Network security and mobility have become increasingly critical issues as computers move out of protected office environments. The widespread use of both Wi-Fi and wide area wireless broadband, along with employee home access, has led to increased use of VPNs. But the problem of maintaining live connections while network nodes move across network boundaries has been difficult to solve.
Enter Secure Mobile Architecture
Work on the Secure Mobile Architecture (SMA) began in the Open Group in 2001. Subsequently, an IETF working group was chartered to continue development, and it is still refining specifications.
SMA was developed to address three requirements:
- Cross network boundaries without dropping connections
- Guarantee the identity of network endpoints
- Protect the contents of communication
An early implementation is currently in use at Boeing. The FAA requires an aircraft manufacturer to maintain detailed records showing which employee carried out each step in building an airplane. Employees use laptops to record each assembly step.
Aircraft assembly facilities are too large for a single 802.11 subnet. Secure Mobile Architecture enables employees to log in at the beginning of a shift and move around the facility crossing subnet boundaries, maintaining secure connections while doing so. Employees may also connect to a wired network or move to an area supported by a wide area wireless network.
Cross network boundaries
The key to SMA's ability to cross network boundaries is the development of a new namespace. IP addresses were an appropriate way to identify systems when those systems didn't move. An IP address identifies a system by describing the location at which that system is attached to the network. That approach worked well when network attach points remained constant.
An additional problem with IP addresses is that systems with multiple network interfaces have multiple IP addresses. A system can be addressed using any of them, with the choice of address influencing the path through the network.
SMA defines a value called a Host Identifier that identifies a system independently of how the system is attached to the network and independently of the number of network interfaces. Unlike an IP address, a system's Host Identifier remains constant no matter where it moves, how it connects to the network, and what network technology is currently in use.
Guarantee endpoint identity
SMA uses Public Key Encryption to guarantee endpoint identity. In the Boeing installation, employees log in at the beginning of a shift. Information on the employee's badge is used to generate public and private keys that have validity only for the duration of the shift.
A system's public key becomes its Host Identifier. Use of the full public key in packet exchanges would be inefficient, so a 128-bit Host Identifier Tag (HIT) is created using a cryptographic hash of the Host Identifier. A 32-bit Local Scope Identifier can be generated from the HIT and used to simplify interfacing with applications designed for IPv4 addresses.
Secure Mobile Architecture adds another layer to the network stack. The Host Identity Protocol (HIP) is located above the internetworking layer and below transport. That is, it resides between TCP or UDP and IP.
To create a connection, HIP uses the Host Identifiers of the initiating system and the target system. The Host Identifiers are the systems' public keys. HIP then uses a Diffie-Hellman key exchange to establish a private key for use for the duration of the connection.
As end nodes move, IP addresses may change, but Host Identifiers do not change. HIP deals with network changes, making them invisible to the transport layer and application. In addition to the ability to move from one IPv4 network to another, a system can move from an IPv4 network to an IPv6 network and back to IPv4 without dropping a connection.
Protect communication contents
IPsec is used to protect the contents of communication against interception by unauthorized entities and also to ensure that contents are not modified in transit. The ESP option of IPsec is used to provide authentication of the sender and encryption of packet contents. The HIT takes the place of the Security Parameter Index in the IPsec packet.
A Location Enabled Network Service (LENS) adds security by maintaining information on the current location of each network node. It may utilize 802.11 or GPS location technology or any other appropriate mechanism. Location information can be used to restrict access to specific information to nodes located in secure areas and to prevent wireless access from beyond facility boundaries.
Information such as current IP addresses, security information and system location information is centralized in a directory. The directory provides a unified method for accessing all information relevant to supporting the network. Any directory technology may be used, and the directory may actually consist of multiple directories accessed through a common interface.
The future
Updated HIP specifications are available from the IETF Working Group. Open source implementations can be downloaded from the OpenHIP project. As developers gain experience with live implementations, the specifications will be updated to reflect what has been learned.
While Boeing's requirements appear to be specific to aircraft construction, other industries have similar requirements. Additional industries will be driven to consider Secure Mobile Architecture as measures such as Sarbanes-Oxley and HIPAA tighten requirements on identity and confidentiality.
About the author:
David B. Jacobs of The Jacobs Group has more than 20 years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies, as well as software startups.
