Compatibility Between TCP and IPSec in Wireless Networks

Abstract: The Transmission Control Protocol (TCP) was designed for wired networks and has many compatibility problems when applied to wireless environments, so it must be modified. Several performance enhancement schemes for TCP in wireless networks have been proposed, but they all conflict with the IP Security protocol (IPsec). This paper analyzes these conflicts and proposes four solutions: replacing IPsec with Transport Layer Security/Secure Sockets Layer (TLS/SSL), adopting the extended Encapsulating Security Payload (ESP) protocol, segmenting the TCP path, and modifying the end-to-end protection mode of IPsec. The strengths and weaknesses of each solution are examined.
Keywords: Wireless Network; Transmission Control Protocol; IPsec
 

The Transmission Control Protocol (TCP) provides reliable, ordered data delivery and is currently the most widely used transport layer protocol. TCP was designed for fixed networks, where every packet loss is assumed to be caused by network congestion. When TCP is used over a wireless network, the many losses that are not caused by congestion, together with the long and highly variable latency of the wireless channel, degrade its performance severely. Several schemes have been proposed, and widely adopted, to improve TCP performance in wireless environments, for example the Snoop scheme [1] and the ELN-ACK scheme [2]. However, these schemes conflict with the IP Security protocol (IPsec) [3]: if IPsec is used to secure the communication, the schemes cannot operate and TCP performance over the wireless channel cannot be improved.

1 IPsec Protocol
IPsec is an IP layer security framework proposed by the IETF that provides end-to-end security for users at the IP layer. It consists of two parts: key management and the security protocols. The Authentication Header (AH) [4] and Encapsulating Security Payload (ESP) [5] protocols provide data integrity protection and data origin authentication; ESP additionally provides data confidentiality. Both AH and ESP operate in either transport mode or tunnel mode. Transport mode is used between two hosts: the IPsec header is placed between the IP header and the upper layer protocol header, and the upper layer protocol is protected. Tunnel mode is used between two security gateways, or between a security gateway and a host: the entire IP packet is encapsulated in another IP packet, the IPsec header is placed between the two IP headers, and the whole inner IP packet is protected. In both modes the upper layer protocol header, such as the TCP header, lies within the protected range and is encrypted or integrity-protected.
The security services provided by IPsec require shared keys for data authentication and data confidentiality. Key management is performed by the Internet Key Exchange (IKE) [6], which negotiates the security parameters required by the security protocols in a two-phase message exchange and refreshes them securely when needed.

2 TCP in Wireless Networks
TCP, a transport layer protocol designed for fixed networks, is widely used in the Internet and provides reliable, ordered data delivery. TCP assumes that every packet loss is caused by network congestion, so each time it detects a loss it invokes its congestion avoidance mechanism, shrinks the send window and lowers the transmission rate to relieve the congestion.

In a wireless environment, however, a large number of packets are lost because of the high bit error rate of wireless channels and the frequent handoffs of mobile hosts. TCP still responds with congestion avoidance and reduces its transmission rate, which wastes channel resources and degrades TCP performance. At the same time, the large delay of wireless networks slows the growth of the congestion window and reduces TCP throughput.

Much research has addressed the problems TCP encounters in wireless networks. The Snoop scheme proposed in [1] adds a software module, the Snoop proxy, to the base station. The proxy monitors the TCP segments of connections between the mobile host and the fixed host and caches every segment that has not yet been acknowledged. When the Snoop agent receives several duplicate ACKs it concludes that a segment was lost on the wireless link, immediately retransmits the cached segment and discards the duplicate ACKs caused by the loss. Because Snoop retransmits locally at the base station, it recovers segments lost on the wireless link and prevents the sending TCP from entering fast retransmit on receipt of the duplicate ACKs, which improves TCP performance from the fixed host to the mobile host.

An important factor limiting TCP performance in wireless networks is that the transport layer cannot tell whether a loss was caused by network congestion. The Explicit Congestion Notification (ECN) scheme [7] addresses this: it defines an ECN-Echo flag in the TCP header that notifies the sender of congestion in the network, and the sender invokes congestion avoidance and reduces its transmission rate only after receiving such a notification.

Building on Snoop and ECN, the ELN-ACK scheme was proposed in [2]. It adds a new acknowledgement packet, ACKELN, to TCP. ACKELN carries an ELN flag indicating the cause of a packet loss: "0" means the loss was caused by the wireless network, "1" means it was caused by network congestion.

The ELN-ACK scheme adds an ELN proxy to each base station. The proxy caches the segments sent from the fixed host to the mobile host, determines the cause of each loss, and sets the ELN flag in ACKELN accordingly. When the fixed host receives an ACKELN with the ELN flag set to 1, it concludes that network congestion caused the loss and immediately starts the normal congestion avoidance mechanism to reduce its transmission rate; when the flag is 0, the loss was caused by the wireless network, so the fixed host immediately retransmits the lost segment without shrinking its sliding window. This scheme improves both the throughput and the latency of TCP from the fixed host to the mobile host.
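The Snoop proxy behaviour described in this section, as an added example that is not part of the paper: a small Python model of the base-station proxy that caches unacknowledged segments, retransmits locally when duplicate ACKs arrive, and suppresses those duplicate ACKs so the fixed host never enters fast retransmit. The segment sizes, sequence numbers and loss pattern are constructed for the example.

```python
class SnoopProxy:
    """Base-station proxy sitting between the fixed host and the mobile host."""

    def __init__(self):
        self.cache = {}               # seq -> unacknowledged segment
        self.last_ack = 0             # highest cumulative ACK seen so far
        self.local_retransmits = []   # seqs retransmitted over the wireless link
        self.acks_forwarded = []      # ACKs passed through to the fixed host

    def from_fixed_host(self, seq, segment):
        """Cache a segment on its way to the mobile host, then forward it."""
        self.cache[seq] = segment
        return seq, segment

    def from_mobile_host(self, ack):
        """Handle an ACK on its way to the fixed host.

        Returns True if the ACK is forwarded, False if it is suppressed."""
        if ack > self.last_ack:
            # New cumulative ACK: everything below it arrived, free the cache.
            self.last_ack = ack
            for seq in [s for s in self.cache if s < ack]:
                del self.cache[seq]
            self.acks_forwarded.append(ack)
            return True
        # Duplicate ACK: the segment starting at `ack` was lost on the wireless
        # link.  Retransmit it locally (once) and drop the duplicate so the fixed
        # host never sees it and never enters fast retransmit.
        if ack in self.cache and ack not in self.local_retransmits:
            self.local_retransmits.append(ack)
        return False


def run_scenario():
    """Constructed scenario: four 100-byte segments; the one at seq 200 is lost
    on the wireless link, so segments 300 and 400 each trigger a duplicate ACK."""
    proxy = SnoopProxy()
    for seq in (100, 200, 300, 400):
        proxy.from_fixed_host(seq, b"x" * 100)
    forwarded = [proxy.from_mobile_host(ack) for ack in (200, 200, 200)]
    # The local retransmission of seq 200 fills the hole; the mobile host
    # then acknowledges everything up to 500.
    forwarded.append(proxy.from_mobile_host(500))
    return proxy, forwarded
```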

3 Compatibility Analysis between IPsec and TCP
In a wireless network, IPsec conflicts with the TCP improvement schemes in two main ways:

(1) The TCP improvement schemes depend on fields of the TCP header such as the source port, destination port, sequence number and acknowledgement number. Intermediate nodes in the network, for example the Snoop proxy in the Snoop scheme, retransmit segments or generate ACKs based on these fields in order to improve TCP performance; if the intermediate node cannot read them, the scheme cannot work. When IPsec ESP is used to protect the IP packets, however, the entire TCP segment is encrypted, and no node other than the two ends of the TCP connection can obtain the plaintext of the TCP header, so the TCP improvement scheme cannot operate.

(2) When AH is used to protect the IP packets, AH protects the integrity of both the TCP header and the data, so no intermediate node can modify the TCP header. Some TCP improvement schemes require intermediate nodes to modify TCP header fields; for example, the ELN proxy in the ELN-ACK scheme must set the ELN flag in the ACKELN packet. Therefore AH cannot work together with such schemes.

In short, in a wireless network the end-to-end protection that IPsec provides at the IP layer is incompatible with the TCP improvement schemes, so TCP performance over the wireless channel cannot be improved.

4 Solutions
Data transmission services in wireless networks are growing, and because IPsec provides strong security protection its scope of application keeps expanding. The compatibility problem between TCP and IPsec in wireless networks must therefore be solved so that TCP performance can be improved while data communication remains secure.

4.1 Replace IPsec with TLS/SSL
Transport Layer Security and Secure Sockets Layer (TLS/SSL) are transport layer security protocols that work above TCP. Because TLS and SSL encrypt and protect only the data of TCP segments while the TCP header is transmitted in plaintext, replacing IPsec with TLS or SSL lets intermediate nodes operate on the TCP header, so TLS and SSL can coexist with the TCP improvement schemes. The disadvantage is that both the TCP header and the IP header travel through the network in plaintext, which may expose the identities of the communicating parties and open the door to many potential attacks.

4.2 Extended ESP Protocol
The extended ESP protocol [8] adds fields such as the TCP source port, destination port, sequence number and acknowledgement number to the ESP header and gives them integrity protection only, without encryption. Intermediate nodes can then read these fields, so TCP improvement schemes such as Snoop can work normally in the wireless network.

However, this scheme still does not allow intermediate nodes to modify the TCP header, so schemes such as ELN-ACK cannot work. In addition, the TCP source port, destination port, sequence number and acknowledgement number are transmitted in plaintext, which may create security vulnerabilities.

4.3 TCP Path Segmentation
The path of a TCP session can be divided into two parts (Figure 1): the wireless network between the mobile host and the base station, and the wired network between the base station and the remote fixed host. If the wireless network is fully trusted and is known to provide secure data protection, IPsec can be replaced by a link layer security protocol on the wireless link and used only on the wired link between the base station and the remote host. Because the TCP improvement schemes run only on the wireless network between the mobile host and the base station, the conflict between IPsec and the improvement schemes is avoided while both communication security and TCP performance are preserved. This solution relies on full trust in the wireless network.

4.4 Modify the End-to-End Protection Mode of IPsec
The end-to-end protection model of IPsec is modified so that an IP packet is divided into several protection domains, each protected by its own mechanism. Each domain has its own security association and key, together with its own access control rules that determine which intermediate nodes may operate on it. A segment-protected IP packet sent from the source allows authorized intermediate nodes to decrypt and modify one domain of the packet while the other domains remain invisible to them. When the packet reaches its destination, the whole packet is decrypted and restored.

This modified end-to-end protection mode protects IP packets at a finer granularity than the IPsec protocol does. The TCP header and the TCP data are placed in two different domains. The TCP data receives end-to-end protection, and only the sender and receiver hold its key. The TCP header uses a different protection mode: in addition to the sender and receiver, certain authorized intermediate nodes, such as the ELN proxy in the ELN-ACK scheme, also hold its key. These authorized nodes can read and write the TCP header, which resolves the conflict between IPsec and the TCP improvement schemes.

In this protection mode the authorized intermediate nodes must be authenticated; a Public Key Infrastructure (PKI) can be used for this, to prevent man-in-the-middle attacks. Once authenticated, an intermediate node can be given the shared secrets, such as keys, that it needs. The disadvantage of this solution is that key distribution can currently only be done manually; IKE would need to be extended to support dynamic key distribution.
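An added example, not the paper's code, modelling the segmented protection of Section 4.4 and the conflict of Section 3: the TCP header and the payload are two protection domains with separate keys, so an authorized ELN proxy that holds only the header key can rewrite the ELN flag, while any change to a domain whose key a node lacks (the situation every intermediate node is in under ordinary AH/ESP) fails the receiver's integrity check. The header layout, keys, nonce handling and the SHA-256 keystream cipher are simplifications assumed here in place of ESP's real formats.

```python
import hashlib, hmac, struct
HDR = struct.Struct("!IIB")   # header domain: seq, ack, ELN flag (constructed layout)
NONCE = b"\x00" * 8           # one nonce per packet; real ESP uses its sequence number

def _stream(key, nonce, n):
    """Counter-mode keystream from SHA-256: a toy stand-in for ESP's cipher."""
    out = b""
    for i in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + bytes([i])).digest()
    return out[:n]

def protect(plain, key, nonce=NONCE):
    """Encrypt-then-MAC one protection domain under that domain's key."""
    ct = bytes(a ^ b for a, b in zip(plain, _stream(b"enc" + key, nonce, len(plain))))
    return ct + hmac.new(b"mac" + key, nonce + ct, hashlib.sha256).digest()

def unprotect(blob, key, nonce=NONCE):
    """Check the domain's ICV, then decrypt; any modification raises ValueError."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(b"mac" + key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(b"enc" + key, nonce, len(ct))))

def send(seq, ack, eln, payload, hdr_key, data_key):
    """Sender: header and data domains travel as two separately protected blobs."""
    return protect(HDR.pack(seq, ack, eln), hdr_key), protect(payload, data_key)

def eln_proxy(packet, hdr_key, eln):
    """Authorized base-station proxy: it holds hdr_key only, so it can read the
    header domain and rewrite ELN but must pass the (unreadable) data domain on."""
    seq, ack, _ = HDR.unpack(unprotect(packet[0], hdr_key))
    return protect(HDR.pack(seq, ack, eln), hdr_key), packet[1]

def receive(packet, hdr_key, data_key):
    """Receiver verifies and decrypts both domains: (seq, ack, eln, payload)."""
    return HDR.unpack(unprotect(packet[0], hdr_key)) + (unprotect(packet[1], data_key),)

def demo():
    """Constructed keys/packet: legitimate ELN rewrite by the proxy, then a forged byte."""
    hdr_key, data_key = b"key-shared-with-eln-proxy", b"end-to-end-data-key"
    pkt = send(1000, 1, 0, b"ackeln payload", hdr_key, data_key)
    ok = receive(eln_proxy(pkt, hdr_key, 1), hdr_key, data_key)
    forged = (pkt[0], bytes([pkt[1][0] ^ 1]) + pkt[1][1:])   # node without data_key
    try:
        receive(forged, hdr_key, data_key)
        detected = False
    except ValueError:
        detected = True
    return ok, detected
```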

5 Conclusion
In a wireless communication network, communication security and TCP performance can only be achieved together if the conflict between them is resolved. Each of the four solutions above has limitations and none resolves the conflict completely, so further research is needed. A good solution must take into account the difficulty of deployment and implementation, and should minimize changes to the existing network structure and communication protocols, so that the security of IPsec is not weakened and no new security problems are introduced.

6 References
[1] Balakrishnan H, Seshan S, Katz R H. Improving reliable transport and handoff performance in cellular wireless networks [J]. ACM Wireless Networks, 1995, 1(4): 469-481.
[2] Ding W, Jamalipour A. A new explicit loss notification and acknowledgement for wireless TCP [C]. PIMRC 2001, San Diego, CA, 2001.
[3] IETF RFC 2401. Security Architecture for the Internet Protocol [S].
[4] IETF RFC 2402. IP Authentication Header [S].
[5] IETF RFC 2406. IP Encapsulating Security Payload (ESP) [S].
[6] IETF RFC 2409. The Internet Key Exchange (IKE) [S].
[7] Perkins C E. Mobile IP: Design Principles and Practices [M]. Addison-Wesley Longman, 1998.
[8] Bellovin S. Transport-friendly ESP (or layer violations for fun and profit) [C]. Network and Distributed System Security Symposium (NDSS '99), San Diego, CA, 1999.


Author profile:

Zhao Haiyang is a PhD student at the Information Security Center of Beijing University of Posts and Telecommunications; his research interests are mobile networks and computer network security. Yang Yixian is a professor and Director of the Information Security Center of Beijing University of Posts and Telecommunications, a distinguished professor of the Yangtze River Scholar Awards Program and a member of the CPPCC National Committee. He has led more than 40 national research projects and has won a third-class National Invention Prize and a first-class provincial/ministerial Science and Technology Progress Prize for work on network information security, modern cryptography and error-correcting codes.
