Mobile IP Security
Konidala M. Divyan
International Research Center for Information Security
Network Security (ICE 615)
Term Project – 2002 Autumn
Mobile Devices
8th October 2002
Demand for Mobility
[Chart: Mobile Subscriber and Mobile Internet Subscriber, in millions (0 to 1800), by year, 2000 to 2010]
Mobile IP solves the following
problems:
• If a node moves from one link to another without
changing its IP address, it will be unable to receive
packets at the new link
• If a node changes its IP address when it moves, it
will have to terminate and restart any ongoing
communications each time it moves
• Mobile IP solves these problems in a secure, robust,
and medium-independent manner whose scaling
properties make it applicable throughout the entire
Internet
Example
[Diagram labels: Home network A, Home Agent, Network B, Network C, Corresp. Node C, Internet, Router (R)]
Triangle Routing (Mobile IPv4)
[Diagram labels: Network A, Home Agent, Network B, Mobile Node, Network C, Corresp. Node C, Internet, R]
• Corresp. Node C initiates communication with Mobile
Node and sends packets to MN's home address
• Home Agent intercepts packets and forwards them to
the Mobile Node (proxy functionality)
• Mobile Node replies directly to Corresp. Node C
Mobile Node registers at its Home Agent
[Diagram labels: Network A, Home Agent, Network B, Mobile Node, Network C, Corresp. Node C, Internet, R]
• Mobile Node sends Binding Update
• Home Agent replies with Binding Acknowledgement
Mobile IPv6 Roaming
[Diagram labels: Network A, Home Agent, Network B, Network C, Corresp. Node C, Network D, Internet, R]
• Mobile Node sends Binding Updates to Home Agent and
all Corresp. Nodes that have already received a previous
Binding Update from this Mobile Node
Binding Updates
• Mobile IPv6 creates a new class of messages
called binding updates that confirm the
identity of a device as it moves to a new
location
• Binding updates are a shortcut designed to
speed wireless communications that use IPv6
• Once the binding update is authenticated,
communications go straight to the new
location without passing through the home
address
Security Requirements for
Binding Updates
• Authentication is a must.
• Minimize number of messages and bytes
exchanged.
• Not too computationally intensive for
mobile nodes.
• Resist denial-of-service attacks.
• No weaker than Mobile IPv4.
Reasons for choosing this topic
(1/2)
• Mobile IP working group planned to use the
existing protocol IP Security (IPSec) to secure
binding update messages
• But the IETF's security experts recently
announced that IPSec will not work for these
messages for two reasons
– IPSec depends on a public-key infrastructure that has
not yet been deployed.
– The key management component of IPSec requires
heavy processing by end devices.
Reasons for choosing this topic
(2/2)
• Using IPsec to Protect Mobile IPv6 Signaling
between Mobile Nodes and Home Agents
– draft-ietf-mobileip-mipv6-ha-ipsec-00.txt
– 20 September 2002
• Mobility Support in IPv6
– draft-ietf-mobileip-ipv6-18.txt
– 1 June 2002
• A great deal of attention is being focused on
making Mobile IP coexist with the security
features coming into use within the Internet
Goal of this project
• Study Mobile IP
• Study security issues with respect to
– Mobile IPv4
– Mobile IPv6
• Study current drafts relating to Mobile
IP Security
• Propose new ideas to improve the
Mobile IP Security
Security issues
• The sender of the BU is easily authenticated
• Protection of Binding Updates both to home
agents and correspondent nodes, and the
protection of tunnels, home address information,
and routing instructions in data packets
• Signaling between the mobile node and the
home agent requires message integrity,
correct ordering and replay protection
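
The integrity, ordering and replay requirements above, shown as a home agent's acceptance check for Binding Updates. This is an added example, not code from the presentation or from the IETF drafts it cites; the pre-shared key, the HMAC-SHA256 tag, the field encoding, the 16-bit wrapping sequence number and all names and addresses are assumptions of the example, not the Mobile IPv6 wire format.

```python
import hashlib
import hmac
import ipaddress
import struct

SEQ_MOD = 1 << 16  # assumption: 16-bit sequence number that wraps around


def encode_bu(home, care_of, seq, lifetime):
    """Fixed-width encoding of the fields the authenticator covers."""
    return (ipaddress.IPv6Address(home).packed
            + ipaddress.IPv6Address(care_of).packed
            + struct.pack("!HH", seq, lifetime))


def sign_bu(key, home, care_of, seq, lifetime):
    """Mobile node side: HMAC-SHA256 tag over the encoded Binding Update."""
    return hmac.new(key, encode_bu(home, care_of, seq, lifetime),
                    hashlib.sha256).digest()


def is_newer(seq, last):
    """True if seq is ahead of last by less than half the sequence space."""
    return 0 < (seq - last) % SEQ_MOD < SEQ_MOD // 2


class HomeAgent:
    def __init__(self, keys):
        self.keys = keys      # home address -> shared key (constructed values)
        self.bindings = {}    # home address -> (care-of address, last seq)

    def process_bu(self, home, care_of, seq, lifetime, tag):
        key = self.keys.get(home)
        if key is None:
            return "reject: unknown home address"
        # Integrity and origin: verify the tag first, in constant time,
        # so a forged message can never advance the stored sequence number.
        expected = sign_bu(key, home, care_of, seq, lifetime)
        if not hmac.compare_digest(expected, tag):
            return "reject: bad authenticator"
        # Ordering and replay: accept only a sequence number newer than the last.
        current = self.bindings.get(home)
        if current is not None and not is_newer(seq, current[1]):
            return "reject: stale or replayed sequence number"
        self.bindings[home] = (care_of, seq)
        return "accept"
```
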
One of the open issues
• Authorization for the MR to manage
mobility of the entire network
• But the same problem exists with respect to MNs:
– an MN needs to be authorized to send a BU for a
home address
– an MR needs to be authorized to send a BU for a
network prefix
– this is presently discussed at the IETF