mobileIP_ security


Mobile IPv4 & Mobile IPv6
Mohamed M Khalil
1
Mobile IP - Why?

[Figure: Sub-network A and Sub-network B connected over an IP based network]

A mobile workforce carries its laptops between sub-networks and wants to communicate with different hosts on the IP based network.

Mobile IP - The Problem

[Figure: a host attached to its Home Subnetwork moves to a Foreign Subnetwork across the IP based network]

When a Mobile Node (MN) moves across subnetworks it changes its point of attachment, while packets addressed to its home-subnetwork address are still routed to the home subnetwork.

Mobile IP - Mobility Model

[Figure: a Source Node sends to a Destination Node through Internet routing; a Location Directory (LD) and an Address Translation Agent (ATA) redirect the traffic to a Forwarding Agent (F-1) near the destination]

LD: Location Directory.
ATA: Address Translation Agent.
F-1: Forwarding Agent.

The solution should maintain all existing communications between the MN and other hosts while the MN is changing its point of attachment.

Mobile IPv4 - Design Requirements

• No modification to the host operating system
• Application transparency
• Network-wide mobility scalability
• No modification to IP based routing
• Compatibility with IP based addressing
• Compatibility with existing IP based network computers and applications

Mobile IPv4 - IETF Architecture

[Figure: Mobile IP entities and relationships. The Mobile Node is shown at its Home Link (Home Network, Home Agent) and at a Foreign Link (Foreign Network, Foreign Agent); both links connect through the IP based network to a Host]

• The Home Agent (HA) provides the functions of the LD and the ATA.
• The Foreign Agent (FA) provides the function of the Forwarding Agent.

Mobile IPv4 - Agent Advertisements

[Figure: a Mobility Agent sends an Agent Advertisement on the link shared with the Mobile Node and other Hosts]

• Mobility agents (home agents and foreign agents) advertise their presence.
• From the advertisement the MN determines whether it is on its home link or on a foreign link.
• On a foreign link the MN acquires a care-of address and a default router.

Mobile IPv4 - Registration

[Figure: Home Link (Home Agent, Router, Host) and Foreign Link (Foreign Agent, Mobile Node) joined by the IP based network; steps 1-4 below are drawn as arrows, and the Home Agent issues a Gratuitous ARP on the home link]

1- The MN sends a Registration Request to the FA.
2- The FA relays the request to the HA.
3- The HA accepts or denies the request; on acceptance it issues a gratuitous ARP on the home link so that it receives packets sent to the MN's home address.
4- The FA relays the Registration Reply (the status) to the MN.

Mobile IPv4 - Data Transfer

[Figure: a Host sends to the MN's home address; the Home Agent tunnels the packets across the IP based network to the Foreign Agent on the Foreign Link]

• Packets from the Host to the MN's home address are intercepted by the HA and tunneled to the MN's care-of address.
• The MN sends packets directly to the Host (triangle routing). A foreign network that applies ingress filtering may drop such packets, because their source address is the MN's home address and does not belong to the foreign link; reverse tunneling through the HA (RFC 3024) avoids this.

Mobile IPv4 - Broadcast Packets from the MN

[Figure: the MN on the Foreign Link sends a broadcast; it travels through the Foreign Agent and the IP based network to the Home Agent, which delivers it to the Hosts on the Home Link]

Broadcast packets from the MN MUST be tunneled to the HA, which delivers them on the home link.

Mobile IPv4 - IP-in-IP Tunneling

Original IP packet:
  IPsrc = Original Sender
  IPdst = Ultimate Destination
  Header | payload

Encapsulating IP packet:
  Outer header: IPsrc = Tunnel Entry-Point (Home Agent), IPdst = Tunnel Exit-Point (care-of address), Protocol = 4 (IP-in-IP, RFC 2003)
  Outer Header | Header | payload

[Figure: a tunnel from the Home Agent to the Foreign Agent, which removes the outer header and delivers the original packet to the Mobile Node]

IP-in-IP is the default encapsulation; minimal encapsulation (RFC 2004) and GRE are optional alternatives.

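Worked example, added here and not part of the slides: an IP-in-IP tunnel as the home agent builds it and as the tunnel exit point (the foreign agent) unwraps it, in Python with only the standard library. The addresses (home agent 128.5.64.1, care-of address 192.0.2.10, mobile node 128.5.64.46, correspondent 10.1.1.5), the UDP payload and the foreign agent's visitor list are all constructed for the example; the check that the exit point only accepts tunnels coming from the home agent of a registered mobile node is the one a practitioner would add, not something the slides state.

```python
"""IP-in-IP (RFC 2003) encapsulation as a Mobile IPv4 home agent performs it,
and the matching decapsulation at the tunnel exit point (foreign agent).

Added example; all addresses below are made up for illustration.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4            # outer-header protocol number for IP-in-IP (RFC 2003)
IPPROTO_UDP = 17
IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); yields 0 over a good header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet (DF set, no options) with a correct header checksum."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed header; raise ValueError on a malformed or corrupted header."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    vihl, _tos, tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or tlen < ihl or tlen > len(pkt):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:tlen]}


def ha_encapsulate(home_agent: str, care_of: str, original: bytes) -> bytes:
    """Tunnel entry point: the HA wraps a packet it intercepted for the MN's home
    address in an outer header addressed to the care-of address."""
    parse_ipv4(original)  # never tunnel something that is not a valid IPv4 packet
    return build_ipv4(home_agent, care_of, IPPROTO_IPIP, original)


def fa_decapsulate(care_of: str, visitor_list: dict, tunneled: bytes) -> bytes:
    """Tunnel exit point: strip the outer header, but only for inner packets
    addressed to a registered MN and only if the outer source is that MN's HA.
    Without these checks anyone could inject traffic onto the foreign link by
    wrapping it in an outer header addressed to the care-of address.
    visitor_list maps a registered MN home address to its home agent."""
    outer = parse_ipv4(tunneled)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    if outer["dst"] != care_of:
        raise ValueError("outer destination is not our care-of address")
    inner = parse_ipv4(outer["payload"])
    expected_ha = visitor_list.get(inner["dst"])
    if expected_ha is None:
        raise ValueError("inner packet is not for a registered mobile node")
    if outer["src"] != expected_ha:
        raise ValueError("tunnel source is not that mobile node's home agent")
    return outer["payload"]


def tunnel_accepted(care_of: str, visitor_list: dict, tunneled: bytes) -> bool:
    """True if the FA would deliver the packet to the MN, False if it drops it."""
    try:
        fa_decapsulate(care_of, visitor_list, tunneled)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a correspondent host sends UDP to the MN's home address.
    original = build_ipv4("10.1.1.5", "128.5.64.46", IPPROTO_UDP, b"hello mobile node")
    tunneled = ha_encapsulate("128.5.64.1", "192.0.2.10", original)
    outer = parse_ipv4(tunneled)
    print("outer header:", outer["src"], "->", outer["dst"], "protocol", outer["proto"])
    visitors = {"128.5.64.46": "128.5.64.1"}
    print("inner packet restored:", fa_decapsulate("192.0.2.10", visitors, tunneled) == original)
```

The home agent adds exactly 20 bytes (the outer header) and the exit point gets the original packet back unchanged; a spoofed tunnel from an address that is not the registered home agent, a tunnel carrying a packet for an unregistered address, or a corrupted outer header is dropped rather than delivered.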
Mobile IPv4 - Broadcast Packets to the MN

[Figure: a broadcast on the Home Link reaches the Home Agent, which tunnels it across the IP based network to the Foreign Agent on the Foreign Link]

The HA MUST tunnel broadcast packets destined for the MN once the MN has asked for them (the B bit of its registration).

Mobile IPv4 - Nested Tunneling

[Figure: a broadcast packet from the Home Agent (destination 255.255.255.255 or the home network's directed-broadcast address "network prefix.111...") is first encapsulated in a packet addressed to the Mobile Node's home IP address, and that packet is tunneled again to the care-of address (COA). The MN, not the FA, therefore decapsulates the inner packet]

The MN sets the B bit to 1 in its Registration Request to ask the HA to provide it (via the tunnel) with a copy of the broadcast packets that occur on the home link.

Mobile IPv4 - Registration Message Format

IP header fields | UDP header | Mobile IP message header | Extensions

After the IP and UDP headers comes the registration message header, followed by any necessary extensions, always including an authentication extension.

Mobile IPv4 - Registration Request

IP header (RFC 791): IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live = 1, Protocol = UDP, Header Checksum, Source Address, Destination Address

UDP header (RFC 768): Source Port, Destination Port = 434, Length, Checksum

Fixed-length portion of the Registration Request (RFC 2002), required:
  Type = 1
  Flags: S B D M G V rsv
  Lifetime
  Mobile Node's Home Address
  Home Agent Address
  Care-of Address
  Identification (64 bits, used for replay protection)

Mobile-Home Authentication Extension (RFC 2002), mandatory:
  Type = 32
  Length
  Security Parameter Index (SPI)
  Authenticator (default algorithm: keyed MD5; RFC 3344 later made HMAC-MD5 the default)

Other extensions are optional.

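Worked example, added here and not taken from the slides: building the fixed portion of a Registration Request, appending the Mobile-Home Authentication Extension, and running the home agent's side of step 3 (authenticate first, then check the Identification for replay). The shared key, the SPI, the addresses and the timestamps are constructed for the example. The authenticator is computed with HMAC-MD5 as RFC 3344 specifies; the RFC 2002 "keyed MD5" prefix+suffix form the slide names is included behind a flag so the two can be compared. The Registration Reply code numbers in the rejection strings are the ones defined in RFC 3344.

```python
"""Mobile IPv4 Registration Request with the Mobile-Home Authentication
Extension (RFC 2002 / RFC 3344), plus the home agent's checks.

Added example; the key, SPI, addresses and timestamps are made up.
"""
import hashlib
import hmac
import struct

REG_REQUEST = 1                 # Type of a Registration Request
MH_AUTH_EXT = 32                # Mobile-Home Authentication Extension type
NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
# Flag bits in the byte after Type (RFC 2002 layout: S B D M G V rsv)
FLAG_S, FLAG_B, FLAG_D, FLAG_M, FLAG_G, FLAG_V = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04


def ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ntp_identification(unix_seconds: int, low32: int) -> int:
    """64-bit Identification for timestamp replay protection: NTP seconds in the
    high 32 bits; the low 32 bits should be random (a caller-supplied value here)."""
    return ((unix_seconds + NTP_EPOCH_OFFSET) << 32) | (low32 & 0xFFFFFFFF)


def registration_request(flags: int, lifetime: int, home: str, home_agent: str,
                         care_of: str, identification: int) -> bytes:
    """The fixed 24-byte portion of the Registration Request (the UDP payload)."""
    return struct.pack("!BBH4s4s4sQ", REG_REQUEST, flags, lifetime,
                       ip4(home), ip4(home_agent), ip4(care_of), identification)


def authenticator(key: bytes, covered: bytes, hmac_md5: bool) -> bytes:
    """RFC 3344 default: HMAC-MD5.  RFC 2002 default ('keyed MD5' on the slide):
    MD5(key || data || key), the prefix+suffix mode, kept here for comparison."""
    if hmac_md5:
        return hmac.new(key, covered, hashlib.md5).digest()
    return hashlib.md5(key + covered + key).digest()


def add_mh_auth_extension(message: bytes, spi: int, key: bytes, hmac_md5: bool = True) -> bytes:
    """Append the Mobile-Home Authentication Extension.  The authenticator covers
    the fixed portion, all earlier extensions, and this extension's own Type,
    Length (4 + 16 for a 128-bit authenticator) and SPI."""
    header = struct.pack("!BBI", MH_AUTH_EXT, 4 + 16, spi)
    return message + header + authenticator(key, message + header, hmac_md5)


class HomeAgent:
    """The HA-side checks of step 3 on the registration slide: authenticator
    first, then timestamp-based replay protection on the Identification field."""

    def __init__(self, mn_keys: dict, clock_skew: int = 7, hmac_md5: bool = True):
        self.mn_keys = mn_keys        # (home address, SPI) -> shared key
        self.clock_skew = clock_skew  # seconds of tolerated clock difference
        self.hmac_md5 = hmac_md5
        self.last_ident = {}          # home address -> last accepted Identification

    def verify(self, message: bytes, now_unix: int) -> str:
        """Return 'ok', or the rejection reason prefixed by its Reply code."""
        if len(message) < 24 or message[0] != REG_REQUEST:
            return "134 poorly formed request"
        home = ".".join(str(b) for b in message[4:8])
        ident = struct.unpack("!Q", message[16:24])[0]
        off = 24  # walk the extensions: Type, Length, then Length bytes of data
        while off + 2 <= len(message):
            ext_type, ext_len = message[off], message[off + 1]
            if off + 2 + ext_len > len(message):
                return "134 poorly formed request (truncated extension)"
            if ext_type == MH_AUTH_EXT:
                if ext_len != 20:
                    return "134 poorly formed request (bad authenticator length)"
                spi = struct.unpack("!I", message[off + 2:off + 6])[0]
                key = self.mn_keys.get((home, spi))
                if key is None:
                    return "131 mobile node failed authentication (unknown SPI)"
                expected = authenticator(key, message[:off + 6], self.hmac_md5)
                if not hmac.compare_digest(message[off + 6:off + 22], expected):
                    return "131 mobile node failed authentication"
                break
            off += 2 + ext_len
        else:
            return "131 mobile node failed authentication (no Mobile-Home extension)"
        # Replay protection: the timestamp must be close to our clock and must
        # be greater than the last Identification this MN got accepted.
        sent = (ident >> 32) - NTP_EPOCH_OFFSET
        if abs(sent - now_unix) > self.clock_skew:
            return "133 registration identification mismatch"
        if ident <= self.last_ident.get(home, 0):
            return "133 registration identification mismatch (replay)"
        self.last_ident[home] = ident
        return "ok"


if __name__ == "__main__":
    KEY = b"mn-ha-shared-secret"  # constructed; MN-HA security association
    now = 1700000000
    req = add_mh_auth_extension(registration_request(
        FLAG_S | FLAG_B, 1800, "128.5.64.46", "128.5.64.1", "192.0.2.10",
        ntp_identification(now, 0x5EED5EED)), 0x100, KEY)
    ha = HomeAgent({("128.5.64.46", 0x100): KEY})
    print("first request :", ha.verify(req, now))
    print("same again    :", ha.verify(req, now))
```

The first request is accepted, an identical copy is rejected as a replay, a request whose Lifetime was altered in transit fails authentication, and a request whose timestamp is an hour off is rejected for identification mismatch; the keyed-MD5 variant round-trips only when both sides are configured for it.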
Mobile IPv4 - Registration Reply

Fixed-length portion of the Registration Reply (RFC 2002):
  Type = 3
  Code (accepted, or the reason for denial)
  Lifetime
  Mobile Node's Home Address
  Home Agent Address
  Identification (copied from the request, so the MN can match the reply and detect replays)

The reply is followed by extensions, including the mandatory Mobile-Home Authentication Extension.

Mobile IPv4 - Route Optimization

Route optimization adds messages that let a correspondent host learn the MN's current care-of address instead of always sending through the HA:
1- Binding Update
2- Binding Acknowledgment
3- Binding Warning

Mobile IPv4 - Route Optimization

[Figure: the MN has moved from the Old Foreign Agent (OFA) to a New Foreign Agent (NFA); messages 1-5 flow between the NFA, the OFA, the Home Agent and the Host]

1- The NFA relays the MN's Registration Request (RR) to the HA.
2- The NFA sends a Binding Update (BU) to the OFA together with the RR to the HA.
3- The OFA sends a Binding Update as a result of receiving the Binding Warning extension.
4- A Binding Acknowledgment is sent back.
5- The Registration Reply is sent back.

Mobile IPv4 - Route Optimization (continued)

[Figure: Host, Home Agent and the New Foreign Agent (NFA) on the Foreign Link; steps 1-4 are drawn as arrows]

1- Data is sent from the Host toward the MN's home address and reaches the HA.
2- The HA tunnels the data to the MN via the NFA.
3- The HA sends a Binding Update to the Host.
4- The Host now tunnels data directly to the NFA.

Mobile IPv4 - Route Optimization (continued)

[Figure: Host, Home Agent, Old Foreign Agent (OFA) and New Foreign Agent (NFA); steps 1-4 are drawn as arrows]

1- Data from the Host is still tunneled to the old FA.
2- The OFA sends a Binding Warning message to the HA.
3- The HA sends a Binding Update to the Host.
4- Data is now tunneled to the new FA.

Mobile IPv6 - IETF Architecture

[Figure: Mobile IP entities and relationships. The Mobile Node is shown at its Home Link (Home Network, Home Agent acting as ATA and LD) and at a Foreign Link (Foreign Network); both connect through the IP based network to a Host]

• The Home Agent provides the functions of the LD and the ATA.
• Mobile IPv6 defines no Foreign Agent: the MN always uses a co-located care-of address on the foreign link.
• A correspondent node may forward packets directly to the MN, using an IPv6 routing header (type 2 in RFC 3775) that carries the MN's home address.

Mobile IPv6 - Registration

[Figure: the MN on the Foreign Link obtains a care-of address from a Router/DHCPv6 server, then exchanges a Binding Update and a Binding Acknowledgement with the Home Agent across the IP based network; the HA sends a Gratuitous Neighbor Advertisement on the Home Link to take over the MN's home address]

1- The MN sends a DHCPv6 Request for a co-located care-of address (stateless address autoconfiguration is the other option).
2- The MN receives the DHCPv6 Reply.
3- The MN sends a Binding Update message to the HA.
4- The MN receives a Binding Acknowledgement.

Mobile IPv6 - Data Transfer

[Figure: Host, Home Agent and the MN on the Foreign Link across the IP based network; steps 1-3 are drawn as arrows]

1. Host data packets addressed to the MN's home address are tunneled by the HA to the MN.
2. The MN sends a Binding Update to the Host.
3. The Host sends data directly to the MN, using a routing header that carries the home address.

Mobile IPv6 - Updating the MN Location

[Figure: Host and Home Agent on the Home Link side, the MN on the Foreign Link; steps 1-2 are drawn as arrows]

1. When its Binding Cache entry expires, the Host sends a Binding Request to the MN.
2. Once the binding is refreshed, the Host continues sending data directly to the MN using a routing header.

IP Security
Loss Of Privacy

telnet foo.bar.org
username: dan
password: m-y-p-a-s-s-w-o-r-d

A perpetrator may observe confidential data, such as a password, as it traverses the internet in the clear. The perpetrator may then use this data to log in to the system and pretend to be the real user.

Loss Of Data Integrity

[Figure: "Deposit $1000" is sent; "Deposit $100" arrives]

You may not care if someone sees your business transaction, but you do care if somebody modifies it.

Man In The Middle Attack (Replay)

[Figure: the BAD GUY captures "Withdraw $1000" and resends it several times]

The bad guy replays the same business transaction message. A replayed message is accepted unless the protocol carries a freshness check, such as the Identification field of Mobile IP registrations or the sequence number of IPSec.

Denial Of Service

[Figure: the bad guy sends a flood of messages and a virus at the system]

The bad guy floods the system with messages, or sends it malware, to crash the system or exhaust its resources.

Where Should We Implement Security?

[Figure: protection placed at the Application Layer, at the Network Layer, or as link-layer encryption on each individual link]

Security may be implemented in:
1- The application/transport layer (Secure Sockets Layer, today TLS), which protects one application's connection.
2- The network layer (IPSec), which protects all traffic between two nodes.
3- The data link layer (link-layer encryption), which protects one hop only.

IPSec : Security Protocol

IPSec implements an end-to-end security solution at the network layer. End systems and applications therefore do not need to change to gain the advantage of strong security.

IPSec : Session Establishment

1- IPSec provides the data-level processing. It assumes that a Security Association (SA) is already established between the two nodes; it has no mechanism of its own to establish one.
2- The negotiation and establishment of security associations is done by the Internet Key Exchange protocol (IKE), built around the framework of ISAKMP (Internet Security Association and Key Management Protocol).

IPSec : Connection

Each IPSec connection can provide:
1- Encryption (confidentiality).
2- Integrity and authenticity.
3- Or both.

IPSec : Security Association

IPSec uses Security Associations (SAs) to establish secure connections between nodes. A Security Association defines:
1- the algorithms to use for encryption/decryption,
2- the algorithms to use for the integrity check and authentication,
3- the shared session keys.
Each security association is identified by an SPI (together with the destination address and the protocol, AH or ESP). An SA is unidirectional, so a two-way connection needs a pair of SAs.

IPSec : Authentication Header

AH fields: Next Header | Payload Length | Reserved (RSV) | Security Parameters Index (SPI) | Sequence Number | Authentication Data (variable)

The Authentication Header provides data integrity and authentication of the IP packet, covering the payload and the immutable fields of the IP header; the Sequence Number supports anti-replay protection.

IPSec : Encapsulating Security Payload

ESP fields: Security Parameters Index (SPI) | Sequence Number | Payload Data (variable) | Padding | Pad Length | Next Header | Authentication Data (variable)

The Encapsulating Security Payload provides confidentiality. As an optional feature it provides the same authentication services as AH, with the authentication data covering the ESP header, payload and trailer but not the outer IP header.

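Worked example, added here and not from the slides, covering both the ESP layout above and the anti-replay role of the Sequence Number that AH and ESP share. To stay runnable with the standard library it uses ESP with NULL encryption (RFC 2410) and HMAC-SHA1-96 integrity, so the packet shows exactly the fields listed on the slide (SPI, Sequence Number, Payload, Padding, Pad Length, Next Header, Authentication Data) without a cipher. The receiver side implements the sliding anti-replay window of RFC 4303 and advances it only after the integrity check succeeds. The SPI, the key and the sample payloads are constructed for the example.

```python
"""ESP (RFC 4303) with NULL encryption (RFC 2410) and HMAC-SHA1-96 integrity,
showing the trailer layout (Padding, Pad Length, Next Header, ICV) and the
receiver's anti-replay window driven by the Sequence Number.  AH uses the
same sequence-number window.

Added example; the SPI and key are made up.
"""
import hashlib
import hmac
import struct

ICV_LEN = 12       # HMAC-SHA1-96: SHA-1 HMAC truncated to 96 bits (RFC 2404)
IPPROTO_TCP = 6


class EspNullSa:
    """One unidirectional ESP SA.  The sender uses protect(); the receiver uses
    unprotect().  Both sides are instantiated with the same SPI and key."""

    def __init__(self, spi: int, auth_key: bytes, window: int = 64):
        self.spi = spi
        self.auth_key = auth_key
        self.seq = 0             # sender: last sequence number sent
        self.window = window     # receiver: anti-replay window size (RFC 4303 App. A)
        self.highest = 0         # receiver: highest sequence number verified so far
        self.bitmap = 0          # receiver: bit i set -> sequence (highest - i) was seen

    def _icv(self, data: bytes) -> bytes:
        return hmac.new(self.auth_key, data, hashlib.sha1).digest()[:ICV_LEN]

    def protect(self, payload: bytes, next_header: int) -> bytes:
        """SPI | Seq | Payload | Padding | Pad Length | Next Header | ICV."""
        if self.seq == 0xFFFFFFFF:
            raise RuntimeError("sequence number space exhausted: rekey the SA")
        self.seq += 1
        pad_len = (-(len(payload) + 2)) % 4     # Pad Length + Next Header end on a 4-byte boundary
        padding = bytes(range(1, pad_len + 1))  # default padding pattern 1, 2, 3, ...
        body = (struct.pack("!II", self.spi, self.seq) + payload + padding
                + bytes([pad_len, next_header]))
        return body + self._icv(body)           # ICV covers SPI through Next Header

    def unprotect(self, packet: bytes) -> tuple:
        """Return (payload, next_header) or raise ValueError.  The replay window
        is advanced only after the ICV has been verified (RFC 4303 section 3.4.3),
        so a forged packet cannot push genuine ones out of the window."""
        if len(packet) < 8 + 2 + ICV_LEN:
            raise ValueError("packet too short for ESP")
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        self._check_replay(seq)                 # cheap check before the HMAC
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        if not hmac.compare_digest(icv, self._icv(body)):
            raise ValueError("ICV failure")
        self._mark_seen(seq)
        pad_len, next_header = body[-2], body[-1]
        if 8 + pad_len + 2 > len(body):
            raise ValueError("bad pad length")
        if body[len(body) - 2 - pad_len:len(body) - 2] != bytes(range(1, pad_len + 1)):
            raise ValueError("bad padding")
        return body[8:len(body) - 2 - pad_len], next_header

    def _check_replay(self, seq: int) -> None:
        if seq == 0:
            raise ValueError("sequence number 0 is never valid")
        if seq > self.highest:
            return                              # new high-water mark, accept
        diff = self.highest - seq
        if diff >= self.window:
            raise ValueError("sequence number older than the window")
        if (self.bitmap >> diff) & 1:
            raise ValueError("replayed sequence number")

    def _mark_seen(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def try_unprotect(sa: EspNullSa, packet: bytes) -> str:
    """'ok' if the receiver accepts the packet, otherwise the rejection reason."""
    try:
        sa.unprotect(packet)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    KEY = b"constructed-esp-auth-key"  # constructed; would come from IKE
    tx, rx = EspNullSa(0x1000, KEY), EspNullSa(0x1000, KEY)
    pkt = tx.protect(b"GET / HTTP/1.0\r\n", IPPROTO_TCP)
    print("length", len(pkt), "seq", struct.unpack("!I", pkt[4:8])[0])
    print("first delivery:", try_unprotect(rx, pkt))
    print("replayed copy :", try_unprotect(rx, pkt))
```

A 16-byte payload needs two padding bytes so that Pad Length and Next Header end on a 4-byte boundary; packets may arrive out of order within the window and are still accepted once, a second copy is rejected, a packet whose payload was modified fails the ICV check without disturbing the window, and a sequence number that fell behind the window is dropped as too old.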
IPSec : Operation Modes

Transport Mode: only the IP payload is protected, and the original IP header is left intact. This mode leaves the addresses visible to an attacker performing traffic analysis, but it enables special processing, such as QoS based on the information in the IP header.

Tunnel Mode: the entire original IP datagram is protected and becomes the payload of a new IP packet. This mode allows routers to act as IPsec proxies (security gateways). The major advantage is that the end system does not need to be modified to enjoy IP security. It also hides the original source and destination addresses, which limits traffic analysis.

IPSec : Transport Mode

Before: IP HDR | DATA
After:  IP HDR | IPSEC HDR | DATA

In transport mode only the data is protected; the original IP header is kept.

IPSec : Tunnel Mode

Before: IP HDR | DATA
After:  New IP HDR | IPSEC HDR | IP HDR + DATA

In tunnel mode the entire original packet, including its header, is protected and carried behind a new IP header.

IKE : Phase I and II

Two phases in IKE are necessary to establish an SA:
1- Phase I: establish a secure, authenticated channel (the ISAKMP SA) over which to negotiate.
2- Phase II: the IPSec SA is negotiated between the two nodes over the channel established in Phase I.

IKE : Authentication Methods For Phase I

Three types of authentication method are used in Phase I:
1- Pre-shared secret key.
2- Public key encryption.
3- Digital signature.

IKE : Phase II

Once the secure channel is established between the two nodes as a result of Phase I, one node (the initiator) proposes a set of authentication and encryption algorithms, and the other node (the responder) accepts one offer or rejects them all.

IKE : Example

[Figure: Alice and Bob each run an ISAKMP daemon on top of their IPSec stack; an ISAKMP tunnel is set up between the two daemons before IPSec-protected traffic flows]

1- Alice's ISAKMP begins negotiation with Bob.
2- An outbound packet from Alice to Bob is pending; no IPSec SA exists yet.
3- Negotiation completes; Alice and Bob now have complete IPSec SAs in place.
4- Packets from Alice to Bob are protected by IPSec.

Mobile IPv4 Security

[Figure: Mobile IP entities and relationships, with security associations drawn between the MN and the HA (mandatory), between the MN and the FA (optional) and between the FA and the HA (optional)]

1- MN-HA (mandatory)
2- MN-FA (optional)
3- FA-HA (optional)

The MN-HA security association is the one behind the Mobile-Home Authentication Extension that every Registration Request and Reply must carry.

Mobile IPv6 Security

[Figure: IPSec between the MN on the Foreign Link and the Home Agent on the Home Link]

IPSec between the MN and the HA is used to secure and authenticate the control messages (Binding Updates and Binding Acknowledgements) exchanged between the MN and the HA.

BACKUP
Mobile IP - Introduction

• General increase in the usage of laptop/notebook computers
• More access to intranets
• Acceptance of telecommuting
• Increase in the mobility-based workforce (sales, delivery, etc.)

There is a need for mobile computers to communicate with other computers, fixed or mobile.

Mobile IP - Design Requirements

• Communicate with other nodes while changing its link-layer point of attachment
• Use its home (permanent) IP address to communicate with other computers
• Communicate with computers that are not Mobile IP aware
• Provide as much security as fixed computers have

Provide end-to-end mobility as well as basic quality of service.