Credit-Based Authorization for HIP Mobility

Transcription

1 Credit-Based Authorization for HIP Mobility draft-vogt-hip-credit-based-authorization Christian Vogt, HIP Working Group Meeting, IETF 62 Minneapolis, MN, March 9, 2005 Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 1

2 HIP Mobility Management Mobile Detach Attach Update [ Loc ] Update [ Echo Resp ] Update [ Echo Req ] New Loc known but unverified New Loc known and verified draft-ietf-hip-mm Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 2

3 Why Do We Need Reachability Verification? Because of redirection-based flooding attacks Here, the attacker initiates download from CN redirects packets to a victim spoofs acknowledgments Attacker Reachability verification precludes this Victim Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 3

4 Some Observations What makes redirection-based flooding attractive? High potential for amplification (CN generates packets; attacker just spoofed Acks, if at all) Any IP node can be the victim Presumably plenty available CN's (that can be tricked into assisting in the attack) Easy set-up, no viral code distribution (in contrast to many conventional DoS attacks) Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 4

5 Some Observations HIP provides authentication, but Authentication does not imply security against flooding (Attacker can authenticate, because it redirects its own packets) Security against flooding not necessarily requires authentication Authentication alone may not be a discouragement Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 5

6 Other Protection Mechanisms Trusting MN's Administrative relationship may imply trust (Home Agent in MIPv6, CN in MIPv6 with pre-computed binding keys) Ingress filtering Does not protect a network from a flooding attack, but prevents initiation of a flooding attack from a certain network Depends on wide, preferably universal deployment Currently questionable whether this is the case today Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 6

7 How HIP Mobility Management Performs Mobile Detach Attach Last packet 2 RTT First packet draft-ietf-hip-mm Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 7

8 How Can This Be Optimized? Idea: CN uses address while unverified and protects period of vulnerability Option 1: Lifetime restriction Disable unverified address after X seconds Easy to implement, but little secure (Attacker could re-register unverified address, or toggle btw. verified/unverified addresses) Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 8

9 How Can This Be Optimized? Option 2: Heuristics must be rigid enough to recognize attacks early on, but must not cause immature sanctions on upright MN's Upright MN's may look like attackers from remote (E.g., new address may become stale before getting verified) Appropriate heuristics may not be easy to find Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 9

10 How Can This Be Optimized? Option 3: Credit-Based Authorization Recall: amplification makes redirection-based flooding attractive CBA prevents amplification, not misdirection per se Rationale: No amplification redirection-based flooding unattractive because other attack strategies are simpler do not require authentication may even have some amplification Examples are direct flooding, TCP-SYN spoofing Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 10

11 Credit-Based Authorization Mobile Acquires credit by sending pkts. Consumes credit for being sent pkts. to unverified addr. Maintains credit account Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 11

12 Credit-Based Authorization Mobile Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 12

13 Credit-Based Authorization Mobile Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 13

14 Credit-Based Authorization Mobile Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 14

15 Credit-Based Authorization Mobile Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 15

16 Credit-Based Authorization Mobile Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 16

17 Credit-Based Authorization Mobile Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 17

18 Credit-Based Authorization Mobile Detach Attach Loc unverified Signaling not shown Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 18

19 Credit-Based Authorization Mobile Detach Attach Loc unverified Signaling not shown Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 19

20 Credit-Based Authorization Mobile Detach Attach Loc unverified Signaling not shown Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 20

21 Credit-Based Authorization Mobile Detach Attach Loc unverified Signaling not shown Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 21

22 Credit-Based Authorization Mobile Detach Attach Loc unverified Signaling not shown Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 22

23 Credit-Based Authorization Mobile Detach Attach Loc unverified Signaling not shown! Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 23

24 Credit-Based Authorization Mobile Detach Attach Loc unverified Signaling not shown Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 24

25 Credit-Based Authorization Mobile Detach Attach Loc unverified Signaling not shown Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 25

26 How About Time-Shifting Attacks? How can an attacker prevented from accumulating credit over a long time at a slow rate, and using this credit all at once Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 26

27 How About Time-Shifting Attacks? Solution: Age existing credit ("negative interests") Credit Aging prevents time-shifting CN learns new Loc New Loc unverified New Loc becomes verified Time Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 27

28 How About Asymmetric Traffic? Issue: Applications with asymmetric traffic patterns MN may not be able to collect sufficient credit Option 1: Aging allows for asymmetry May limit supported applications Option 2: Credit for packet reception and processing Requires feedback mechanism for CN IP-address spot checks (in-band reachability verification) Optional, not presented here Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 28

29 How Much Do We Benefit? draft-ietf-hip-mm Credit-Based Authorization Mobile Mobile Last packet Last packet 2 RTT 1 RTT First packet First packet Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 29

30 Conclusions Credit-Based Authorization prevents amplified, redirection-based flooding attacks allows CN to use unverified locators reduces handover-signaling delays by 1 RTT is transparent to MN Implementation exists for Mobile IPv6 Binding Cache holds per-mn variables Modifications only minor Similar integration possibilities in HIP Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 30

31 Conclusions Interest to the WG? Possibly after base specification published? As part of the MM document? (Might make sense to optimize MM right away rather than through an optional extension ) Christian Vogt, Research Institute of Telematics, University of Karlsruhe, Germany 31