<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>IT Engineer's Blog, Malaysia Life Tech Blog &#187; Networking</title>
	<atom:link href="http://www.icalvyn.com/category/networking/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.icalvyn.com</link>
	<description>Your Gateway To IT Engineer Knowledge, Life experience on Malaysia Tech Blog</description>
	<lastBuildDate>Tue, 07 Feb 2012 14:04:27 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Comparing IEEE 802.16e and IEEE 802.20</title>
		<link>http://www.icalvyn.com/comparing-ieee-802-16e-and-ieee-802-20/</link>
		<comments>http://www.icalvyn.com/comparing-ieee-802-16e-and-ieee-802-20/#comments</comments>
		<pubDate>Fri, 18 Nov 2011 02:35:35 +0000</pubDate>
		<dc:creator>calvyn</dc:creator>
				<category><![CDATA[Networking]]></category>

		<guid isPermaLink="false">http://www.icalvyn.com/?p=3218</guid>
		<description><![CDATA[At first, the IEEE 802.16e and IEEE 802.20 standards may appear to be very similar. Both standards were developed to specify an air interface for providing broadband access to mobile users. Both standards will have low latency and will utilize packet architecture. However, other than the resemblances of their aims, there are few other parallels. [...]]]></description>
			<content:encoded><![CDATA[<p>At first, the IEEE 802.16e and IEEE 802.20 standards may appear to be very similar. Both standards were developed to specify an air interface for providing broadband access to mobile users. Both standards will have low latency and will utilize packet architecture. However, other than the resemblances of their aims, there are few other parallels.</p>
<p><center><img src="http://img833.imageshack.us/img833/9622/num7blus.gif" width=525 alt="IEEE Standard" /></center></p>
<p>First, the 802.16e standard is an extension of an existing standard, IEEE 802.16a. IEEE 802.20 is an entirely new standard optimized for mobility. 802.16e uses extensions to the MAC and PHY layers from 802.16a, while 802.20 uses new MAC and PHY layer designs. The result of this is that 802.16e-based products will be available well before any 802.20 products are on the market.</p>
<p>Although there is an obvious parallel between the technologies used by both standards and the type of user they are aiming to serve, there is a primary difference between the two. IEEE 802.20 is designed for users traveling at speeds of up to 250 km/h (155 mph), whereas 802.16e is aimed at users traveling at vehicular speed. So someone who is walking and needs broadband access via their PDA or laptop could do so using 802.16e-based technology. On the other hand, a user traveling on a high-speed train would require an 802.20-based product to gain wireless broadband access.<span id="more-3218"></span></p>
<p>Another key difference is that the 802.16e standard is a last-mile solution. It is aimed at PDA and laptop users and is seen as an extension to existing fixed wireless infrastructure, whereas 802.20 will use adaptive antennas and IP to provide a fully mobile broadband alternative to planned cellular services such as 3G.</p>
<p>A final crucial difference between the two is that 802.16e will operate in the 2 GHz to 6 GHz licensed bands, whereas 802.20 works in licensed bands below 3.5 GHz.</p>
<p><strong>How the standards are being implemented</strong><br />
Prior to ratification of both standards, there are ongoing attempts to implement devices based on them. Siemens has announced that it will develop Flash-OFDM equipment based on a prestandard version of IEEE 802.20. This can be used by wireless operators when they are implementing IEEE 802.20 wireless broadband technology. Flash-OFDM equipment enables carriers that don&#8217;t have the spectrum to install 3G cellular data services, but still control spectrum in the 450 MHz range, to utilize 802.20 products. The 450 MHz range was formerly used for analog services.</p>
<p>The first product based on a prestandard version of IEEE 802.16e is called Mobilis. By using Wi-LAN&#8217;s patented W-OFDM technology, it offers throughput of up to 32 Mbps and speeds approaching 110 km/h.</p>
<p><strong>As a Summary of Comparing IEEE 802.16e and IEEE 802.20</strong><br />
Although there appear to be many similarities between IEEE 802.16e and 802.20 &#8211; mainly in terms of the architecture they employ and what they are trying to achieve &#8211; further examination of the standards shows significant differences between the two. Both standards aim to provide wireless broadband connectivity and both can be used by mobile users. However, 802.20 is aimed at users moving at high speed, whereas 802.16e can be used only by those traveling on foot. There are also additional differences with how each standard is deployed and implemented.</p>
<p>Siemens is developing Flash-OFDM equipment that is based on prestandard 802.20 technologies. The first product to utilize the IEEE 802.16e standard, Mobilis, already exists.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.icalvyn.com/comparing-ieee-802-16e-and-ieee-802-20/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Building a security roadmap</title>
		<link>http://www.icalvyn.com/building-a-security-roadmap/</link>
		<comments>http://www.icalvyn.com/building-a-security-roadmap/#comments</comments>
		<pubDate>Thu, 10 Nov 2011 06:13:27 +0000</pubDate>
		<dc:creator>calvyn</dc:creator>
				<category><![CDATA[Networking]]></category>

		<guid isPermaLink="false">http://www.icalvyn.com/?p=3211</guid>
		<description><![CDATA[Introduction to building a security roadmap Securing a system against attack is an important responsibility of a system administrator. As a system administrator, you can address this security issue by creating a roadmap that outlines your plans for the system&#8217;s security requirements. This roadmap details what information is required to allow you to attain your [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Introduction to building a security roadmap </strong><br />
Securing a system against attack is an important responsibility of a system administrator. As a system administrator, you can address this security issue by creating a <strong>roadmap</strong> that outlines your plans for the system&#8217;s security requirements. This roadmap details what information is required to allow you to attain your goal. Each roadmap is designed to meet the specific security requirements of an organization. The roadmap is the blueprint used to ensure a system is adequately secured.</p>
<p><center><img src="http://img202.imageshack.us/img202/1278/roadmap.jpg" alt="security roadmap"/></center></p>
<p><strong>Developing the roadmap </strong><br />
Before a roadmap can be defined, you need to decide what issues it needs to address. This can be determined by examining the policies that senior management have approved and brought into practice. These can include organizational policies such as:</p>
<ul>
<li>personnel and physical security</li>
<li>protection of corporate assets and information</li>
<li>how employees are hired and their employment terminated</li>
<li>the responsibilities of employees</li>
</ul>
<p>You should also consider the security principles behind the system&#8217;s design, and how to comply with them. This is generally referred to as the system architecture.<span id="more-3211"></span></p>
<p>Other areas that should be examined for your roadmap&#8217;s requirements include:</p>
<ul>
<li>the system development life cycle (SDLC) process</li>
<li>system acquisition process</li>
<li>best practices employed for system security</li>
<li>details on the means for policy and standards approval</li>
<li>rules for security behavior</li>
</ul>
<p>You should also examine those documents detailing how policies are written. Additionally, the process for approving these policies needs to be considered to understand how to integrate any future policies securely into a system.</p>
<p>If any of these policies are unclear or nonexistent, you record the approach that you would like implemented instead. This approach is subject to the appropriate approval by the authorizing party.</p>
<p>The information provided by the data you&#8217;ve gathered is used to create a layered defense for your system. These policies are implemented and governed by means of technical, administrative, or physical controls.</p>
<p><strong>Defining specific requirements</strong><br />
The list of internal policies that you have created is gathered and documented as a requirement statement. This is supplemented by using industry practices, government guidelines, and other trustworthy sources to help you break your system into its component parts. These parts are the requirements of your system that, when implemented, create a layered defense, providing rings of security for your system.</p>
<p><img class="aligncenter" src="http://img94.imageshack.us/img94/6700/roadmap2.png" alt="security roadmap" /></p>
<p><strong>Using the roadmap</strong><br />
The roadmap is tailored to your organization. You can only implement it with the approval of senior management because the roadmap may necessitate organizational change. Therefore, the roadmap needs to be flexible, allowing it to adapt if changes are required.</p>
<p>Besides outlining how to make your system more secure, the roadmap also provides the information required to create a plan of action and milestones (POA&amp;M). The POA&amp;M is used to acquire extra funding, people, or resources to secure the system. It ensures that the system&#8217;s schedule proceeds in the correct order.</p>
<p>As a Summary for Building a <strong>security roadmap</strong><br />
A roadmap outlines your system&#8217;s security requirements. It can be created from examining those policies approved by senior management. Policies that are unclear or not yet created need to be outlined and approved by senior management. The policies are gathered and used to create a roadmap&#8217;s requirement statement. The requirement statement is used to implement the system and create a layered defense. It must be flexible and approved by senior management.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.icalvyn.com/building-a-security-roadmap/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>FIFO and WFQ</title>
		<link>http://www.icalvyn.com/fifo-and-wfq/</link>
		<comments>http://www.icalvyn.com/fifo-and-wfq/#comments</comments>
		<pubDate>Tue, 01 Nov 2011 14:26:31 +0000</pubDate>
		<dc:creator>calvyn</dc:creator>
				<category><![CDATA[Cisco]]></category>
		<category><![CDATA[Networking]]></category>

		<guid isPermaLink="false">http://www.icalvyn.com/?p=3206</guid>
		<description><![CDATA[Overview of FIFO and WFQ First-in-first-out (FIFO) and weighted fair queuing (WFQ) are the two primary default queuing mechanisms that are implemented on Cisco routers. Despite a number of drawbacks, FIFO is the most-used queuing mechanism and it is supported in all versions of Cisco IOS. WFQ, which dynamically divides available bandwidth by a calculation [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Overview of FIFO and WFQ</strong><br />
First-in-first-out (FIFO) and weighted fair queuing (WFQ) are the two primary default queuing mechanisms that are implemented on Cisco routers. Despite a number of drawbacks, FIFO is the most-used queuing mechanism and it is supported in all versions of Cisco IOS. WFQ, which dynamically divides available bandwidth by a calculation based on the total number of flows and the weight of each given flow, was developed to resolve some of the problems resulting from the use of basic queuing methods, including FIFO, such as queue starvation, delay, and jitter.</p>
<p><img class="aligncenter" src="http://img406.imageshack.us/img406/6537/fifo.jpg" alt="FIFO" /></p>
<p><strong>The FIFO queuing mechanism</strong><br />
FIFO queuing has no classification because all packets belong to the same class. Packets are dropped when the output queue is full – this process is known as tail dropping. The scheduler services packets in the order in which they arrive. The software FIFO queue is basically an extension of the hardware FIFO queue.<span id="more-3206"></span></p>
<p>Although FIFO queuing might be regarded as the fairest queuing mechanism, it has some significant drawbacks:</p>
<ul>
<li>FIFO is extremely unfair when an aggressive flow is contending with a fragile flow. Aggressive flows send a large number of packets, many of which are dropped. Fragile flows send a modest number of packets, and most of them are also dropped because the queue is always full due to the aggressive flow. This type of behavior is called starvation.</li>
<li>Short or long bursts cause a FIFO queue to fill. Packets entering an almost-full queue have to wait a long time before they can be transmitted. At another time, the queue might be empty, causing packets of the same flow to experience almost no delay. Such variation in delay is called jitter.</li>
</ul>
<p>In spite of such drawbacks, FIFO is still the most-used queuing mechanism because of the following benefits:</p>
<ul>
<li>FIFO is simple and fast. Most high-end routers with fast interfaces are not really affected by problems such as starvation and jitter. Furthermore, routers are not capable of complex classification and scheduling when they have to process a large number of packets per second. FIFO is, therefore, the most suitable queuing mechanism on these router platforms.</li>
<li>FIFO is supported on all platforms.</li>
<li>FIFO queuing is supported in all versions of Cisco IOS.</li>
</ul>
<p>To enable FIFO, you need to disable WFQ, which is automatically enabled on interfaces with less than 2Mbps of bandwidth.</p>
<p><strong>The WFQ queuing mechanism</strong><br />
WFQ was introduced to address the problems associated with other queuing mechanisms. For example, FIFO queuing causes starvation, delay, and jitter, and the PQ queuing mechanism causes starvation of other lower priority classes and suffers from all the problems associated with FIFO within each of the four queues that it uses for prioritization. CQ causes long delays and also suffers from all of FIFO&#8217;s problems within each of the 16 queues that it uses for traffic classification. WFQ was developed to alleviate these problems by</p>
<ul>
<li>having a dedicated queue for each flow – this means there is no starvation, delay, or jitter within the queue</li>
<li>allocating bandwidth fairly and accurately among all flows, which results in minimum scheduling delay and guaranteed service</li>
<li>using IP precedence as weight when allocating bandwidth</li>
</ul>
<p>WFQ uses automatic classification, which means that manually defined classes are not supported. WFQ dropping is not a simple tail dropping process. Instead, WFQ drops the packets of the most aggressive flows. The WFQ scheduler is a simulation of a time-division multiplexing (TDM) system. The bandwidth is fairly distributed to all active flows.</p>
<p>WFQ is supported on most Cisco routers, as well as on Versatile Interface Processors (VIPs). The implementation of WFQ on the VIP differs slightly from its implementation on the majority of Cisco platforms. For example, classification identifies a flow and assigns a queue to the flow, and weight is used for scheduling to give proportionately more bandwidth to flows with a higher IP precedence. In addition, the tail-dropping scheme is improved to drop packets of the most aggressive flows.</p>
<p><strong>Advantages and disadvantages of WFQ queuing</strong><br />
WFQ offers a number of advantages over other queuing mechanisms:</p>
<ul>
<li>it&#8217;s simple to configure, so no manual classification is necessary</li>
<li>it guarantees throughput to all flows</li>
<li>it drops the packets of the most aggressive flows</li>
<li>it&#8217;s supported on most platforms</li>
<li>it&#8217;s supported in all IOS versions</li>
</ul>
<p>Nevertheless, there are also a number of drawbacks associated with WFQ:</p>
<ul>
<li>it&#8217;s not always possible to have one flow per queue</li>
<li>it does not allow manual classification</li>
<li>it cannot provide fixed guarantees</li>
<li>its classification and scheduling mechanisms are complex</li>
</ul>
<p>Despite these drawbacks, WFQ is a useful queuing mechanism, and it is automatically enabled on all interfaces that have a default bandwidth of less than 2 Mbps.</p>
<p>As a summary<br />
First-in-first-out (FIFO) and weighted fair queuing (WFQ) are the two main default queuing mechanisms implemented on Cisco routers. Although FIFO is the fairest queuing mechanism, it has some significant drawbacks in that its use can cause the queuing problems known as starvation, delay, and jitter. Despite this, FIFO is the most suitable queuing mechanism for high-end router platforms that aren&#8217;t seriously affected by these problems. FIFO is supported on all platforms and all versions of Cisco IOS.</p>
<p>Developed to resolve some of the problems resulting from the use of basic queuing methods such as FIFO, WFQ dynamically divides available bandwidth by a calculation based on the total number of flows and the weight of each given flow. Supported on most platforms and on all versions of Cisco IOS, WFQ has the advantage of being simple to configure. Other benefits include the ability to drop the packets of the most aggressive flows and to guarantee throughput to all flows. However, WFQ also has a number of drawbacks. It does not allow manual classification and it cannot provide fixed guarantees. Furthermore, its classification and scheduling mechanisms are complex, and it&#8217;s not always possible to have one flow per queue in WFQ.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.icalvyn.com/fifo-and-wfq/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Asynchronous Transfer Mode (ATM) standards</title>
		<link>http://www.icalvyn.com/asynchronous-transfer-mode-atm-standards/</link>
		<comments>http://www.icalvyn.com/asynchronous-transfer-mode-atm-standards/#comments</comments>
		<pubDate>Sun, 09 Oct 2011 15:44:11 +0000</pubDate>
		<dc:creator>calvyn</dc:creator>
				<category><![CDATA[Networking]]></category>

		<guid isPermaLink="false">http://www.icalvyn.com/?p=3186</guid>
		<description><![CDATA[Are you aware of how many ATM standards bodies there are? Four main standards bodies are associated with ATM standards. The international bodies are the Asynchronous Transfer Mode (ATM) Forum and the United Nations agency, the International Telecommunications Union, Telecommunications Standardization Sector (ITU-T). The regional bodies are the American National Standards Institute (ANSI) and the European Telecommunications Standards [...]]]></description>
			<content:encoded><![CDATA[<p>Are you aware of how many <strong>ATM standards bodies</strong> there are?</p>
<p>Four main standards bodies are associated with ATM standards. The international bodies are the Asynchronous Transfer Mode (ATM) Forum and the United Nations agency, the International Telecommunications Union, Telecommunications Standardization Sector (ITU-T). The regional bodies are the American National Standards Institute (ANSI) and the European Telecommunications Standards Institute (ETSI).</p>
<p><center><img src="http://i650.photobucket.com/albums/uu226/calvynlee/img1.jpg" alt="" /></center></p>
<p>The ATM forum leads the way in developing and rolling out ATM standards. A group of manufacturers created this forum to ensure the rapid progress of the ATM standardization process, and it wanted to advertise ATM capability. This group is also active in drawing up solutions for the problems and challenges generated in ATM application.</p>
<p><strong>International bodies</strong></p>
<p>The ATM forum is divided into the</p>
<ul>
<li>Technical Committee – This committee comprises principal members of the forum, and it is responsible for the development of technical standards.</li>
<li>Market Awareness and Education (MA&amp;E) Committee – This committee comprises principal members, and it is responsible for educational material, press releases, and other related presentations that raise awareness of ATM capabilities in the telecommunications market.</li>
<li>End-User Roundtable (ENR) – This committee comprises user members, and it is responsible for developing an understanding of user requirements for ATM.</li>
</ul>
<p>You can contact the ATM forum via their official web site at http://www.atmforum.com/.<span id="more-3186"></span></p>
<p>The ATM forum promotes short-term, practical solutions for equipment manufacturers, the Internet, and private ATM networks. In contrast, the ITU-T promotes long-term, robust standards for public networks.</p>
<p>However, many of the ITU-T standards are similar or identical to those of the ATM forum. The ITU-T often publishes the standards of the ATM forum up to two years after their release.</p>
<p>You can contact the ITU-T via their official web site address http://www.itu.int/home/index.html.</p>
<p><strong>Regional bodies</strong><br />
The influential regional bodies – ANSI and ETSI – don&#8217;t focus exclusively on ATM standards, and they tend to base their output on information that the ATM forum publishes. ANSI&#8217;s T1 committee contributes to the development of ATM standards, and it adapts ITU-T standards to U.S. market environments and to the transmission equipment that dominates North America. ETSI provides telecommunication standards for European countries. Its standards emerge either as European Telecommunications Standards (ETS) that define functionality, interfaces, and telecommunications protocols, or as normes Europeennes de telecommunications (NETS) standards that are mandatory for the approval of network terminal equipment. ETSI also produces technical reports that provide technical guidelines for network design and maintenance.</p>
<p>The official web site address for the ANSI T1 committee on telecommunications standards is http://www.t1.org/. The official web site address for the ETSI telecommunications standards body is http://www.etsi.org/.</p>
<p><strong>Standards</strong><br />
ATM standards can be confusing because several bodies generate standards, later standards may contradict earlier versions, the standards are littered with acronyms, and the different standards bodies may use different terms to refer to the same thing. A further complication is that ITU-T standards are typically published later than those of the ATM forum.</p>
<p>However, you can categorize the standards according to type or function. For example, in the ITU-T standards the</p>
<ul>
<li>I series of standards relates to the architecture and functionality of Integrated Services Digital Networks (ISDN) and to the interfaces and protocols relating to these networks</li>
<li>G series of standards defines transmission systems and media</li>
<li>Q series defines signaling and the protocols used between devices to manage and control the network</li>
</ul>
<p>Some useful standards to use when you begin to go through the ATM standards include the ITU-T I.113, I.121, I.150, I.211, I.311, I.361, and I.363.</p>
<p>Other useful standards are listed by category below:</p>
<p><img src="http://i650.photobucket.com/albums/uu226/calvynlee/ATMStandard.jpg" alt="ATM Standard" width="525" /></p>
<p>As a summary,<br />
The four main bodies associated with Asynchronous Transfer Mode (ATM) standards are the ATM forum, the International Telecommunications Union &#8211; Telecommunications Standardization Sector (ITU-T), the American National Standards Institute (ANSI), and the European Telecommunications Standards Institute (ETSI).</p>
<p>Because the ATM standards can be complicated and confusing, you should have a good grounding in ATM technologies before going through the standards, and you need to structure your readings of the standards carefully.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.icalvyn.com/asynchronous-transfer-mode-atm-standards/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to install and configure linksys access point wireless router</title>
		<link>http://www.icalvyn.com/how-to-install-and-configure-linksys-access-point-wireless-router/</link>
		<comments>http://www.icalvyn.com/how-to-install-and-configure-linksys-access-point-wireless-router/#comments</comments>
		<pubDate>Mon, 11 Jul 2011 01:18:26 +0000</pubDate>
		<dc:creator>calvyn</dc:creator>
				<category><![CDATA[Hardware]]></category>
		<category><![CDATA[Networking]]></category>

		<guid isPermaLink="false">http://www.icalvyn.com/?p=3129</guid>
		<description><![CDATA[Installing and configuring a Linksys wireless router needn&#8217;t be a difficult challenge, especially with the newer Linksys router models getting easier to set up than ever. If you follow this guide you will have your own wireless network set up quickly enough! So how do you configure a Linksys wireless router? First [...]]]></description>
			<content:encoded><![CDATA[<p>Installing and configuring a <strong>Linksys wireless router</strong> needn&#8217;t be a difficult challenge, especially with the newer Linksys router models getting easier to set up than ever. If you follow this guide you will have your own wireless network set up quickly enough! So how do you configure a Linksys wireless router? First things first, let&#8217;s take a look at the back of the router.</p>
<p style="text-align: center;"><img class="aligncenter" src="http://img39.imageshack.us/img39/207/linksys1.jpg" alt="" /></p>
<p>Although designs vary, there are usually the following ports:<span id="more-3129"></span></p>
<p>-<strong>Power port</strong>, where the power lead plugs in<br />
-<strong>WAN port</strong>, more details on that below.<br />
-<strong>Ethernet ports</strong>, typically 4 of these working at 10/100 or 1GB.<br />
-<strong>USB port</strong> for plugging in a bulk hard drive device (optional)</p>
<p>The WAN port varies depending on which unit you have, but it will be either an Ethernet port or a DSL (<strong>Digital Subscriber Line</strong>) port. Many people use cable and therefore have the model with the DSL port. If you live in a region that has the other sort of cable, using coaxial, then you might need a model with a <strong>Wide Area Network Ethernet </strong>(WAN) port.</p>
<p style="text-align: center;"><img class="aligncenter" src="http://img607.imageshack.us/img607/918/linksys2q.jpg" alt="" width="525" /></p>
<p>Power up the router first, and then connect the Wide Area Network port. If you are on a Digital Subscriber Line, you&#8217;ll need to connect a micro filter to your phone socket and then an RJ11 cable from the micro filter to the DSL port. To set up the router you can either follow the steps on the setup CD or do it manually.</p>
<p>In most cases the setup CD will guide you through the process and show you how to complete the work. However, if you don&#8217;t want an installation guide, the manual process is straightforward enough. To start, connect an Ethernet cable to the router and the other end to your desktop. Depending on the router, you should be issued an IP address right away. Check the icon in the bottom right to verify that you&#8217;re connected. If you have limited or no connectivity, you will need to set yourself an IP address.</p>
<p>The default range for Linksys routers is usually 192.168.1.x, but check the documentation to verify. Give yourself an IP address of 192.168.1.50 (you may have to change that depending on what the default range is). Log on to the Linksys router configuration web page, which is at http:// followed by the IP address of the router (again, check the documentation provided).</p>
<p>From the web page you can set up the wireless network with a name and key that you choose. Just look for the Wi-Fi menu. Finally, find the &#8216;WAN&#8217; or &#8216;Internet&#8217; tab and set up the internet connection. You will need to enter the username and password your Internet Service Provider gives you.</p>
<p>Once you&#8217;ve done that, you should be ready to roll! Look at the wireless networks on your computer and you should find your own listed there; enter the key, connect, and you should have an internet connection! That is how easy it is to configure a Linksys wireless router. Remember, when you require more coverage, you can also add another Wi-Fi router; a wireless router is also an access point.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.icalvyn.com/how-to-install-and-configure-linksys-access-point-wireless-router/feed/</wfw:commentRss>
		<slash:comments>21</slash:comments>
		</item>
		<item>
		<title>History of wireless networks</title>
		<link>http://www.icalvyn.com/history-of-wireless-networks/</link>
		<comments>http://www.icalvyn.com/history-of-wireless-networks/#comments</comments>
		<pubDate>Wed, 16 Feb 2011 16:02:52 +0000</pubDate>
		<dc:creator>calvyn</dc:creator>
				<category><![CDATA[Networking]]></category>
		<category><![CDATA[WIFI]]></category>

		<guid isPermaLink="false">http://www.icalvyn.com/?p=3037</guid>
		<description><![CDATA[Wireless networks provide communication without the use of cables. Their use dates back several centuries. In the 1820s, Hans Christian Oersted and Andre-Marie Ampere discovered electromagnetism, which is a manifestation of both the electric and magnetic fields. Then, in 1832, Joseph Henry and Samuel F.B. Morse demonstrated how electrical telegraphy works, [...]]]></description>
			<content:encoded><![CDATA[<p>Wireless networks provide communication without the use of cables. Their use dates back several centuries. In the 1820s, Hans Christian Oersted and Andre-Marie Ampere discovered electromagnetism, which is a manifestation of both the electric and magnetic fields. Then, in 1832, Joseph Henry and Samuel F.B. Morse demonstrated how electrical telegraphy works, which is a telegraph that uses electrical signals that are relayed through telecommunication lines or radio.</p>
<p style="text-align: center;"><img class="aligncenter" src="http://img688.imageshack.us/img688/1707/wirelessinternetsecurit.jpg" alt="wireless networks History" width="525" /></p>
<p>Telegraphs started to make their appearance in the 1940’s when networks were built in California and on the East Coast of the United States. This was shortly followed by the first transatlantic cable set up in 1858, the propagation of wireless technology by James Clerk Maxwell in 1864 and subsequently a radio-telegraph experiment conducted by Marconi and Popov. As you can see, the technology that we have today has its basis in the inventions and creations of these scientists decades ago.<span id="more-3037"></span></p>
<p>Wireless networks were used to communicate and to disseminate information in those days, just as we use them today. In times when people were separated by war, wireless networks became the primary form of communication. They were also a method of receiving and sending out information. The Americans referred to the radio as, well, a radio, but the British called it a wireless. Both meant the same thing, and it works by radiating electromagnetic waves from the transmitting station. One of the first few to use the term ‘wireless’ was the British Broadcasting Company, as is evident from their program guide called “The Radio Times” in 1923.</p>
<p>Nowadays, mobile phones are probably the most common form of wireless networks. Everyone owns one these days, even some children who haven’t yet reached their teens. Phones are used not only as a form of communication these days but also as a method of obtaining updates and information and as a tool of entertainment. Satellites are another form of wireless networks, enabling us to watch cable TV and to receive programmes that are being shown live in another part of the world. Emergency services also utilise wireless networks. Police and rescue departments use wireless networks to receive and send out information quickly. And of course there is the Internet. We are connected to a wide web where everything is made possible, be it shopping, entertainment or banking. Wireless networks have indeed made life a breeze, thanks to the forefathers of technology who established such great inventions in years gone by.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.icalvyn.com/history-of-wireless-networks/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Electronic payment methods</title>
		<link>http://www.icalvyn.com/electronic-payment-methods/</link>
		<comments>http://www.icalvyn.com/electronic-payment-methods/#comments</comments>
		<pubDate>Wed, 21 Oct 2009 16:09:42 +0000</pubDate>
		<dc:creator>calvyn</dc:creator>
				<category><![CDATA[eCommerce]]></category>
		<category><![CDATA[Networking]]></category>

		<guid isPermaLink="false">http://www.icalvyn.com/?p=2159</guid>
		<description><![CDATA[Smart cards A smart card is similar to a magnetic stripe card but contains a microprocessor chip. The first smart cards were prepaid telephone cards, which operated on stored prepaid values. They have moved on from this to be used for things such as library cards, credit cards, student cards, and electronic purses. Today, there [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Smart cards</strong></p>
<p>A smart card is similar to a magnetic stripe card but contains a microprocessor chip. The first smart cards were prepaid telephone cards, which operated on stored prepaid values. They have moved on from this to be used for things such as library cards, credit cards, student cards, and electronic purses.</p>
<p style="text-align: center;"><img src="http://img40.imageshack.us/img40/8545/image01c.gif" alt="" /></p>
<p>Today, there are three smart card types with different access methodologies.</p>
<p><strong>Contact cards</strong><br />
With a contact smart card, the user inserts it into a reader in order to access the information on it. The data is then transferred once physical contact is made. The reader supplies power to the chip in the card through the contacts. These cards are used in financial applications such as store-value, debit, and credit cards because of their reliability and the high power available to the microchip processor. Contact cards are slower and require more servicing than contactless cards.</p>
<p><strong>Contactless cards</strong><br />
Contactless cards communicate with the card reader using radio frequency technology. They are implanted with a radio antenna. No physical contact is required with the reader. Contactless smart cards are suitable for application in fast paced transactions. Proximity, close-coupled, and vicinity cards are sub-types of contactless cards. Vicinity cards are used in industrial tagging, car-park access, and library book tagging. Contactless cards cannot support encryption techniques and are expensive to manufacture.<span id="more-2159"></span></p>
<p><strong>Hybrid or combi cards</strong><br />
Hybrid or combi cards combine elements of contact and contactless cards. This is done in three different ways. Firstly, there is a hybrid card that has two chips. Each chip has either a contact or contactless interface. This method offers high security but is expensive to produce. The combi card has one chip, but with a contact and contactless interface. The combi card is cheaper than the hybrid card. There is a third type that uses an RF sleeve with an inbuilt antenna. This enables the card to contact the reader, thus making a contact card into a contactless one. This card type has low security.</p>
<p><strong>Focus on Mondex</strong><br />
Mondex is a contact smart card that holds the equivalent of cash. It is an electronic purse. A Mondex card behaves exactly like cash and unlike other payment cards requires no signature, PIN, or transaction authorization. Cash is stored on an integrated circuit (IC) on the smart card. Cash can be securely transferred from one IC to another. Value is stored in a purse in the IC. The Application Carrier Device (ACD) holds the Mondex purse application. In a Mondex payment, value is transferred from one purse to another. Mondex transactions take place by inserting the card into a card reader.</p>
<p>Mondex cards offer a low cost, secure solution to unattended point of sale transactions, for example in parking meters or reality television voting. It is reliable and secure because no cash needs to be stored, low value transactions are efficient, and the Mondex cards are available to the majority of consumers. Mondex has been applied to different markets. For example, it is used in company cafeterias, where employees pay for meals using value on their Mondex cards. A Mondex card can hold a variety of currencies and be used in the respective countries. In Norway, the national lottery company and post office jointly offer Mondex card holders online gaming with winnings paid directly to customers&#8217; cards.</p>
<p style="text-align: center;"><img class="aligncenter" src="http://img40.imageshack.us/img40/8545/image01c.gif" alt="" /></p>
<p><span style="text-decoration: underline;"><strong>Electronic Funds Transfer (EFT)</strong></span></p>
<p>EFT operates on the basis of two systems. The two do not always operate at the same time or in the same place.</p>
<p><strong>Clearing house system.</strong></p>
<p>The clearing house system is where transactions between members of a clearing channel are recorded. The Clearing House Interbank Payment System (CHIPS) is an example of a clearing house.</p>
<p><strong>Settlement</strong><br />
Settlement is the transferring of funds from a payer&#8217;s account to a payee&#8217;s account. This can only occur between banks. The central bank of each country usually acts as the primary settlement agent. Settlement can occur immediately on a gross basis or be delayed on a net basis.<br />
Fedwire, CHIPS, and ACH are examples of EFT methods employed in the US.</p>
<p><strong>Fedwire</strong><br />
Fedwire is a real-time gross settlement (RTGS) system guaranteed by the Federal Reserve of the US. More than 11,000 members are linked by online terminal, host-to-host computers, and other technology. It is the main payment system used for high value US payments.</p>
<p>Fedwire offers same day value, no settlement risk, finality, guaranteed payment, speed, and security. The only drawbacks are the cost, limited linkage, and restriction of transactions to credits.</p>
<p>In a typical Fedwire transaction between company A and company B, company B sends an invoice to company A, which sends a payment instruction to their bank (bank A). Bank A debits company A and sends a payment message to the Federal Reserve. The Federal Reserve debits bank A and credits bank B. Bank B credits company B&#8217;s account and sends the credit advice to company B.</p>
<p style="text-align: center;"><img class="aligncenter" src="http://img136.imageshack.us/img136/8947/image02.gif" alt="" /></p>
<p><strong>CHIPS<br />
</strong>CHIPS is an RTGS system. It is a computerized telecommunications network owned by New York Automated Clearing House. It links 56 banks, both domestic and foreign, that have offices in New York City. Payments on this system are generally international US dollar payments between countries. These payments include interbank movements, Eurodollar payments, and the settling of foreign exchange transactions.</p>
<p>The system supports the growing e-commerce needs of the business community through the use of Extensible Markup Language (XML). CHIPS offers same day value, minimal settlement risk, finality, speed, security, and the ability to transmit up to 9000 characters of data. The disadvantages are the high cost, its restriction to credit transactions, and the limitations of direct membership.</p>
<p><strong>ACH<br />
</strong>The Automated Clearing House (ACH) system was developed as a means for transferring funds, at low cost and in high volume, between US domestic accounts. It is an alternative to checks. The National Automated Clearing House Association (NACHA) was established in 1974. It forms a link between regions for the ACHs and provides a nationwide electronic payment and collection network among US financial institutions. It offers a number of formats for ACH transactions.</p>
<p>The system can be used for debit and credit transactions. ACH credit transactions include payroll, pension, and annuity payments. ACH debit transactions include consumer bill payments, such as utility bills, phone bills, and insurance premiums.</p>
<p>ACH is cost effective, reliable, efficient, deals with both debits and credits, uses batch processing, has accelerated inflows, allows for processing of large amounts of information, and is more secure than paper transactions. The major disadvantages of the system are the delay in settlement, lack of guaranteed finality, start-up and on-going costs, and concerns over debit transactions.</p>
<p><strong>SWIFT<br />
</strong>The Society for Worldwide Interbank Financial Telecommunications (SWIFT) is a global telecommunications network. It provides a strict message format for the exchange of financial information between financial institutions. Messages automatically pass through electronic links built between SWIFT and the local electronic clearing systems in different countries.</p>
<p>More recently, SWIFT has been applied to the transferring of the entire letter of credit process onto the Internet and providing Web-based functionality for business-to-business (B2B) transactions with SWIFTNet.</p>
<p><strong>Payment system risks</strong><br />
There are payment system risks involved in the EFT systems. The daylight overdraft (when an account is overdrawn at the Federal Bank) is of concern to the Federal Reserve Bank. They have introduced charges curbing the limit a bank is overdrawn in any one day to address this risk. The second big risk was the delay in settlement in the ACH system. ACH has now introduced &#8220;ACH settlement day finality&#8221; to lower the risk.</p>
<p><strong><span style="text-decoration: underline;">eChecks </span></strong></p>
<p>An eCheck is an electronic representation of a paper check. An eCheck uses public key cryptographic signatures and secure messaging over the Internet to make payments and perform other financial functions. They function using the same mechanisms as paper checks, but in an electronic format.</p>
<p>eCheck transactions take place in the following way:</p>
<ul>
<li>the payer &#8220;writes&#8221; the eCheck and &#8220;gives&#8221; the eCheck to the payee electronically</li>
<li>the payee &#8220;deposits&#8221; the eCheck, receives credit, and the payee&#8217;s bank &#8220;clears&#8221; the eCheck to the paying bank.</li>
<li>the paying bank validates the eCheck and then &#8220;charges&#8221; the check writer&#8217;s account for the check</li>
</ul>
<p>eChecks offer safe bank transactions on the Internet, unlimited information carrying capacity, reduced fraud risk, and automatic verification of content and validity.</p>
<p>The eBill system is powered by eChecks. eBills are a paperless form of bill that are accessed on the Internet rather than delivered by traditional mail. eBills contain the exact same information as paper bills. Customers set up an eBill account with a website from which they can view, pay, and track the history of all bill payments. The system allows customers to set up recurring payments and reminders and guarantees payment direct from the account of their selection.</p>
<p style="text-align: center;"><img class="aligncenter" src="http://img136.imageshack.us/img136/604/image03.gif" alt="" /></p>
<p><strong><span style="text-decoration: underline;">Mobile payments</span></strong></p>
<p>A mobile payment is where two parties exchange financial value by means of a mobile device in return for goods or services. Mobile technologies include 2.5G and 3G data networks, and the Bluetooth, infrared, and radio frequency identification (RFID) wireless protocols. All mobile payments should be secure, interoperable, and easy to use.</p>
<p>Examples of where mobile purchases could be used effectively are</p>
<ul>
<li>mobile top-ups</li>
<li>online shopping</li>
<li>road-tolls</li>
<li>fast-food drive-through</li>
<li>service stations</li>
<li>images or games</li>
</ul>
<p>Mobile payments can be either Over the Air (OTA) or across wide-area networks (WAN). OTA payments usually operate on a browser-based transfer infrastructure, such as SMS or multimedia messaging (MMS). WAN uses a wireless network and proximity payments that transfer information over short distances. Proximity payments can be made using various technologies including Bluetooth, infrared, RFID, and contactless chips.</p>
<p>The mobile payment life cycle typically involves the following four phases. In phase one, the mobile payment mechanism is configured. This might be the installation of a payment device, such as a mobile wallet, on a mobile device. Phase two is the initiation of the payment by the consumer. Phase three is the authentication of the user, and phase four is the completion of the payment. This life cycle is similar to a typical credit card transaction.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.icalvyn.com/electronic-payment-methods/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Security considerations on Mobile IP networks</title>
		<link>http://www.icalvyn.com/security-considerations-on-mobile-ip-networks/</link>
		<comments>http://www.icalvyn.com/security-considerations-on-mobile-ip-networks/#comments</comments>
		<pubDate>Fri, 28 Aug 2009 16:07:30 +0000</pubDate>
		<dc:creator>calvyn</dc:creator>
				<category><![CDATA[Networking]]></category>

		<guid isPermaLink="false">http://www.icalvyn.com/?p=2145</guid>
		<description><![CDATA[Mobile IP is becoming more important for the average consumer and for businesses. Mobile IP standards are improving, as are the services offered by service providers. Because of this, more efficient services and applications are available to mobile users. In business, key employees can be kept up to date with critical information, which results in [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Mobile IP is becoming more important for the average consumer and for businesses. Mobile IP standards are improving, as are the services offered by service providers. Because of this, more efficient services and applications are available to mobile users. In business, key employees can be kept up to date with critical information, which results in improved customer service and, ultimately, in improved customer relations. Mobile IP allows consumers to communicate and to avail of a variety of services, such as instant messaging and SMS alerts to their cellular phones with, for instance, the latest traffic reports or sports results.</p>
<p style="text-align: center;"><img class="aligncenter" src="http://img38.imageshack.us/img38/7706/wirelessnetworking.gif" alt="mobile IP" /></p>
<p style="text-align: justify;">With the development of large open networks – networks with access to the Internet, and other private and public networks – threats to security have increased and more security vulnerabilities have been discovered. The technical knowledge required to hack a network has become more widely available and hacking tools are more user friendly.</p>
<p style="text-align: justify;">Because of the way Mobile IP operates, the transfer of information is vulnerable in terms of security. The registration process in itself is vulnerable because, typically, mobile computers are connected to the network via wireless links. When mobile nodes on foreign networks register with their home networks via wireless links, they are vulnerable to attacks such as passive eavesdropping and active replay. This means that authentication mechanisms in Mobile IP registration need to be particularly strong. For example, service providers need to authenticate messages sent between foreign agents and home agents to ensure only legitimate customers are provided with service and to enable billing.</p>
<p><span style="text-decoration: underline;"><strong>Threats to Mobile IP</strong></span></p>
<p>Specific threats to Mobile IP include the following:<span id="more-2145"></span></p>
<ul>
<li>denial-of-service attack</li>
<li>passive eavesdropping</li>
<li>session-stealing attack</li>
<li>replay attack</li>
</ul>
<p><strong>Denial-of-service attack</strong></p>
<p style="text-align: justify;">A denial-of-service (DoS) attack is specifically designed to disrupt the normal functioning of a system by destroying or modifying data, or by overloading the system&#8217;s servers. The organization (or user) is then deprived of services such as e-mail or perhaps the temporary loss of all network connectivity and services.</p>
<p style="text-align: justify;">One type of DoS is a nuisance packet attack (TCP SYN flooding). This type of attack can be quite difficult to prevent because a sender can spoof the source address. However, the service provider can use ingress filtering in routers to make sure the IP source address of a packet is authenticated before it is forwarded.</p>
<p style="text-align: justify;">Another type of DoS attack precludes packets from flowing between two nodes. For example, an attacker – who must be on the path between the two nodes – creates a bogus registration request, giving a personal IP address as the care-of address for a mobile node. This means the mobile node&#8217;s home agent will send all packets to the attacker.</p>
<p style="text-align: justify;">This type of attack can be prevented if there are cryptographically strong authentication procedures between a mobile node and its home agent. Keyed MD5 is the default algorithm used, drawing on RFC 1321 to provide secret-key authentication and integrity checking. Although all mobile nodes must support this algorithm, Mobile IP does enable a mobile node to use different types of authentication.</p>
<p><strong>Passive eavesdropping</strong></p>
<p style="text-align: justify;">Theft of information can occur when an attacker accesses network packets that come across the network to which he is attached (man-in-the-middle attack), typically by using network packet sniffers and routing and transport protocols. Encryption is a common way of preventing a passive eavesdropping (or theft-of-information) attack, protecting the data from being accessed by unauthorized persons. Link-layer encryption is commonly used between a mobile node and its foreign agent over a wireless link, so that all packets exchanged over the link are encrypted. Because no physical connection is required, it can be easier to snoop on a wireless link.</p>
<p style="text-align: justify;">End-to-end encryption, where the data is encrypted and decrypted at the source and destination, is the most thorough method of protecting the data. Secure Sockets Layer (SSL), Secure Copy (SCP), and Secure Shell (SSH) are examples of Internet-based applications that provide end-to-end protection. Other application programs that do not provide for encryption can use Encapsulating Security Payload (RFC 1827) for end-to-end encryption.</p>
<p><strong>Session-stealing attack</strong></p>
<p style="text-align: justify;">A session-stealing attack is when an attacker pretends to be a legitimate node and captures a session. The attacker waits for a valid node to authenticate itself and initiate an application session. The attacker then transmits numerous nuisance packets to prevent the node from recognizing that the session has been captured. Session-stealing attacks can be prevented by end-to-end and link-layer encryption.</p>
<p><strong>Replay attack</strong></p>
<p style="text-align: justify;">A replay attack is when an attacker obtains and stores a copy of a legitimate registration request and replays it later to create a forged care-of address for a mobile node. To prevent this, a mobile node produces a unique value for the Identification field for each successive registration. The Identification field allows the home agent to ascertain what the subsequent value should be. The attacker is therefore hampered because the home agent will be able to identify the Identification field in the stored registration request as outdated.</p>
<p><span style="text-decoration: underline;"><strong>Mitigating the threats to Mobile IP</strong></span></p>
<p style="text-align: justify;">The registration process of Mobile IP requires strong authentication procedures as it offers many opportunities for malicious intervention. Any sensitive data that is transferred should be encrypted. If location privacy is required, mobile nodes can connect to their home network via a tunnel. The home agent forwards any packets sent to the mobile node to its care-of address and so the mobile node still appears to be on the home network.</p>
<p><strong>Cryptography</strong></p>
<p style="text-align: justify;">Cryptography is one of the main methods used to maintain confidentiality, that is, to ensure sensitive data is viewed only by users who are authorized. Cryptography involves the use of cryptographic algorithms and the exchange of either public or secret keys to ensure only authorized parties can decrypt information. There are two main categories of cryptographic algorithms: secret-key algorithms – where both the sender and receiver use the same key – and public-key algorithms. With public-key algorithms, a pair of related keys are used, one by the sender and the other by the receiver. One of these keys is published publicly and the other is kept private.</p>
<p style="text-align: justify;">The information is authenticated using either private-key (secret-key) or public-key encryption. There are two categories of private-key encryption, one utilizes a type of cryptographic algorithm called a message digest (a fixed-length piece of data computed from a large piece of data), whereas the other category uses the same algorithms used to execute private-key encryption.</p>
<p style="text-align: justify;">There are also two categories of public-key authentication – one method uses a similar method to secret-key authentication, except it uses public-key encryption. The other type of public-key authentication uses digital signatures. A public-key conversion is performed on a plain-text message, using the private key, and the resulting ciphertext is called a digital signature. Only the sender has the key, which means the sender cannot later deny having sent this information (non-repudiation). If necessary, the message, the time stamp, and a message digest confirming that the message has not been altered in transit (integrity checking) can be re-sent.</p>
<p><strong>Problems with ARP</strong></p>
<p style="text-align: justify;">In Mobile IP registration, a mobility binding is created at the home agent where a mobile node&#8217;s home address is associated with its care-of address for a specified lifetime. If registration is not authenticated properly, this tunneling feature could prove to be a significant security vulnerability. It also means that Address Resolution Protocol (ARP) is not authenticated, and could potentially be used to steal another host&#8217;s traffic. If Gratuitous ARP is used, where an ARP packet is sent by a node in order to spontaneously cause other nodes to update an entry in their ARP cache, then all the risks associated with ARP will also need to be factored in. For these reasons, it is imperative that home agents and mobile nodes perform authentication.</p>
<p><strong>Authentication</strong></p>
<p style="text-align: justify;">Mobile nodes and home agents must be able to perform authentication. There are several factors that determine the strength of an authentication mechanism. These include the strength and secrecy of the key used, the strength of the authentication algorithm, and the quality of the implementation. The default algorithm used by home agents and mobile nodes for message authentication is HMAC-MD5 with a key size of 128 bits. The foreign agent must support authentication using HMAC-MD5 with manual key distribution of key sizes of 128 bits or greater. It must also support keys with arbitrary binary values.</p>
<p style="text-align: justify;">When producing and verifying the authentication data supplied with Mobile IP registration messages, new implementations of Mobile IP should use MD5 as one of the additional authentication algorithms. This is because the &#8220;prefix + suffix&#8221; use of MD5 to protect data is considered vulnerable to attack. However, the use of keyed MD5 does not mean other authentication algorithms and modes cannot be used. Keyed MD5 authentication should use a 128-bit key that is both secret and pseudo-random.</p>
<p style="text-align: justify;">Key distribution in a Mobile IP network can often be a difficult task due to the absence of a network key management protocol. Because of this, some messages sent to the foreign agent do not require authentication.</p>
<p><strong>Firewalls</strong></p>
<p style="text-align: justify;">A firewall is a device that protects the resources of a private network from an untrusted public network such as the Internet. There are several different types of firewall. Firewalls use secure logon procedures and authentication certificates to allow mobile users remote access to the private network.</p>
<p style="text-align: justify;">Common security policies such as ingress filtering – where routers do not forward packets that appear to have a topologically incorrect source address – can prove to be problematic in Mobile IP networks. For example, a router running firewall software could block incoming packets from a mobile node trying to contact a node on its home network. The firewall blocks this node as it is trying to enter the intranet using the address of a machine inside the intranet. However this mobile node is trying to access the home network using its own home address. To counteract this problem, a mobile node can use the foreign agent supplied care-of address as the source address – this is called reverse tunneling. Reverse tunneled packets can pass normally through routers that use ingress filtering, and the ingress filtering rules can still locate the true source of the packet in the same way as packets from non-mobile nodes.</p>
<p><strong>Replay protection</strong></p>
<p style="text-align: justify;">To prevent a replay attack, a mobile node produces a unique value for the Identification field for each successive message. There are two methods used to interpret Identification fields – time stamps and nonces. All mobile nodes and home agents must implement replay protection based on time stamps. Nonce-based replay protection is optional.</p>
<p style="text-align: justify;">With time stamp replay protection, the node generating a message inserts the current time of day. The node receiving the message checks that this time stamp is sufficiently close to its own time of day. The value used to limit the time difference should be greater than three seconds – the default value is seven seconds. These nodes must have adequately synchronized time-of-day clocks.</p>
<p style="text-align: justify;">With nonce replay protection, a node – node A – includes a new random number in every message it sends to another node – node B. Node A then checks that node B returns that same number in its reply. Both messages use an authentication code to protect against alteration by an attacker.</p>
<p style="text-align: justify;">As part of the mobile security association, a mobile node and its home agent have to agree on the method of replay protection that will be used. The low-order 32 bits of the identification have to be copied unchanged from the registration request to the registration reply regardless of which method is used. The foreign agent uses the mobile node&#8217;s home address and the low-order 32 bits to match registration requests with corresponding replies. The mobile node has to verify that the low-order 32 bits of any registration reply are identical to the bits it sent in the registration request. The identification used in a new registration request cannot be the same as the preceding request. Re-transmission is allowed, but a request shouldn&#8217;t be repeated while the same security context is being used between the mobile node and the home agent.</p>
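<p style="text-align: justify;">The time stamp check and the message authentication described above, as an added example (not code from the original post or from any Mobile IP implementation): a home agent verifies an HMAC-MD5 authenticator, applies the seven-second window, and rejects an Identification it has already accepted. The message layout, the split of the Identification field into seconds and fraction, the addresses and the key are simplified assumptions constructed for illustration.</p>

```python
import hashlib
import hmac
import socket
import struct

TOLERANCE_SECONDS = 7          # default limit quoted in the text above
NTP_UNIX_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
LAYOUT = "!4s4sQ"              # assumed layout: home address, care-of address, Identification


def make_identification(unix_time):
    """64-bit Identification: whole seconds in the high 32 bits, fraction in the low 32."""
    seconds = (int(unix_time) + NTP_UNIX_OFFSET) & 0xFFFFFFFF
    fraction = int((unix_time % 1) * 2**32) & 0xFFFFFFFF
    return (seconds << 32) | fraction


def encode_request(home_addr, care_of_addr, identification):
    """Simplified registration request (not the real wire format)."""
    return struct.pack(LAYOUT, socket.inet_aton(home_addr),
                       socket.inet_aton(care_of_addr), identification)


def authenticator(key, message):
    """HMAC-MD5 over the whole message with the shared 128-bit key."""
    return hmac.new(key, message, hashlib.md5).digest()


def reply_matches(request_ident, reply_ident):
    """Mobile-node side: the low-order 32 bits must come back unchanged."""
    return (request_ident & 0xFFFFFFFF) == (reply_ident & 0xFFFFFFFF)


class HomeAgent:
    def __init__(self, keys):
        self.keys = keys        # home address -> shared key
        self.last_seen = {}     # home address -> last accepted Identification
        self.bindings = {}      # home address -> care-of address

    def register(self, message, tag, now):
        if len(message) != struct.calcsize(LAYOUT):
            return "rejected: malformed request"
        home_raw, coa_raw, ident = struct.unpack(LAYOUT, message)
        home = socket.inet_ntoa(home_raw)
        key = self.keys.get(home)
        # 1. Authenticate first, so nothing below acts on forged fields.
        if key is None or not hmac.compare_digest(tag, authenticator(key, message)):
            return "rejected: authentication failed"
        # 2. The sender's time stamp must be close to the agent's own clock.
        sent = (ident >> 32) - NTP_UNIX_OFFSET
        if abs(now - sent) > TOLERANCE_SECONDS:
            return "rejected: time stamp outside tolerance"
        # 3. Inside the window, a captured request is still refused because
        #    its Identification is not newer than the last one accepted.
        if ident <= self.last_seen.get(home, 0):
            return "rejected: identification already used"
        self.last_seen[home] = ident
        self.bindings[home] = socket.inet_ntoa(coa_raw)
        return "accepted"


def demo():
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed key
    home, care_of = "192.0.2.10", "198.51.100.7"             # documentation addresses
    agent = HomeAgent({home: key})
    t0 = 1_700_000_000.25                                    # constructed clock value
    request = encode_request(home, care_of, make_identification(t0))
    tag = authenticator(key, request)

    results = {
        "legitimate": agent.register(request, tag, now=t0 + 1),
        "replay_in_window": agent.register(request, tag, now=t0 + 3),
        "replay_late": agent.register(request, tag, now=t0 + 60),
    }
    # A request with a different care-of address but the old authenticator.
    forged = encode_request(home, "203.0.113.66", make_identification(t0 + 4))
    results["forged_care_of"] = agent.register(forged, tag, now=t0 + 4)
    return results, agent.bindings


if __name__ == "__main__":
    outcome, table = demo()
    for name, verdict in outcome.items():
        print(f"{name:18} {verdict}")
    print("bindings:", table)
```

<p style="text-align: justify;">The window check alone would accept the replay that arrives three seconds later; it is the per-node record of the last accepted Identification that turns it away.</p>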
]]></content:encoded>
			<wfw:commentRss>http://www.icalvyn.com/security-considerations-on-mobile-ip-networks/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Enhancing Mobile IP</title>
		<link>http://www.icalvyn.com/enhancing-mobile-ip/</link>
		<comments>http://www.icalvyn.com/enhancing-mobile-ip/#comments</comments>
		<pubDate>Wed, 12 Aug 2009 16:02:31 +0000</pubDate>
		<dc:creator>calvyn</dc:creator>
				<category><![CDATA[Networking]]></category>

		<guid isPermaLink="false">http://www.icalvyn.com/?p=2140</guid>
		<description><![CDATA[Mobile IP is a standard communications protocol, developed by the Internet Engineering Task Force (IETF) and designed to allow mobile-device users to move from one network to another while maintaining their permanent IP address. Mobile IP is an enhancement of the Internet Protocol (IP). It allows for Internet traffic to be forwarded to mobile devices, [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">Mobile IP is a standard communications protocol, developed by the Internet Engineering Task Force (IETF) and designed to allow mobile-device users to move from one network to another while maintaining their permanent IP address.</p>
<p style="text-align: center;"><img class="aligncenter" src="http://img27.imageshack.us/img27/3363/tcip021103.gif" alt="Enhancing Mobile IP" /></p>
<p style="text-align: justify;">Mobile IP is an enhancement of the Internet Protocol (IP). It allows for Internet traffic to be forwarded to mobile devices, also called mobile nodes, when they are connecting through networks other than their home network. In wireless computing, Mobile IP is the technology that enables a user to receive information, such as e-mails and files directly to one&#8217;s laptop, without the sender&#8217;s knowledge of the serving network IP address.</p>
<p style="text-align: justify;">It is predicted that wireless access will soon become the dominant means of connecting to the Internet. As it becomes more common, mobile users will expect similar levels of connectivity and service quality to wireline users, and Internet protocols will need to be further developed to meet the technological challenges ahead. Mobile IP, as it currently stands, presents a problem in terms of performance and scalability.<span id="more-2140"></span></p>
<p><strong>The problems with Mobile IP</strong></p>
<p>Mobile IP has several weaknesses when it comes to supporting mobile device mobility, which can be categorized under the following headings:</p>
<ul>
<li>latency</li>
<li>address space</li>
<li>quality of service</li>
<li>unnecessary overheads</li>
<li>security</li>
</ul>
<p><strong>Latency</strong></p>
<p style="text-align: justify;">Mobile IP requires changes to its forwarding function in order to adequately support node mobility. The required changes are based on the care-of address (COA). This is the IP address that marks the mobile node&#8217;s current location on the network. The care-of address, in Mobile IP, is used</p>
<ul style="text-align: justify;">
<li>to advertise the mobile device&#8217;s new point of attachment during registration or it is stored for future use at the mobile node&#8217;s home agent</li>
<li>by the home agent to tunnel data traffic from the home network to the new network indicated by the care-of address</li>
</ul>
<p style="text-align: justify;">The association between the mobile node and the care-of address it receives as it moves location is known as binding. When a mobile device changes network, it registers with its home agent each time. This can be a slow process, resulting in a period of latency, and for mobile devices that continually change networks, this registration process can become totally inefficient. This need for frequent re-registration is one of the main criticisms leveled at the Mobile IP protocol.</p>
<p style="text-align: center;"><img class="aligncenter" src="http://img205.imageshack.us/img205/7241/tcip021101.gif" alt="Enhancing Mobile IP" /></p>
<p><span style="text-decoration: underline;"><strong>Mobile IP registration</strong></span></p>
<p><strong>Address Space</strong></p>
<p style="text-align: justify;">Mobile IP also requires a pool of valid addresses to serve as COAs inside each domain. As the Internet continues to grow, the Mobile IPv4 address space is now reaching its limit. Mobile IPv6 has been developed to try to resolve this problem by using 128-bit addresses, but its rollout is proving to be slow and IPv4 is expected to be around for some time yet.</p>
<p><strong>Quality of service</strong></p>
<p style="text-align: justify;">For mobile device users, the quality of service (QoS) is affected by re-registration – the mobile node continually changes COA, leading to a heavy signaling load and latency issues that are incompatible with the provision of a quality service.</p>
<p><strong>Unnecessary overheads</strong></p>
<p style="text-align: justify;">The Mobile IP protocol tunneling mechanism causes an increase in overhead costs due to delays, packet loss, and signaling problems. Packet loss and delays during handoff can be caused by the creation of new tunnels. Packet loss is likely if the mobile device is far away from its home network. Delays are due to the roundtrip of the registration request (it is sent to the home agent and the response is sent back to the foreign agent). Signaling problems are encountered when the constant registration-requests process places a burden on the core network.</p>
<p style="text-align: justify;"><strong>Security</strong></p>
<p style="text-align: justify;">In mobile networking, security is a major concern. For a network operation to be authorized, correct authentication is essential. Mobile IP has some security vulnerabilities, which means that mobile devices are vulnerable to security breaches. One of the most common security breaches is a denial-of-service attack.</p>
<p style="text-align: justify;"><span style="text-decoration: underline;"><strong>Micromobility protocols</strong></span></p>
<p style="text-align: justify;">Micromobility protocols are the proposed solution to the problems encountered with Mobile IP. By using a micromobility protocol, private addresses can be used – the micromobility protocol is transparent to the network outside a domain. This provides a cheap and effective solution to the address space problem.</p>
<p style="text-align: justify;">By using a micromobility protocol, the mobile node does not need to re-register as it moves within a domain. Registration will occur only when the mobile device changes domain. This improves the quality of service.</p>
<p style="text-align: center;"><img class="aligncenter" src="http://img22.imageshack.us/img22/3849/tcip021102.gif" alt="Enhancing Mobile IP" /></p>
<p><strong>Micromobility protocols</strong></p>
<p style="text-align: justify;">Two of the most common micromobility protocols are TeleMIP and Cellular IP. TeleMIP provides lower handoff latency and signaling overhead compared to Mobile IP. TeleMIP is also designed to address the Mobile IP address space limitations. Cellular IP combines the efficiency and scalability of IP with features found in cellular networks, such as seamless handoff support, passive connectivity, and paging.</p>
<p style="text-align: justify;">These protocols remove the latency issues associated with Mobile IP by using a two-layer hierarchical framework to manage mobility. This ensures that every change in connectivity doesn&#8217;t have to be communicated back to the home network. This, in turn, facilitates faster handoff.</p>
<p style="text-align: justify;">Mobile IP introduces delays through the need for constant registration when the mobile node changes location on a network. Micromobility protocols circumvent this delay because they don&#8217;t interact with the Mobile IP enabled Internet. In the micromobility model, the mobile node receives a local COA when it connects to a domain. While the mobile node is in this domain, the COA remains valid. The mobile node needs to make only one registration when it first connects to the domain. This eliminates the need for registration during handoff, which has two effects:</p>
<ul style="text-align: justify;">
<li>it significantly reduces delay and packet loss</li>
<li>it reduces the signaling load experienced by the core network</li>
</ul>
<p style="text-align: justify;">This reduction in signaling load is important because as the numbers of wireless users increase, so does the signaling overhead associated with mobility management.</p>
<p style="text-align: justify;"><strong>The benefits of micromobility protocols</strong></p>
<p style="text-align: justify;">Faster handoff and a reduction in registration are two of the main aims of micromobility protocols. These enhancements are essential so the Internet can support very large numbers of wireless users. The following issues need to be considered when developing micromobility protocols:</p>
<ul>
<li>fast handoff</li>
<li>paging</li>
<li>fast security/AAA</li>
<li>quality of service</li>
</ul>
<p><strong>Fast handoff</strong></p>
<p style="text-align: justify;">An effective mobility management solution should be able to support fast handoff by redirecting packets to the mobile node&#8217;s new point of attachment on the network with very little or no delay. As discussed, a time lag is inherent in Mobile IP due to the roundtrip of the registration request. But by using micromobility protocols, the need for registration is almost eliminated. It is necessary for the smooth functioning of real-time IP applications, such as Voice-over-IP, that latency is eliminated.</p>
<p style="text-align: justify;">One of the key features of micromobility protocols is the support for fast handoff. Fast handoff reduces delay and packet loss. The handover performance can be affected by a number of design choices, such as</p>
<ul>
<li>handoff control</li>
<li>buffering and forwarding techniques</li>
<li>radio behavior</li>
<li>movement detection and prediction</li>
<li>coupling and synchronization between IP and radio layers</li>
</ul>
<p><strong>Paging</strong></p>
<p style="text-align: justify;">Usually, devices such as desktop PCs and laptops maintain &#8220;always on&#8221; connections to the Internet, even when they aren&#8217;t in use. This allows the users to be contactable around the clock and to have constant access to Internet resources. Mobile-device users will expect a similar service. For mobile devices, there are two issues surrounding &#8220;always on&#8221; connections – bandwidth use and battery power.</p>
<p style="text-align: justify;">With fixed location desktops and laptops, the location information doesn&#8217;t change and the power source is unlimited. To be continuously contactable on a mobile device, this location information needs to be continually updated, which uses up the limited battery power. When the mobile devices are idle, then much needed battery power and bandwidth are unnecessarily consumed because of the need to broadcast each new location. The ideal solution is to have the mobile node transmit nothing unless it&#8217;s in an active state. But then the network would be unable to efficiently forward packets to the mobile node because the node location would be unknown for large periods of time.</p>
<p style="text-align: justify;">A solution employed by GSM networks is to divide geographical areas into what are called &#8220;paging areas&#8221;. Idle devices are required to register only if they change paging area, and not when they move within the same paging area. Paging thereby reduces registration to a minimum, which serves to lower the signaling overhead and conserve battery power.</p>
<p style="text-align: center;"><img class="aligncenter" src="http://img27.imageshack.us/img27/3363/tcip021103.gif" alt="Enhancing Mobile IP" /></p>
<p><span style="text-decoration: underline;"><strong>Paging</strong></span></p>
<p><strong>Fast security</strong></p>
<p style="text-align: justify;">Security is important when it comes to designing mobile networking protocols and systems. Micromobility protocols aim to support fast handoff control for mobile devices. Location update messages need to be authenticated, although data encryption may not be necessary in each instance. Authentication with encryption can be used to guard the privacy of mobile users who do not want to make known their current location. Micromobility protocols deal with security issues that address network performance, device performance, quality of service, manageability, and the extent of support for AAA.</p>
<p style="text-align: justify;">When fast handoff is sought, the security mechanisms must perform the authentication operation in the short space of time available. In the traditional authentication, authorization and accounting (AAA) model, the security-aware servers are located in distant locations, which is unlikely to facilitate fast handoff. Authenticating items, such as session keys, need to be immediately available to ensure fast handoff. The extent of support the micromobility protocols have for AAA has a big impact on the applicability of the protocol.</p>
<p><strong>Quality of service</strong></p>
<p style="text-align: justify;">The use of micromobility protocols leads to increased quality of service. With Mobile IP, a new registration must be performed each time the mobile device changes its COA. This produces a heavy load of traffic on the network. With micromobility protocols, registrations do not have to be completed each time a mobile device moves within a domain, only when it changes domain. This considerably reduces the amount of network traffic and leads to better service quality for the mobile user.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.icalvyn.com/enhancing-mobile-ip/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Bandwidth on Internet Connectivity</title>
		<link>http://www.icalvyn.com/bandwidth-on-internet-connectivity/</link>
		<comments>http://www.icalvyn.com/bandwidth-on-internet-connectivity/#comments</comments>
		<pubDate>Mon, 10 Aug 2009 00:14:42 +0000</pubDate>
		<dc:creator>calvyn</dc:creator>
				<category><![CDATA[Networking]]></category>

		<guid isPermaLink="false">http://www.icalvyn.com/?p=2090</guid>
		<description><![CDATA[After getting to know the router on internet connectivity, another communication technology that we need to understand is bandwidth. In analog systems, bandwidth is the difference between the highest-frequency and the lowest-frequency signal components of a transmission channel. Frequency is measured as the number of cycles per second, or Hertz (Hz). In digital systems, bandwidth [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: justify;">After getting to know the <a href="http://www.icalvyn.com/router-on-internet-connectivity/">router on internet connectivity</a>, another <strong>communication technology</strong> that we need to understand is bandwidth.</p>
<p style="text-align: center;"><img class="aligncenter" src="http://img32.imageshack.us/img32/3710/meteredbandwidth.jpg" alt="bandwidth on internet" /></p>
<p style="text-align: justify;">In analog systems, bandwidth is the difference between the highest-frequency and the lowest-frequency signal components of a transmission channel. Frequency is measured as the number of cycles per second, or Hertz (Hz). In digital systems, bandwidth indicates the data transmission in bits per second (bps), and the standard prefixes are used to indicate values such as a thousand bps (Kbps), a million bps (Mbps) and a billion bps (Gbps).</p>
<p style="text-align: justify;">So bandwidth is a measure of the amount of data that can travel over a communication system in an allotted time frame. It may be referred to as data throughput or line speed. Bandwidth is directly proportional to the rate of communication, meaning that the greater the bandwidth, the faster the communication.</p>
<p style="text-align: justify;"><strong>Common communications technologies</strong></p>
<p style="text-align: justify;">There is a wide range of networking technologies in use today. These include cable modems, digital subscriber line (DSL), Integrated Services Digital Network (ISDN), regular telephone lines, satellite connections, and wireless connections.<span id="more-2090"></span></p>
<p style="text-align: justify;"><strong>Cable modem </strong><br />
A cable modem is a modem that allows a PC to access the Internet using a cable television connection. A cable modem is always connected and is an example of a broadband medium. A broadband medium carries multiple types of transmissions. When a PC transmits digital signals, the cable modem converts the digital signals to analog signals, and it converts any incoming analog signals back to digital signals.</p>
<p style="text-align: justify;"><strong>Digital subscriber line (DSL) </strong><br />
DSL is a broadband digital technology that uses regular copper phone lines to transmit and receive data. DSL uses different frequencies to those of voice, allowing you to use the same phone line for voice and data transmissions at the same time. DSL is always connected.</p>
<p style="text-align: justify;"><strong>Integrated Services Digital Network (ISDN) </strong><br />
ISDN is a broadband technology that uses normal telephone lines or digital telephone lines to send data, video, and voice. Users can access an ISDN via dial-up connections. An ISDN line consists of two channels on a single pair of wires, called B channels, which can separately support speeds up to 64 Kbps. These channels can be combined to give an effective bandwidth of 128 Kbps. An ISDN line also consists of a slower control channel, called the D channel.</p>
<p style="text-align: justify;"><strong>Regular telephone lines </strong><br />
Regular telephone lines are a common way to connect to an Internet service provider (ISP), using an internal or external modem that converts digital data to analog data. This modem is necessary as regular telephone lines can only transmit analog data. Typically, such lines offer a maximum possible bandwidth of 56 Kbps, but, on average, the actual value is likely to be half this. This is too slow even for most home users, which is the main reason why technologies such as ISDN are increasingly popular.</p>
<p style="text-align: justify;"><strong>Satellite access</strong><br />
Satellite access provides high-speed Internet connections and is useful in remote areas, in which other types of connections aren&#8217;t possible. Unlike cable modems and DSL, satellite access is available from almost anywhere. In a typical scenario, a satellite dish – mounted on top of a building – exchanges data with an orbiting satellite, the use of which is offered by an ISP.</p>
<p style="text-align: justify;"><strong>Wireless access </strong><br />
Wireless access refers to systems and devices that don&#8217;t require cables to communicate with other devices. Wireless access is useful for mobile devices – such as cellular phones – and for Internet access in remote locations, where wired transmission is impossible. Wireless access is not as common as wired data transmission because it can be expensive, and may be prone to environmental factors to which wired communication is immune.</p>
<p style="text-align: justify;">Below are other communication (or networking) technologies, together with the maximum bandwidth available.</p>
<p style="text-align: justify;"><strong>Asymmetric digital subscriber line (ADSL)</strong> 640 Kbps upstream and up to 6.1 Mbps downstream<br />
Home users who require fast download speeds, but are not so concerned about upload speeds, as most of the bandwidth is from the ISP to the user</p>
<p style="text-align: center;"><img class="aligncenter" src="http://img30.imageshack.us/img30/961/bandwidthmeter.jpg" alt="bandwidth on Internet" /></p>
<p style="text-align: justify;"><strong>Asynchronous transfer mode (ATM) </strong>25, 45, 155 or 622 Mbps<br />
Used in LAN backbones</p>
<p style="text-align: justify;"><strong>Cable modem</strong> 512 Kbps to 5 Mbps<br />
Most suited for connection between a home or small business and an ISP</p>
<p style="text-align: justify;"><strong>Ethernet</strong> 10 Mbps to 1 Gbps<br />
Most popular technology for LANs. Original Ethernet specification supported 10 Mbps, later versions are the Fast Ethernet (100 Mbps) and Gigabit Ethernet (1 Gbps). The 10 Gigabit Ethernet (10GbE) is in development</p>
<p style="text-align: justify;"><strong>Fiber distributed data interface (FDDI) </strong>100 Mbps<br />
A good choice for a LAN backbone</p>
<p style="text-align: justify;"><strong>Fractional T1 </strong>The number of channels of the T1 leased times 64 Kbps but less than full T1 (1.544 Mbps)<br />
Enterprises who do not need the bandwidth of a full T1 line</p>
<p style="text-align: justify;"><strong>Frame relay</strong> 56 Kbps to 45 Mbps<br />
Corporate WANs – for businesses that need to communicate internationally</p>
<p style="text-align: justify;"><strong>G.Lite (also known as DSL Lite)</strong> From 1.544 to 6 Mbps (upstream) and 128 to 384 Kbps (downstream)<br />
A popular version of DSL for home users because it does not require a visit from the telephone company to configure the connection</p>
<p style="text-align: justify;"><strong>GSM mobile telephone service</strong> 9.6 to 14.4 Kbps<br />
Wireless technology used for mobile telephones</p>
<p style="text-align: justify;"><strong>High-bit-rate DSL (HDSL)</strong> Up to 3 Mbps<br />
Symmetric (equal upstream and downstream bandwidths) DSL technology, used to provide dedicated WAN links for businesses</p>
<p style="text-align: justify;"><strong>Institute of Electrical and Electronics Engineers (IEEE) 802.11b (wireless)</strong> 5.5 Mbps or 11 Mbps<br />
A popular wireless technology, widely used in wireless LANs (WLANs)</p>
<p style="text-align: justify;"><strong>IEEE 802.11a (wireless)</strong> Up to 54 Mbps<br />
Considered as the successor to 802.11b, but incompatible with it</p>
<p style="text-align: justify;"><strong>Integrated services digital network DSL (IDSL)</strong> 128 Kbps<br />
Home users who cannot use ADSL or HDSL</p>
<p style="text-align: justify;"><strong>Integrated services digital network (ISDN)</strong> 64 Kbps to 128 Kbps<br />
Home users and small enterprises</p>
<p style="text-align: justify;"><strong>Regular telephone (POTS, plain old telephone service)</strong> Up to 56 Kbps<br />
Uses a modem to connect a home to an ISP</p>
<p style="text-align: justify;"><strong>Synchronous optical network (SONET)</strong> 51, 155, 622, 1244, or 2480 Mbps<br />
Most suited for backbones, different set of SONET signaling rates represented by optical carrier (OC) levels, ranging from OC-1 (52 Mbps) to OC-256 (9.6 Gbps)</p>
<p style="text-align: justify;"><strong>T1</strong> 1.544 Mbps<br />
Connections between large companies and branch offices or an ISP</p>
<p style="text-align: justify;"><strong>T3</strong> 45 Mbps<br />
Corporations that transmit large amounts of data, and require the increased bandwidth</p>
<p style="text-align: justify;"><strong>Token Ring </strong>4 or 16 Mbps<br />
Most suited for LANs, but eclipsed by Ethernet, considered a legacy technology</p>
<p style="text-align: justify;"><strong>Very-high-rate DSL (VDSL)</strong> Up to 55 Mbps (upstream) and 2.3 Mbps (downstream) over short distances (less than a mile)<br />
Emerging DSL technology</p>
<p style="text-align: justify;"><strong>X.25 </strong>Up to 2 Mbps, but typically 64 Kbps<br />
Communication between mainframes and &#8220;dumb&#8221; client terminals, largely replaced by other technologies, but still used in specialist financial applications</p>
]]></content:encoded>
			<wfw:commentRss>http://www.icalvyn.com/bandwidth-on-internet-connectivity/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

