves, the presence of a virtual private network (VPN) worsens some and creates new ones. This thesis will focus on the analysis of the aeronautical scenario but other situations are also explained. This report starts with a revision of some concepts that are required for understanding this topic. Then, the issues of using VPNs over satellite links are identified and studied. The issues are only present in some situations, and so, different scenarios are defined to be used as reference for further study of both the issues and the proposed solutions. Then, solutions to the issues are proposed. With the problem having been studied, the next step would be to simulate, analyse and validate the solutions. For that, a testbed has been built. The testbed design and implementation are described as the last chapter of this thesis. Finally, some conclusions on the work done are presented. Also, found in the annex there is a chapter based on my experiences while learning how to configure the software that would be used for the testbed. It contains the software characteristics as well as some tests and bugs discovered while testing them. 10

Description:
1.1.2 Packet traversal through the Linux kernel . Figure 57: Ping packet through the netfilter processing at the remote gateway . segments are formed using part of the application data and the TCP header. Food safety.
See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.