NETLMM Security Threats on the MN-AR Interface draft-kempf-netlmm-threats-00.txt

Similar documents
Chapter 5. Security Components and Considerations.

IPv6 migration challenges and Security

Network Working Group. Category: Informational DoCoMo USA Labs April 2007

The Study on Security Vulnerabilities in IPv6 Autoconfiguration

Guide to TCP/IP Fourth Edition. Chapter 6: Neighbor Discovery in IPv6

IPv6 Traffic Hijack Test System and Defense Tools Using DNSSEC

Secure Neighbor Discovery. By- Pradeep Yalamanchili Parag Walimbe

CIS 5373 Systems Security

CIS 6930/4930 Computer and Network Security. Topic 8.1 IPsec

to-end Mobility Support: Combining Security and Efficiency Christian Vogt,

Security Considerations for IPv6 Networks. Yannis Nikolopoulos

SECURE ROUTER DISCOVERY MECHANISM TO OVERCOME MAN-IN THE MIDDLE ATTACK IN IPV6 NETWORK

Internet Engineering Task Force (IETF) Request for Comments: 6612 Category: Informational May 2012 ISSN:

IPv6 Security Course Preview RIPE 76

Fixed Internetworking Protocols and Networks. IP mobility. Rune Hylsberg Jacobsen Aarhus School of Engineering

Network Security. Evil ICMP, Careless TCP & Boring Security Analyses. Mohamed Sabt Univ Rennes, CNRS, IRISA Thursday, October 4th, 2018

LECTURE 8. Mobile IP

PMIPv6 PROXY MOBILE IPV6 OVERVIEW OF PMIPV6, A PROXY-BASED MOBILITY PROTOCOL FOR IPV6 HOSTS. Proxy Mobile IPv6. Peter R. Egli INDIGOO.COM. indigoo.

generated, it must be associated with a new nonce index, e.g., j. CN keeps both the current value of N j and a small set of previous nonce values, N j

IPv6 Security. David Kelsey (STFC-RAL) IPv6 workshop pre-gdb, CERN 7 June 2016

IPv6- IPv4 Threat Comparison v1.0. Darrin Miller Sean Convery

Security Issues In Mobile IP

Recent advances in IPv6 insecurities reloaded Marc van Hauser Heuse GOVCERT NL Marc Heuse

MANET Autoconfiguration using DHCP.

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

Credit-Based Authorization for HIP Mobility

IPv6 Security Fundamentals

A Framework for Optimizing IP over Ethernet Naming System

Adopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks

IPv6 Snooping. Finding Feature Information. Restrictions for IPv6 Snooping

Contents. Configuring urpf 1

Wireless Network Security Spring 2016

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

DELVING INTO SECURITY

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY Information and network security Network security. IPv6 technical security guidelines

Multiple Care-of Address Registration draft-ietf-monami6-multiplecoa-04.txt

Configuring IPv6 First-Hop Security

Wireless Network Security Spring 2015

Network Security: Security of Internet Mobility. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

Session Overview. ! Introduction! Layer 2 and 3 attack scenarios! CDP, STP & IEEE 802.1q! ARP attacks & ICMP abuse! Discovering & attacking IGPs

IP over ETH over IEEE draft-riegel-16ng-ip-over-eth-over Max Riegel

Virtual Private Networks.

T Computer Networks II. Mobility Issues Contents. Mobility. Mobility. Classifying Mobility Protocols. Routing vs.

An Analysis of Fast Handover Key Distribution Using SEND in Mobile IPv6

Security in an IPv6 World Myth & Reality

Expiration Date: August 2003 February Access Control Prefix Router Advertisement Option for IPv6 draft-bellovin-ipv6-accessprefix-01.

Secure Bootstrapping and Routing in an IPv6-Based Ad Hoc Network

Request for Comments: 4016 Category: Informational March 2005

Mobile IPv6. Washington University in St. Louis

IPv6 Snooping. Finding Feature Information. Restrictions for IPv6 Snooping

MIX Network for Location Privacy First Draft

Module 28 Mobile IP: Discovery, Registration and Tunneling

An On-demand Secure Routing Protocol Resilient to Byzantine Failures

Lecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015

Detecting the Auto-configuration Attacks on IPv4 and IPv6 Networks

Mobile Ad-hoc Network. WIDE project/keio University

TD#RNG#2# B.Stévant#

IPv6 Protocol. Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer Cisco Systems, Inc.

Credit-Based Authorization

Route Optimization based on ND-Proxy for Mobile Nodes in IPv6 Mobile Networks

Ad-hoc and Infrastructured Networks Interconnection

Improvement of Address Resolution Security in IPv6 Local Network using Trust-ND

Network Working Group Request for Comments: Nokia Research Center F. Dupont GET/ENST Bretagne June 2004

SJTU 2018 Fall Computer Networking. Wireless Communication

Mobile IPv6. Raj Jain. Washington University in St. Louis

Network Working Group. Category: Standards Track Universitaet Karlsruhe (TH) W. Haddad Ericsson Research May 2007

Outline. Goals of work Work since Atlanta Extensions Updates Made Open Issues Ad-hoc meeting & Next Teleconference Links

Request for Comments: 4433 Category: Standards Track Cisco Systems Inc. March 2006

Mobile IP Overview. Based on IP so any media that can support IP can also support Mobile IP

IPv6 NEMO. Finding Feature Information. Restrictions for IPv6 NEMO

CSCE 715: Network Systems Security

A Survey of BGP Security Review

MOBILITY AGENTS: AVOIDING THE SIGNALING OF ROUTE OPTIMIZATION ON LARGE SERVERS

HP 3600 v2 Switch Series

Wireless Network Security Spring 2015

Border Router Discovery Protocol (BRDP) Based Routing

11. IP Mobility 최 양 희 서울대학교 컴퓨터공학부

NETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

HPE FlexFabric 5940 Switch Series

Configuring Wireless Multicast

CSC 6575: Internet Security Fall Attacks on Different OSI Layer Protocols OSI Layer Basic Attacks at Lower Layers

ECE 697J Advanced Topics in Computer Networks

Keying & Authentication for Routing Protocols (KARP) draft-lebovitz-kmart-roadmap-03

HIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson

SECURE ROUTING PROTOCOLS IN AD HOC NETWORKS

Network Security. Security of Mobile Internet Communications. Chapter 17. Network Security (WS 2002): 17 Mobile Internet Security 1 Dr.-Ing G.

ARP Inspection and the MAC Address Table for Transparent Firewall Mode

Request for Comments: INRIA K. El Malki Ericsson L. Bellier INRIA August Hierarchical Mobile IPv6 Mobility Management (HMIPv6)

Control Plane Protection

An On-demand Secure Routing Protocol Resilient to Byzantine Failures. Routing: objective. Communication Vulnerabilities

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

OSPF Protocol Overview on page 187. OSPF Standards on page 188. OSPF Area Terminology on page 188. OSPF Routing Algorithm on page 190

DNS Security. * pers/dnssec/dnssec.html. IT352 Network Security Najwa AlGhamdi

SECURITY IN AN IPv6 WORLD MYTH & REALITY. RIPE 68 Warsaw May 2014 Chris Grundemann

Request for Comments: T. Aura Microsoft Research G. Montenegro Microsoft Corporation E. Nordmark Sun Microsystems December 2005

The Layer-2 Insecurities of IPv6 and the Mitigation Techniques

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

The Layer-2 Security Issues and the Mitigation

Outline NET 412 NETWORK SECURITY PROTOCOLS. Reference: Lecture 7: DNS Security 3/28/2016

IPv6 Security Vendor Point of View. Eric Vyncke, Distinguished Engineer Cisco, CTO/Consulting Engineering

Transcription:

Draft summary Reviewers' comments Mailing-list discussion NETLMM Security Threats on the MN-AR Interface draft-kempf-netlmm-threats-00.txt

New Terminology 1 MN authentication: Initial authentication of MN for network-access authorization MN identifier: String based on which MN authentication can be accomplished Data-origin verification: Sender verification for IP packets sent by a MN for network-access and accounting purposes Data-origin identifier (formerly called a "per-packet identifier"): String/property based on which MN can be identified for data-origin verification of its IP packets Locator: Destination address of an IPv6 data packet (This is not a definition specific to NETLMM.) Thanks to Julien for raising the need for a better terminology

Roaming at a Victim's Costs 2 Problem: Spoofed data-origin ID Attacker sends packets on behalf of victim Attacker roams at a victim's costs After initial MN authentication Data-origin verification can prevent this May have to be bound to initial MN authentication Only in MN-2-CN direction External protection against bogus packets from malicious CN

Off-Path Eavesdropping Problem: Impersonation during DNA Impersonator mimics victim during DNA NETLMM redirects victim's packets to impersonator eavesdropping from off the path Limitation: Impersonator cannot forward packets to MN if MN is on different link because impersonator uses same IP address as MN Different than in Mobile IPv6, where impersonator's "c/o address" differs from victim's "home address" 3

Denial of Service Problem: Impersonation during DNA Similar to off-path eavesdropping, Misuse of DNA Redirection of victim's packets but intended to cause DoS to victim Limitation: Attacker must redirect packets to itself because NETLMM delivers packets to where a MN is believed to be seen Again different than in Mobile IPv6 4

Threats to AR Functions Problem: Rouge AR acts as man in the middle May eavesdrop on packets, modify packets, forward packets via a path outside NETLMM Limitation: Return packets go through NETLMM Rouge AR may see return packets, but may not be able to modify them But: Rouge AR may act as NAT box 5

Threats to IPv6 Neighbor Discovery Problem: Vulnerabilities of ND6/DNA Apply to NETLMM because NETLMM uses ND6/DNA SeND can prevent some attacks 6

Location Privacy Problem: MN identifier associated w/ IP address MN identifier leaks during MN authentication Attacker associates identifier w/ IP address Attacker then tracks victim's IP address Threat 1: Attacker on access link Sends NS for victim Address resolution or DAD Do ARs forward ND6 signaling to other links? DAD requires this given that links have common prefix(es) NA indicates that victim is inside NETLMM or on the same link 7

Location Privacy (2) Threat 2: Attacker btw. ARs and MAP Attacker eavesdrops on NETLMM signaling Most effective close to MAP Encryption can prevent this Threat 3: IP address tells victim is inside NETLMM Limitation: NETLMM prefix not very precise Traceroute, too, may not produce meaningful information due to the MAP-AR tunnel 8

Some comments related to AR- MAP interface. This summary focuses on MN-AR interface. Reviewers' Comments Mailing List Discussion 9

Implicit Data-Origin Identifier Data-origin ID may not show up in packets Can be port of switch, frequency slot, time slot, etc. Identified by Julien 10 Data-origin ID can be MN-MAP security context MN perceives all ARs as a single, "virtual" MAP Identified by Gerardo

Flooding Mobile Nodes 11 Draft does not mention flooding of MN's IP address Mentions only flooding of ARs or MAPs More dangerous for existing IP addresses Bandwidth of MAP's Internet attachment Routing-table look-up at MAP Encapsulation at MAP (special in NETLMM) Bandwidth w/in NETLMM domain Decapsulation at AR (special in NETLMM) Neighbor Cache look-up at AR New Neighbor Cache entry at AR ND6 signaling w/in access network Less dangerous for non-existing IP addresses MAP discards packet after routing-table look-up Identified by Julien See also RFC 3756, "IPv6 Neighbor Discovery (ND) Trust Models and Threats", section 4.3.2

IGP Security vs. NETLMM Security IGP security vs. NETLMM security unclear Draft relates IGP security to NETLMM security, but routing protocol is hop-by-hop NETLMM protocol is end-to-end (i.e., AR-to-MAP) Clarify that in the draft Identified by Vidya 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback