IMS Care-of-Address Authentication


Secure Mobile IPv6 for B3G Networks
Advisor: Prof. 黃培壝
Student: 藍成浩
Author and Source
Celentano, D.; Fresa, A.; Longo, M.; Postiglione, F.;
Robustelli, A.L.;
Software in Telecommunications and Computer Networks,
2006. SoftCOM 2006. International Conference on
Sept. 2006 Page(s):331 - 335
Outline
- Introduction
- The IMS Scenario
- Security Vulnerabilities Of Mobile IPv6 And Return Routability Procedure
- Deploying MIPv6 In IMS Networks
- A Solution To MIPv6 Security Threats
- Conclusion
Introduction
- Beyond-3G (B3G).
- B3G differs from 3G.
- B3G uses IP (Internet Protocol) to integrate heterogeneous multi-access networks, letting users roam between the various networks and enjoy seamless access anytime, anywhere.
Introduction
- Among B3G access technologies, OFDM attracts the most attention.
- OFDM is a multi-carrier modulation technique: a large number of signals carried on different-frequency carriers are combined into a single signal for transmission.
  - Suited to high-speed broadband wireless transmission
  - Strong resistance to noise and fading
Introduction
- 3GPP defined a network infrastructure named the IP Multimedia Subsystem (IMS).
- A general-purpose platform based on SIP (Session Initiation Protocol).
- It provides all real-time multimedia services to mobile users through IP technology.
Introduction
- MIPv6 permits an IPv6 user terminal to be reached, and to reach other users, while roaming across various subnets.
- However, MIPv6 has some security weaknesses in heterogeneous wireless networks.
- Serious security threats are currently associated with the delivery of the messages a mobile terminal sends to its correspondent users to notify them of its new MIPv6 contact address.
Introduction
- The authors propose integrating the MIPv6 framework into SIP-based IMS networks while providing telephone-class security standards.
- We improve the security level of the MIPv6 signalling messages exchanged in order to allow seamless session continuity.
The IMS Scenario
- IMS will play an important role in B3G all-IP networks.
- It offers telecom operators the opportunity to build a unified and open service infrastructure.
- Easy deployment of new and rich real-time multimedia communication services.
The IMS Scenario
- IMS introduced the Call Session Control Function (CSCF) servers, which are its core elements.
- Types of CSCF:
  - P-CSCF (Proxy-CSCF)
  - I-CSCF (Interrogating-CSCF)
  - S-CSCF (Serving-CSCF)
- Essentially they are all SIP servers that handle SIP signalling.
The IMS Scenario
- In such a scenario, a top priority for both users and operators is to achieve secure communications.
- The authors provide a robust framework that guarantees users' identities and prevents session hijacking and other attacks.
Security Vulnerabilities Of Mobile IPv6
And Return Routability Procedure
[Figure: MIPv6 routing between MN, HA and CN. Triangle routing: (1) packet from the CN to the HA, (2) packet tunneled by the HA to the MN, (3) packets from the MN to the CN. Route optimization: (1) Binding Update from the MN to the CN, (2) packets exchanged directly between CN and MN.]
Security Vulnerabilities Of Mobile IPv6
And Return Routability Procedure
- MIPv6 presents some security vulnerabilities when adopted in heterogeneous wireless networks.
- In particular, security threats may arise when the MN sends BU messages to its CN(s).
- Security between the MN and the HA is already guaranteed by adopting IPSec [8] together with the Encapsulation Security Payload (ESP) protocol [9]; the exposed path is therefore the BU signalling between MN and CN.
Security Vulnerabilities Of Mobile IPv6
And Return Routability Procedure
- The MN stores these cookie values so that it can verify that the cookies returned by the CN are the same.
- The CN generates two tokens.
- The MN uses these two tokens to derive the key, then sends a BU to the CN for authentication.
Security Vulnerabilities Of Mobile IPv6
And Return Routability Procedure
First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent | BU)))
- If the authentication data of the BU is valid, the correspondent node adds an entry in its Binding Cache for the particular MN and sends a BA message. Upon receipt of the BA message, the MN adds an entry to its Binding Update List for the CN.
Security Vulnerabilities Of Mobile IPv6
And Return Routability Procedure
- A malicious node, aware of a session between MN and CN, might simulate a handoff of the MN by sending fake HoTI and CoTI messages.
- In such a way, it can obtain Kbm and send a fake BU to the CN in order to redirect the MN-CN communication to itself (Impersonation Attack) or possibly also forward the traffic to the MN.
Deploying MIPv6 In IMS Networks
- This section analyses the authors' proposed mechanism in an IMS SIP-based network.
- It covers the architectural implications of the SIP signalling infrastructure and the advantages of integrating MIPv6 within IMS for mobility management and security.
Deploying MIPv6 In IMS Networks
- The IMS defines a security mechanism which verifies that the IPv6 packet source address of SIP messages originating from the MN corresponds to the IPv6 address reported in the SIP headers.
- Hence, this necessarily requires the MN to use the same address for both the IPv6 packet source address and the IPv6 address used at SIP level.
Deploying MIPv6 In IMS Networks
- Therefore, several scenarios are possible for address management [12]:
- (i) During SIP registration and session establishment the MN uses the CoA as its source address. The MN then has to re-register the new CoA with the Serving-CSCF at every link change; in real-time communications this would cause loss of RTP packets while the re-INVITE procedure is completed, and it does not guarantee continuity of TCP-based sessions;
Deploying MIPv6 In IMS Networks
- (ii) In SIP signalling the MN provides both the CoA and the HoA. This requires changes to current SIP standards and is therefore neither easily feasible nor recommended;
- (iii) During SIP registration and session establishment the MN provides the HoA as the IPv6 source address.
Deploying MIPv6 In IMS Networks
- In this way, when the MN changes CoA it does not need to re-register or re-INVITE other nodes; it updates the new CoA through MIPv6 signalling. If we suppose that the SIP proxy (P-CSCF) supports the MIPv6 stack, the SIP application can be completely unaware of changes to the MN's CoA.
- Approach (iii) is therefore efficient and has low impact on existing applications, protocols and nodes.
A Solution To MIPv6 Security Threats
- The security vulnerabilities of an MIPv6-enabled IMS network were discussed above.
- As in [13], the authors propose generating the authentication key Kbm at call setup (INVITE message) and distributing it to the MN and CN within the body of the SIP 200 OK and ACK messages, instead of using the RRP procedure.
A Solution To MIPv6 Security Threats
- The distribution of the keys is secured between any SIP user (MN and CN) and its own P-CSCF by IPSec with ESP.
- It is important to highlight that this procedure is performed only at the beginning of a communication session, while the standard MIPv6 RRP between MN and CN would have to be repeated, together with the BU, after every terminal handoff.
- Such an improvement can appreciably reduce end-to-end delays during real-time communications.
A Solution To MIPv6 Security Threats
- Using only the Kbm key protects against attacks by a third party.
- Our proposal against this kind of threat is based on the use of the AAA server, which must generate an additional key, named Ka.
- During the INVITE phase Ka is sent to P-CSCF1 and to the CN, but not to the MN.
A Solution To MIPv6 Security Threats
- The MN, after roaming to a new subnet and acquiring a new CoA, performs a BU towards its P-CSCF;
- In the subsequent BA answer message the MN is provided with a value CoA-Auth generated by the P-CSCF as a hash function of Ka and the new CoA.
A Solution To MIPv6 Security Threats
- The subsequent BU to the CN will then include the value CoA-Auth, which will be used by the CN (together with the Ka key) to authenticate the new MN's CoA.
- However, in order to include the CoA-Auth value in the BA and BU messages, a new "IMS Care-of-Address Authentication" MIPv6 Mobility Option must be adopted.
Conclusion
- In this paper the authors propose a way to achieve seamless session mobility in an MIPv6-enabled IMS network.
- The IMS centralised AAA Server generates, manages and distributes the MIPv6 authentication keys, thus increasing security.
- Furthermore, the handoff latency is consequently minimised, as already shown in [13].