Security Issues In Mobile IP

Zhang Chao, Tsinghua University, Electronic Engineering

OUTLINE
1. Introduction
2. Typical threats
3. Mobile IPv6 and new threats
4. Open issues

What is Mobile IP?
Mobile IP is a protocol developed by the IETF to solve the mobility problem of network nodes. It enables a wireless network node to move freely from one point of connection to the Internet to another without disrupting end-to-end TCP connectivity.

How does Mobile IP work?
When a mobile node (MN) moves from its home link to a foreign link, it acquires an IP address from the foreign agent (FA), called the care-of address (CoA). It also keeps its own home address.
Registration: the MN tells its home agent (HA) its new CoA.
All packets sent to the MN by a correspondent node (CN) are addressed to the original home address and arrive at the MN's HA, which forwards them to the MN's CoA through a tunnel.

DoS attack
When an attacker sends a fake registration request to the HA, using its own address as the CoA:
1. the attacker will receive all the packets that belong to the MN
2. all connections to the MN will fail

Solution to DoS
Mobile IP requires that all registration messages between the MN and the HA be strictly authenticated.
Keyed MD5, a symmetric-key algorithm, is the default authentication algorithm.
The MN and the HA agree on the same secret key before registration and use it to produce a 16 bit message digest. The HA checks whether the digest it received equals the digest it calculates itself.

Replay Attack
An attacker saves an old, valid registration message of the MN and re-sends it to the HA. The HA will then forward packets to the old CoA rather than to the MN's newly allocated CoA.
Solution: the Identification field in registration messages
-- Time stamps
-- Nonces
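The two defenses above (a keyed-MD5 authenticator and a timestamp-style Identification value) can be seen working together in a home agent's registration check. This is an added example, not code from the original slides; the packet layout, the `HomeAgent` class, the 7-second tolerance and all addresses and keys are constructed assumptions.

```python
import hashlib, hmac, struct

def authenticator(key: bytes, msg: bytes) -> bytes:
    # Keyed MD5, prefix+suffix mode: MD5(key || message || key); MD5 yields 16 bytes
    return hashlib.md5(key + msg + key).digest()

def build_request(key, home, coa, ident):
    # Constructed layout, not the real wire format: home | CoA | 64-bit Identification
    body = home + coa + struct.pack("!Q", ident)
    return body + authenticator(key, body)

class HomeAgent:
    MAX_SKEW = 7  # assumed tolerance (seconds) between MN and HA clocks

    def __init__(self, keys):
        self.keys = keys        # home address -> secret shared with that MN
        self.last_ident = {}    # home address -> newest Identification accepted
        self.bindings = {}      # home address -> current care-of address

    def register(self, packet: bytes, now: int) -> str:
        body, digest = packet[:-16], packet[-16:]
        home, coa = body[:4], body[4:8]
        (ident,) = struct.unpack("!Q", body[8:16])
        key = self.keys.get(home)
        # Constant-time comparison of received vs. locally computed digest
        if key is None or not hmac.compare_digest(authenticator(key, body), digest):
            return "denied: authentication failed"
        # Timestamp-style Identification: must be fresh and newer than the last one
        if abs(now - ident) > self.MAX_SKEW or ident <= self.last_ident.get(home, -1):
            return "denied: identification mismatch"
        self.last_ident[home] = ident
        self.bindings[home] = coa
        return "accepted"

def demo():
    key = b"constructed-shared-secret"
    home, coa_old, coa_new = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])
    ha = HomeAgent({home: key})
    old = build_request(key, home, coa_old, 1000)
    results = [ha.register(old, 1001)]                                    # genuine
    results.append(ha.register(build_request(key, home, coa_new, 1060), 1060))  # MN moved
    results.append(ha.register(old, 1090))                                # replayed capture
    forged = build_request(b"wrong-key", home, bytes([203, 0, 113, 66]), 1091)
    results.append(ha.register(forged, 1091))                             # no shared key
    return results, ha.bindings[home]

if __name__ == "__main__":
    print(demo())
```

The replayed message carries a valid digest, so only the Identification check stops it; the binding stays on the MN's newest care-of address.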

DoS attack from MN
A malicious MN could lie about its CoA and in this way mount a DoS attack against another node in the Internet. The deceived HA will wrongly direct the traffic to the victim node.
However, such an attack is easy to trace, since the MN must use its own Security Association information.

TCP SYN Flooding
An attacker uses fake IP addresses to send TCP SYN packets, tying up the resources of systems that offer TCP services.
TCP SYN flooding cannot be completely solved unless the TCP protocol is redesigned.
Mobile IP usually uses ingress filtering to control access and relieve the flooding. However, this means that Mobile IP's assumption that routing is independent of the source address fails.
Some adaptations:
-- Use the care-of address as the source address (Mobile IPv6)
-- Reverse tunneling

Mobile IPv6
The MN selects its CoA itself; there is no need for an FA.
Binding Update (BU) and Binding Acknowledgement messages.
When a correspondent node (CN) wants to communicate with the MN, its request is sent to the HA and then forwarded to the MN.
The MN replies with its new CoA information.
The CN binds the CoA to the HA.
The MN can then communicate directly with the CN, without triangular routing.

Security of Mobile IPv6
Uses extension headers.
No FA.
The process by which the CN receives Binding Update information is vital and can be attacked.
Some security problems are generic and not specific to Mobile IPv6.

Threats against Mobile IPv6 (1)
If the attacker knows the home address of the MN, it can send a fake Binding Update to the CN, directing the connection to itself.

Threats against Mobile IPv6 (2)
An attacker uses BU messages to direct flooding packets to a victim node.

Threats against Mobile IPv6 (3)
When the attacker is on the route between the MN and the CN, it can modify the BU messages to mount man-in-the-middle attacks.

Threats against Mobile IPv6 (4)
An attacker sends millions of fake BU messages to the CN and the HA to exhaust their storage and CPU.

Solutions
These threats all stem from the fact that the CN cannot authenticate or understand Binding Update messages, and they can be solved by an authentication mechanism.
When the MN and the CN share the same Security Authority, IPsec can be deployed for authentication.
In practice, the MN and the CN usually do not have the same SA, so the Return Routability Procedure is used.

RRP mechanism
Return Routability Procedure: authenticates that the CoA and the HA belong to the same MN.
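How a correspondent node can check that the sender of a Binding Update is reachable at both addresses, without holding state for unverified senders, is sketched below. This is an added example, not code from the original slides: it follows the keygen-token construction of the Mobile IPv6 specification (RFC 3775) with simplified message contents, and the class, function names and 2001:db8:: addresses are assumptions.

```python
import hashlib, hmac, ipaddress, os
# Added illustration: names and message layout are assumptions, not a wire format
class CorrespondentNode:
    def __init__(self, addr):
        self.addr = addr
        self.kcn = os.urandom(20)        # secret node key Kcn, never leaves the CN
        self.nonces = [os.urandom(8)]    # referenced by index in later messages
        self.binding_cache = {}          # home address -> care-of address

    def _token(self, addr, idx, kind):
        # kind 0 = home keygen token, kind 1 = care-of keygen token
        data = addr + self.nonces[idx] + bytes([kind])
        return hmac.new(self.kcn, data, hashlib.sha1).digest()[:8]

    def home_test(self, hoa):            # reply is routed to the home address via the HA
        return 0, self._token(hoa, 0, 0)

    def care_of_test(self, coa):         # reply is routed directly to the CoA
        return 0, self._token(coa, 0, 1)

    def binding_update(self, hoa, coa, seq, h_idx, c_idx, mac):
        # Recompute both tokens from the indices in the BU: no per-MN state before this
        kbm = binding_key(self._token(hoa, h_idx, 0), self._token(coa, c_idx, 1))
        if not hmac.compare_digest(bu_mac(kbm, coa, self.addr, hoa, seq), mac):
            return False
        self.binding_cache[hoa] = coa
        return True

def binding_key(home_token, care_of_token):
    return hashlib.sha1(home_token + care_of_token).digest()

def bu_mac(kbm, coa, cn_addr, hoa, seq):
    # Simplified stand-in for the Binding Update contents covered by the MAC
    data = coa + cn_addr + hoa + seq.to_bytes(2, "big")
    return hmac.new(kbm, data, hashlib.sha1).digest()[:12]

def demo():
    ip = lambda n: ipaddress.IPv6Address(f"2001:db8:{n}::1").packed  # constructed addresses
    hoa, coa, cn_addr, other = ip(1), ip(2), ip(3), ip(4)
    cn = CorrespondentNode(cn_addr)
    h_idx, h_tok = cn.home_test(hoa)
    c_idx, c_tok = cn.care_of_test(coa)
    good = bu_mac(binding_key(h_tok, c_tok), coa, cn_addr, hoa, 1)
    accepted = cn.binding_update(hoa, coa, 1, h_idx, c_idx, good)
    # A node at `other` passes its own care-of test but never sees the home keygen token
    o_idx, o_tok = cn.care_of_test(other)
    forged = bu_mac(binding_key(bytes(8), o_tok), other, cn_addr, hoa, 2)
    rejected = not cn.binding_update(hoa, other, 2, h_idx, o_idx, forged)
    return accepted, rejected, cn.binding_cache[hoa] == coa
```

`demo()` returns `(True, True, True)`: the genuine update is accepted, the update built without the home keygen token is rejected, and the binding cache still maps the home address to the MN's own care-of address.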

Mobile IPv4 versus Mobile IPv6

| Mobile IPv4 | Mobile IPv6 |
| --- | --- |
| Triangular routing; the CN cannot understand the BU message | Route optimization; RRP protects BU messages between the MN and the CN even when they do not share the same Security Authority |
| When ingress filtering is used to defeat DoS attacks, reverse tunneling must be deployed to make sure the packets sent by the CN can reach the MN | When ingress filtering is used to defeat DoS attacks, there is no need for reverse tunneling; better coexistence with the ingress filtering policy |
| Address Resolution Protocol, easily attacked | Neighbor Discovery Protocol, with better robustness and security |
| Foreign Agent, a potential threat | No FA |

Open issues
Location privacy of the MN
-- No mechanism exists in the Mobile IP specifications to fix it; it is usually solved by bi-directional tunneling.
Protection of the MN-CN signaling
-- IPsec: costly and relies on a public key infrastructure
-- Purpose-Built Keys (PBK): still under research
-- Cryptographically Generated Addresses (CGA): complementary to RRP, but costly