Presentation is loading. Please wait.

Presentation is loading. Please wait.

SECURITY THREATS ANALYSIS OF ROUTE OPTIMIZATION MECHANSIM IN MOBILE IPV6 BY Wafaa Al-Salihy.

Published bySpencer Wilkins Modified over 8 years ago

Similar presentations

Presentation on theme: "SECURITY THREATS ANALYSIS OF ROUTE OPTIMIZATION MECHANSIM IN MOBILE IPV6 BY Wafaa Al-Salihy."— Presentation transcript:

1 SECURITY THREATS ANALYSIS OF ROUTE OPTIMIZATION MECHANSIM IN MOBILE IPV6 BY Wafaa Al-Salihy

2 OUTLINE BACKGROUND CURRENT PROBLEMS IN MOBILE IPV6 SECURITY. ATTACKS THAT EXPLOIT MIPv6 PROPOSED AUTHENTICATION METHODS CURRENT RESEARCH CONCLUSION LIMITATION ACKNOWLEDGMENT REFERENCES

3 BACKGROUND Mobile IPv6 How Mobile IPv6 work?

4 Mobile IPv6 It is IPv6 Protocol when supporting Mobility. Mobile IPv6 requires the exchange of additional information: (BU, BA, BR, home address option) and using Extension Header-Destination Option Header.

5 How Mobile IPv6 Work? 1. Home Agent Registration Mobile node has its static address at home subnet = home of address (HoA) Mobile node usually move from subnet to subnet. When mobile node move to new subnet, it will discover the default router, perform (stateful or stateless) address autoconfiguration, and use its new address as care of address (CoA).

6 Mobile node perform Home Agent registration by sending BU. BU: is triplet message, which contains home address (HoA), current care of address (CoA), and the lifetime. Home agent accept BU and add this binding to its Binding Cash ( table contain bindings of the nods managed by every IPv6 node), and send BA.

7 Home Agent (HA) Link A Mobile node (Mn) Link B 1. Home Agent Registration Mobile node after moved to another link get CoA and send BU to a HA on its home link Binding Update(BU) Binding Ack.(BA) Home Agent accepts the BU,add binding to binding cash and return a BA

8 Home Agent (HA) intercept any packets addressed to the mobile node’s home address. Intercepted packets sent to CoA of mobile node using IPv6 encapsulation. Mobile node sends packets directly to any other destination node. 2. Triangle routing

9 Home Agent (HA) Mobile node (Mn) Correspondent node (Cn) 2. Triangle Routing Home Agent intercept packets then tunnels them to the current CoA of Mn. Cn in this step can't send packets to Mn directly Mobile node far away from its home link with Ip address = care of address(CoA) packet Tunneled packet packet

10 3. Route Optimization Dislike Mobile Ip, Mobile IPv6 offer route optimization mechanism. Route optimization provide better bandwidth and faster transmission. Route optimization: mobile node send BU to correspondent node (Cn) ( any mobile or stationary node). Cn cash the current CoA then direct packets to Mn after send BA.

11 Mobile node (Mn) Correspondent node (Cn) 3. Route Optimization The Mobile Node sends a Binding Updates to Cn The Correspondent Node cash the binding and send BA, then it is ready to send directly packets to Mn Binding Updates packet Binding Ack. (BA)

12 CURRENT PROBLEMS IN MOBILE IPV6SECURITY CURRENT PROBLEMS IN MOBILE IPV6 SECURITY MIPv6 is internet draft, still no RFC MIPv6 provide route optimization mechanism comparing with MIPv4. Route optimization needs Binding Update (BU) signals to be exchange between Mn- Cn.

13 MIPV6 propose IPSec for securing BU. IPSec mechanism require pre-shared keys base on PKI concept. No way for two nodes with no pre- relation to have pre-shared key. It is necessary to look for alternative solution.

14 Return Routability MIPv6 internet draft proposed RR as a basics technique for securing BU signals of Route Optimization, which is between Mn-Cn. RR: Mn initiates RR using (HoTI, CoTI) and then Cn sends challenging packets (HoT, CoT). Cn accepts BU only from the Mn that are able to receive them. BU then secured by using Kbm, which is produced by RR. Kbm = SHA1( home keygen token | care of keygen token)

15 Home Agent (HA) Mobile node (Mn) Correspondent node (Cn) CoTI CoT H o T I H o T I Return Routability Mechanism HoT

16 Attack against RR Return Routability not strong enough. The attacker can get both keys (home keygen, care of keygen) and produce Kbm. The attacker eavesdrops two communicating nodes A and B( any type of nodes i.e. Mn, or Cn) and learn their IP addresses. Attacker initiates RR by sending to B (HoTI, CoTI) using its own address as CoA and A’s address as HoA. B sends CoT and HoT as response. And attacker get the keys.

17 ATTACKS THAT EXPLOIT MIPV6 Attacks that exploit MIPv6 can be classified into three cases: Attacks when BU not authenticated or secured. Attacks when BU authenticated or secured by one mechanism. Attacks when BU secured by more than one mechanism.

18 Attacks when BU not authenticated or secured If BU not authenticated, attacker can send spoofed BU. There are four ways: Bomb any mobile node with unwanted data. Basic Denial of Service attack. Using HoA to bomb any host with unwanted data. Attack against secrecy and integrity.

19  Bomb any mobile node with unwanted data By sending spoofed BUs, the attacker can redirect traffic to an arbitrary IP address. The attacker needs to find Cn that is willing to send data streams to unauthenticated node (many popular web sites provide such streams ). If the target is single host, need to know its Ip address If entire network, choose random address with prefix of the network.

20  Basic Denial of Service attack By sending spoofed BU, the attacker can redirect all packets between two IP hosts to a random or non existence address. The nodes support route optimization. The attacker must know their IP addresses.

21 Random host or non - exist Attacker MnCn Data Flow before attack Attacker redirect packets to random host  Basic denial of service attack

22  Using HoA to bomb any host with unwanted data The attacker claims to be a mobile node with the HoA equal to the target address. Then attacker send BU cancellation, or wait for entry expire. The attacker can keep stream life by spoofing acknowledgments.

23 The attacker is mobile with HoA equal to target address Target host Attacker MnCn First step Cn trust attacker After cash entry expire or cancel BU  Using HoA to bomb any host with unwanted data.

24  Attack against secrecy and integrity By spoofing BU, attacker can redirect packets between two IP hosts to itself. Attacker need to know their IP addresses, and the hosts support route optimizations. Strong encryption and integrity protection can prevent this attack, and result in denial of service attack.

25 Data Flow before attack Attacker redirect packets to itself Da a m o d f e d b y t i i a t t a c k e r Attacker MnCn  Attack Against Secrecy and Integrity

26 Attacks when BU authenticated and secured by one mechanism Reply Attack

27 Replay Attack The attacker capture the BU of Mn. And replay back after Mn move away. The attacker need to be in the same network of Mn. The Mn move so frequently that it send the next BU before the expiry of the previous BU. Any protocol for authenticating BU will have to consider this attack.

28 Attacker Mn Mobile node previous location Data Flow before attack Cn Attacker redirect packets to mobile node Previous location  Replay Attack

29 Attacks when BU can be secured by more than one mechanism Bidding Down Attack

30 This attack applied when there is optional authentication mechanisms exist and RR as default mechanism for authentication. The nodes apply route optimization. The attacker force two hosts or bidding them down from using strong security to use weak security like RR.

31 Attacker Mn Cn Weak security (RR as default) Attacker bidding down from strong security to weak security Strong security  Bidding Down Attack

32 Amplification and Reflection Attack This attack can exploit Mipv6 in any case Packets sent into a looping path to the target (Amplification). The attacker hide the source of a packet by reflecting the traffic from other node (Reflection). The nodes can be tricked into sending many more packets than they receive from the attacker.

33 Attacker Mn Many packets Cn Attacker send Cn packet ask Cn to send many packets to Mn i g l p a k e S n e c t  Amplification and Reflection Attack

34 PROPOSED AUTHENITICATION METHODS Cryptographically Generated Address(CGA): is to form the last 64 bits of the IP address(the interface identifier) by hashing the node’s public signature key. BU can then be signed with this key. –Limitations: 64 bits, enable the attacker to mount the brute force attack and find a matching signature key. –Computationally intensive and therefore expose the nodes to DoS attack.

35 Assuming a Safe Route: make the assumption that the communication between two specific nodes is safe from attackers even though it is not cryptographically protected. Two Independent Route : send two pieces of the authenticated data through two independent routes and hoping that attackers not able to capture both of them. Limitations: single attacker, between Cn and HA can spoof BU, pretend to be both Mn and HA then spoof packets from Mn and HA and send to Cn, then can receive messages sent by Cn to both HA and Mn.

36 Leap of Faith: Mn sends a session key insecurely to the Cn, at the beginning of the connection, then the key can be used to authenticate subsequent BU. The Role of Ingress Filtering (IF): for limiting the attacker of the local network who spoofed source IP addresses, in the target network IF makes no difference.

37 CURRENT RESEARCH We are exploring several issues in current research to improve the security of MIPv6 protocol: neighbor discovery security security of IPv6 routing header and home address options. Beside that we study the possibility of adding more cash tables in Cn and Mn and logical comparisons between these cash tables for the purpose of security. The security of Mipv6 will not base on Infrastructure solution. The work in progress.

38 CONCLUSION The security is the most crucial part of the protocol. With out a proper security solution the protocol has no possibility to be accepted and usable at all. Our current research will explore different issues to propose new acceptable mechanism which not base on intensive computation and not base on PKI concept, in the same time consider all the possible attacks, and ensure that our proposed method will not introduce any new threats for the IPv6.

39 LIMITATIONS LIMITATIONS Writing of this paper has been a challenging task because the Mobile IPv6 specification is under development at the moment and a lot of changes and new propositions are introduced all the time. Finding the most important ones of them required a lot of reading of different research papers, Internet drafts and mailing list messages, which is made available by IETF.

40 ACKNOWLEDGMENTS Thanks to IETF and IP working group

41 REFERENCES Johnson, D., Perkins, C. Arkko, J. Mobility Support in IPv6, draft-ietf- mobileip-ipv6-18, IETF, June 2002. Perkins, C., ed. IP Mobility Support. IETF, RFC 2002, October 1996. Thomson, S. and Narten, T. IPv6 Stateless Address Autoconfiguration. IETF, RFC 1971, August 1996. Narten, T., Nordmark, E., and Simpon, W. Neighbor Discovery for IP Version 6 (IPv6), IETF, RFC 1970, August 1996.

42 Kent, S. and Atiknson, R. IP Encapsulation Security Payload (ESP), IETF, RFC 2406 November 1998. Kent, S. and Atiknson, R. IP Authentication Header (AH), IETF, RFC 2402 November 1998. Aura, T., Arkko, J. MIPv6 BU attacks and Defenses, draft-aura-mipv6-bu-attacks-01.txt, IETF, February 2002. Greg, O., Mobile Ipv6 for Windows XP (.NET Server) and Windows CE4.0, MSRC Joint with Lancaster University And Ericsson Research.

43 Montenegro, G. and Nikander, P. Protecting against Bidding Down Attacks. Draft- Montenegro-mipv6sec-bit-method-00.txt, IETF, April 2002. Greg, O. and Michael, R. Childproof Authentication for MIPv6 (CAM). ACM Computer Communication Review, 31 (2), April 2001. Nikandar, P. and Perkins, C. Binding authentication key establishment protocol for Mobile Ipv6, draft-Perkins-bake-01.txt, IETF Mobile IP Working Group, July 2001.

44 Thank you

Download ppt "SECURITY THREATS ANALYSIS OF ROUTE OPTIMIZATION MECHANSIM IN MOBILE IPV6 BY Wafaa Al-Salihy."

Similar presentations

Security Issues In Mobile IP

Security Issues In Mobile IP
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Secure Mobile IP Communication

Secure Mobile IP Communication
Mobile IPv6. Why study Mobility in IPv6? What is so different about Mobile IPv6 ?

Mobile IPv6. Why study Mobility in IPv6? What is so different about Mobile IPv6 ?
Mobile IP Outline Intro to mobile IP Operation Problems with mobility.

Mobile IP Outline Intro to mobile IP Operation Problems with mobility.
Mobile IPv6: An Overview Dr Martin Dunmore, Lancaster University.

Mobile IPv6: An Overview Dr Martin Dunmore, Lancaster University.
IPv6 Mobility Support Henrik Petander

IPv6 Mobility Support Henrik Petander
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
1 Introduction to Mobile IPv6 IIS5711: Mobile Computing Mobile Computing and Broadband Networking Laboratory CIS, NCTU.

1 Introduction to Mobile IPv6 IIS5711: Mobile Computing Mobile Computing and Broadband Networking Laboratory CIS, NCTU.
Mobility Support in IPv6 Advanced Internet, 2004 Fall 8 November 2004 Sangheon Pack.

Mobility Support in IPv6 Advanced Internet, 2004 Fall 8 November 2004 Sangheon Pack.
MIP Extensions: FMIP & HMIP

MIP Extensions: FMIP & HMIP
1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.

1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.
Mobile IPv6 趨勢介紹 1. Mobile IP and its Variants Mobile IPv4 (MIPv4) – MIPv4 – Low-Latency Handover for MIPv4 (FMIPv4) – Regional Registration for MIPv4.

Mobile IPv6 趨勢介紹 1. Mobile IP and its Variants Mobile IPv4 (MIPv4) – MIPv4 – Low-Latency Handover for MIPv4 (FMIPv4) – Regional Registration for MIPv4.
1 Mobile IP Myungchul Kim Tel: 042-866-6127.

1 Mobile IP Myungchul Kim Tel:
Authentication In Mobile Internet Protocol version 6 Liu Ping Supervisor: professor Jorma Jormakka.

Authentication In Mobile Internet Protocol version 6 Liu Ping Supervisor: professor Jorma Jormakka.
NISNet Winter School Finse 2008 1 Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology

NISNet Winter School Finse Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology
MOBILITY SUPPORT IN IPv6

MOBILITY SUPPORT IN IPv6
A Study of Mobile IP Kunal Ganguly Wichita State University CS843 – Distributed Computing.

A Study of Mobile IP Kunal Ganguly Wichita State University CS843 – Distributed Computing.
Mobile IP.

Mobile IP.
Slide 1, Dr. Wolfgang Böhm, Mobile Internet, © Siemens AG 2001 Dr. Wolfgang Böhm Siemens AG, Mobile Internet Dr. Wolfgang.

Slide 1, Dr. Wolfgang Böhm, Mobile Internet, © Siemens AG 2001 Dr. Wolfgang Böhm Siemens AG, Mobile Internet Dr. Wolfgang.

Similar presentations

Ads by Google