Julien Laganier, MEXT WG, IETF-79, Nov. 2010: Authorizing MIPv6 Binding Update with Cryptographically Generated Addresses

Presentation transcript:

1 Julien Laganier, MEXT WG, IETF-79, Nov. 2010: Authorizing MIPv6 Binding Update with Cryptographically Generated Addresses

2 Overview
- RFC 3775 secures Binding Updates to the Home Agent with IPsec
- RFC 4866 allows securing Binding Updates to Correspondent Nodes with a public key signature when the HoA is a CGA
- MEXT WG rechartered to experiment with security mechanisms alternative to IPsec
- → Secure Binding Updates to the Home Agent based on CGA as well

3 Solution
- MN:
  - generates a public-private key pair
  - generates from the public key an HoA that is a CGA
  - signs the Binding Update with the private key
- HA:
  - verifies HoA ownership by verifying the signature
- Optimization:
  - HA sends to MN a symmetric secret key to protect further Binding Updates, ciphered with the public key
  - Secret key is used to compute a MAC over the BU
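Added example (not part of the original slides or of any MEXT draft): the address-ownership part of the HA check on slide 3, following the CGA hash construction of RFC 3972 with Sec = 0 and no extension fields. The key bytes and the 2001:db8::/64 home prefix are constructed stand-ins, and verification of the BU signature itself is left out because it needs an asymmetric-crypto library.

```python
import hashlib
import ipaddress

IID_MASK = 0x1CFFFFFFFFFFFFFF  # ignore Sec bits (0-2) and u/g bits (6-7), RFC 3972

# Constructed sample values: stand-ins for DER-encoded public keys and a home prefix.
PREFIX = ipaddress.IPv6Address("2001:db8::").packed[:8]
MN_KEY = b"constructed-MN-public-key-DER"
OTHER_KEY = b"constructed-other-node-public-key-DER"


def _hashes(modifier, prefix, collisions, pubkey):
    """Return (Hash1 as 64-bit int, Hash2 as 14 bytes) over the CGA parameters."""
    h1 = hashlib.sha1(modifier + prefix + bytes([collisions]) + pubkey).digest()[:8]
    h2 = hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]
    return int.from_bytes(h1, "big"), h2


def cga_generate(prefix, pubkey, modifier=bytes(16), collisions=0):
    """MN side: derive the HoA from its public key (Sec = 0 only)."""
    h1, _ = _hashes(modifier, prefix, collisions, pubkey)
    iid = h1 & IID_MASK  # Sec = 0, u = g = 0
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big"))


def cga_verify(addr, modifier, prefix, collisions, pubkey):
    """HA side: check that addr was derived from these CGA parameters."""
    raw = ipaddress.IPv6Address(addr).packed
    if collisions not in (0, 1, 2) or len(modifier) != 16 or raw[:8] != prefix:
        return False
    h1, h2 = _hashes(modifier, prefix, collisions, pubkey)
    iid = int.from_bytes(raw[8:], "big")
    if (h1 & IID_MASK) != (iid & IID_MASK):
        return False  # address is not bound to this public key
    sec = raw[8] >> 5  # three leftmost bits of the interface identifier
    return h2[: 2 * sec] == bytes(2 * sec)  # 16*Sec leading zero bits in Hash2


if __name__ == "__main__":
    hoa = cga_generate(PREFIX, MN_KEY)
    print(hoa, cga_verify(hoa, bytes(16), PREFIX, 0, MN_KEY))
    print("other key:", cga_verify(hoa, bytes(16), PREFIX, 0, OTHER_KEY))
```

The check only binds the HoA to a public key; as slide 4 points out, it says nothing about whether that MN is authorized for HA service.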

4 Choices to be made
- Is MN authorized for HA service?
  - CGA validates address ownership
  - Does not prevent any MN from creating state with an arbitrary HA
  - Solutions:
    - Provision MN with Authorization Certificates
    - HA has a repository of authorized MN public keys
    - Restrict service to MNs that attached to the home link
- Is MN trusted by HA?
  - Does HA verify CoA reachability with an RR test?
  - Avoid third-party flooding attack

5 Choices to be made, Cont'd
- How to provide anti-replay protection?
  - Initial Binding Creation currently protected with timestamp in BU
    - Alternative: 3-way handshake with Nonce
  - Further Binding Updates (Lifetime Extension, Handoffs, Deletion) protected with Sequence Number and symmetric secret key MAC
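Added example (not from the slides or from any draft): how an HA could process the further Binding Updates of slide 5, accepting one only if its MAC verifies under the per-binding secret key and its sequence number moves forward. HMAC-SHA256, the field encoding and the `HomeAgent` class are assumptions made for illustration; the modulo-2**16 sequence comparison is the one RFC 3775 uses for Binding Updates.

```python
import hashlib
import hmac
import ipaddress
import struct


def bu_mac(key, hoa, coa, seq, lifetime):
    """HMAC-SHA256 over an assumed BU encoding: HoA | CoA | seq | lifetime."""
    msg = (ipaddress.IPv6Address(hoa).packed + ipaddress.IPv6Address(coa).packed
           + struct.pack("!HH", seq, lifetime))
    return hmac.new(key, msg, hashlib.sha256).digest()


def seq_is_newer(seq, last):
    """16-bit serial comparison, so a wrap from 65535 to 0 still counts as newer."""
    return 0 < ((seq - last) & 0xFFFF) < 0x8000


class HomeAgent:
    """Hypothetical binding cache keyed by HoA."""

    def __init__(self):
        self.bindings = {}  # HoA -> {"key", "seq", "coa"}

    def create_binding(self, hoa, coa, key, seq):
        """Stands in for the signed initial BU; key is the secret HA sent to MN."""
        self.bindings[hoa] = {"key": key, "seq": seq, "coa": coa}

    def update(self, hoa, coa, seq, lifetime, mac):
        """Process a lifetime extension, handoff or deletion (lifetime 0)."""
        entry = self.bindings.get(hoa)
        if entry is None:
            return "no-binding"
        expected = bu_mac(entry["key"], hoa, coa, seq, lifetime)
        if not hmac.compare_digest(mac, expected):
            return "bad-mac"
        if not seq_is_newer(seq, entry["seq"]):
            return "replay"
        if lifetime == 0:
            del self.bindings[hoa]
            return "deleted"
        entry.update(seq=seq, coa=coa)
        return "accepted"
```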

6 IPv4 support
- IPv4-only visited network → m6t
  - On-demand creation of UDP tunnel
  - For each new IPv4 CoA
  - Assigns new unique local IPv6 address
  - Tunnel exists as long as it's used
  - Same security level as RFC 5555
    - Does not protect against active attacks
    - Protects against passive attacks
- IPv4-only application → Configure IPv4 Home address as in RFC 5555

7 Pros and Cons
- No dependency on IPsec
- No impact on IPsec
  - IPsec can still be used independently
- Does not re-invent ESP and ESP tunneling in UDP
  - À la mip6-altsec: http://tools.ietf.org/html/draft-korhonen-mext-mip6-altsec
- Allows fully decentralized HA operation
  - Possibly useful for Distributed/Dynamic Mobility Management?

8 Next Steps
- Is there interest in the WG?
- Make some choices
  - MN trusted?
  - MN authenticated?
- Implement and experiment...

9 Thank you