MANAGEMENT AND METHODS OF MOBILE IP SECURITY


1 MANAGEMENT AND METHODS OF MOBILE IP SECURITY
Presented by Rami Elnaw, Yashashwini Panchalingaiah, Shiva Kumar Nadicherra

2 Introduction: In this paper we tackle two of the most pressing issues related to Mobile IP security. These issues affect mobility and have a tremendous effect throughout the network. Despite its great flexibility and a certain level of reliability, mobility exposes mobile nodes and entire networks to various security threats. Appropriate services and protocols are required to limit or defeat the effect of such threats. While some of these problems can be overcome today, others require additional research before they lead to practical and feasible solutions.

3 Security tools: There are two kinds of cryptosystem: symmetric and asymmetric. In symmetric cryptosystems one key (public key) is used to encrypt the data. In asymmetric cryptosystems two keys are used: one to encrypt the data (public key) and another to decrypt it (private key). The two methods can be combined to provide cryptographic operations. We introduce some tools that have been developed to protect mobile nodes from various types of attacks. These tools include authentication, the process of making sure that a message comes from an authentic source and goes to an authentic destination.

4 In the following sections we tackle two Mobile IP security issues, showing how each happens and the existing solutions for it: 1/ Denial of Service 2/ Session Hijacking. 1/ Denial of Service (DoS): To avoid confusion, two similar terms have to be clearly distinguished: DoS and DDoS. The difference is that a DoS attack typically uses one computer and one Internet connection to flood a targeted system or resource, while a DDoS attack uses multiple computers and Internet connections to flood the targeted resource.

5 DoS Definition: A Denial of Service (DoS) attack is any attack that prevents a user from getting useful work done. From a computer network standpoint a denial of service attack can take two forms: a host is flooded with packets (preventing that host from processing useful packets), or something interferes with the flow of useful packets to a node. DoS, how it works? In a Mobile IP network a denial of service attack occurs when an attacker manages to make a bogus registration of a new care-of address for a particular mobile node. Such a bogus registration gives rise to two problems: · The mobile node is no longer connected; · The attacker gets to see all traffic directed to the original mobile node.

6 DoS Diagram

7 In this kind of attack the attacker generally needs to be in the middle between the two corresponding hosts in order to cut off their traffic. With a Mobile IP network the attacker can attack from anywhere: when a mobile device is connected on a foreign network it must use the registration procedure to inform its home agent of its current care-of address, to which the home agent will then intercept and tunnel all traffic destined for the mobile device's home address. So the attacker can send the home agent a manipulated registration request message declaring its own IP address as the care-of address for a mobile device, and all traffic sent to the mobile device goes to the attacker instead.

8 DDoS or Distributed Denial of Service
A DDoS is a type of DoS attack in which multiple compromised systems, often infected with a Trojan, are used to target a single system, causing a Denial of Service (DoS). Victims of a DDoS attack include both the end targeted system and all systems maliciously used and controlled by the attacker in the distributed attack.

9 How do DDoS attacks work? In a DDoS attack the incoming traffic flooding the victim originates from many different sources, potentially hundreds of thousands or more. This makes it effectively impossible to stop the attack simply by blocking a single IP address. In addition, it is very difficult to distinguish legitimate user traffic from attack traffic when it is spread across so many points of origin.

10 Proposed solutions for DoS:
There is no technique that fully eradicates the effect of DoS, but there are a few techniques to mitigate it. The techniques are as follows:
• Mitigating DoS using Access Control Lists (ACL)
• Mitigation using Rate limiting
• Automatic command insertion using SSH

11 Mitigating DoS using Access Control Lists (ACL)
An Access Control List (ACL) is a set of rules applied on a machine in order to control permissions. The list controls the traffic moving in and out of a point and thus protects the network. When an ACL is applied on a router, incoming IP packets are checked against the ACL table before they are allowed in. Following are the ACL commands (IOS; the access-list entries themselves are not given in the slide):
conf t
access-list 1 ...
interface f0/1
ip access-group 1 in

12 Mitigation using Rate limiting
The rate limit places a cap, or sets a threshold, on the amount of traffic the server has to withstand. This method saves the network from a sustained DoS and is very effective. The best part is that the network administrator decides how much traffic is allowed into the network. Building on the ACL commands, the following commands are used here (the rate and burst figures are not given in the slide):
conf t
int f0/1
rate-limit input <bps> <burst-normal> <burst-max> conform-action transmit exceed-action drop

13 Automatic command insertion using SSH
This is an automatic command insertion technique that makes the router stronger and more secure. The incoming and outgoing traffic rate is monitored continuously and every anomaly is registered. The code is developed using shell scripting. When traffic crosses a certain threshold, the code automatically inserts commands into the router. Expect: a command-line tool for scripting interactive applications.
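As an added example (not from the presentation), the monitoring loop of slide 13 written in Python instead of a shell/Expect script: it reads constructed per-interval interface counters, registers every interval above an assumed packets-per-second threshold, and on the first crossing hands the rate-limit command sequence of slide 12 to a `push` callable that stands in for the SSH/Expect session. The threshold, rate and burst figures are assumptions; the slides give none.

```python
import re
from typing import Callable, Iterator, List, Tuple

# Constructed sample of per-interval counters a monitor script might collect:
# interface, seconds since the previous sample, packets received in that interval.
SAMPLES = """\
f0/1 10 4200
f0/1 10 5100
f0/1 10 98000
f0/1 10 120000
f0/1 10 3900
"""

PPS_THRESHOLD = 5000     # assumed anomaly threshold in packets per second
RATE_BPS = 8000000       # assumed policed rate; slide 12 gives no figure
BURST = 16000            # assumed burst-normal / burst-max in bytes

def parse_samples(text: str) -> Iterator[Tuple[str, float]]:
    """Yield (interface, packets per second) for each well-formed counter line."""
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\d+)\s+(\d+)$", line.strip())
        if m and int(m.group(2)) > 0:
            yield m.group(1), int(m.group(3)) / int(m.group(2))

def rate_limit_commands(iface: str) -> List[str]:
    """IOS command sequence from slide 12 with the assumed figures filled in."""
    return ["conf t", f"int {iface}",
            f"rate-limit input {RATE_BPS} {BURST} {BURST} "
            "conform-action transmit exceed-action drop",
            "end"]

def monitor(text: str, push: Callable[[List[str]], None]) -> List[Tuple[str, float]]:
    """Register every interval above the threshold; on the first crossing per
    interface push the rate-limit commands once rather than every interval."""
    anomalies: List[Tuple[str, float]] = []
    limited = set()
    for iface, pps in parse_samples(text):
        if pps <= PPS_THRESHOLD:
            continue
        anomalies.append((iface, pps))
        if iface not in limited:
            push(rate_limit_commands(iface))
            limited.add(iface)
    return anomalies

if __name__ == "__main__":
    # With a real router, `push` would open the SSH session (Expect or paramiko)
    # and send each command; here it just prints them.
    print(monitor(SAMPLES, lambda cmds: print("\n".join(cmds))))
```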

14 Proposed Solutions for DDoS
The most feasible way to handle this type of situation is a Turing Test mechanism, as in Kill-Bots. The graphical CAPTCHAs most widely used today consist of pictures with distorted text and take up a lot of valuable bandwidth, especially during an attack: when images are sent from server to client for authentication during a DDoS attack, a substantial amount of bandwidth is consumed. The problems are as follows: Speech Segmentation, Text Segmentation, Word Sense Disambiguation, Syntactic Ambiguity, Imperfect or Irregular input, Speech acts and plans.

15 Redirect Attacks: Most redirect attacks occur at the binding cache, due to unauthenticated binding update messages sent by intruders/attackers. The redirect attack we discuss here is based on Mobile IPv6 packet routing. Session Hijacking: This attack results in information leakage, impersonation of mobile node MN1, or flooding of MN2.

16 Assumptions made for security purposes:
Pre-establishing a security association between a mobile node and its home agent: since mobile nodes and home agents know each other, a strong security association can easily be pre-established for the packets they exchange. IPsec's Encapsulating Security Payload (ESP) is used to set up a secured tunnel between them, so securing the binding update message between them is a straightforward task. There is no pre-established security association between a mobile node and a random correspondent node: as Mobile IPv6 is used on a global basis, building a global authentication infrastructure to authenticate mobile nodes and random CNs would be a very hard task. Also, making a traditional authentication infrastructure keep track of the correct IP addresses of all hosts is impossible, or at least very hard, due to the dynamic association between IP addresses and hosts. Given the above assumptions, we concentrate on the second one, i.e. securing binding updates from mobile nodes to correspondent nodes. IETF'S BINDING UPDATE PROTOCOLS FOR SECURITY PURPOSES: Two protocols are provided for securing the binding update messages: 1. Return Routability (RR) protocol. 2. Cryptographically Generated Address (CGA) protocol.

17 1. Return Routability (RR) protocol:
Session hijacking can take place even with the RR protocol: consider the session hijacking figure above, where MN1 and CN have an ongoing communication session and the intruder wants to redirect CN's traffic to its own MN2. The intruder monitors the CN-HA path, obtains the HoT message, extracts the home cookie CH and sends it to MN2. Upon receiving CH, MN2 sends a CoTI to CN and CN replies with a care-of cookie Cc. MN2 simply hashes the two cookies to obtain a valid session key and uses that key to send a BUM to CN on behalf of MN1. The binding update is accepted by CN, which in turn directs its traffic to MN2.

18 2. Cryptographically Generated Address (CGA) protocol:
In this protocol the 128-bit IP address is divided into a subnet prefix and an interface identifier. The home addresses of all mobile nodes associated with a home link share the same home link subnet prefix and are differentiated by unique interface identifiers. Possibility of session hijacking even with the CGA protocol: the hash function acts as a "one-to-one" mapping from a public key value to an interface identifier, binding a public key value to an interface identifier. The only assurance the correspondent node gets from a BU is that h(P'MN) matches the II in HoA; together with positive verification of the signature on the BU, this is the only proof that it was generated by the MN whose identifier portion is II, and it is hard to find the private key S'MN. Protection from session hijacking is provided only if the number of bits in II, (128-n), is large enough. If it is small, an intruder can generate random pairs of public and private keys and look for a match to the target node's II. Once one is found, the intruder cheats the target node with fake binding updates.
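An added example (not the presentation's code) of the CGA-style binding check in Python: the interface identifier is a hash of the public key, the home address is the home link prefix (n bits) followed by that identifier (128-n bits), and the correspondent node checks that the key presented in a BU hashes to the II in HoA. The hash construction is a simplification of RFC 3972 (no modifier or collision count), the signature check on the BU is left out, and the keys and prefix are constructed; `expected_trials` shows the (128-n) dependency the slide describes.

```python
import hashlib
import ipaddress

def interface_identifier(pubkey: bytes, ii_bits: int) -> int:
    """h(P_MN): hash the public key and keep the top ii_bits bits as the
    interface identifier. Simplified stand-in for RFC 3972 CGA generation."""
    digest = hashlib.sha256(pubkey).digest()
    return int.from_bytes(digest, "big") >> (256 - ii_bits)

def cga_home_address(link_prefix: str, pubkey: bytes) -> ipaddress.IPv6Address:
    """HoA = home link subnet prefix (n bits) | h(P_MN) (128-n bits)."""
    net = ipaddress.IPv6Network(link_prefix)
    ii = interface_identifier(pubkey, 128 - net.prefixlen)
    return ipaddress.IPv6Address(int(net.network_address) | ii)

def ii_part(hoa: str, prefixlen: int) -> int:
    """Extract the interface identifier bits (the low 128-n bits) of a home address."""
    return int(ipaddress.IPv6Address(hoa)) & ((1 << (128 - prefixlen)) - 1)

def cn_check_binding(hoa: str, claimed_pubkey: bytes, prefixlen: int) -> bool:
    """CN's CGA check on a BU: the key the sender presents must hash to the II in
    HoA; otherwise the BU does not come from the node that owns that address."""
    return interface_identifier(claimed_pubkey, 128 - prefixlen) == ii_part(hoa, prefixlen)

def expected_trials(prefixlen: int) -> int:
    """Random key pairs an intruder must try on average to hit a target II:
    2^(128-n). A short II (large n) makes that search cheap."""
    return 2 ** (128 - prefixlen)
```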

19 Proposed Secure Binding Update Protocol:
This protocol is proposed and designed with the following features, drawn from observing the RR and CGA protocols:
· It uses public key cryptosystems, which make it secure against powerful passive and active attacks.
· It issues public key certificates for home links, containing the home link subnet prefixes as subject names.
· It performs a one-way authenticated key exchange between MN and CN; the exchanged session key is used to secure the BUM from MN to CN.
· It testifies to the legitimacy of the MN's home address, facilitates authentication of mobile nodes to correspondent nodes, and establishes shared secret session keys for them.
Fig: exchange of messages in proposed protocol

20 Analysis of Session Hijacking in proposed protocol:
At first glance anyone would think that this protocol performs a strong one-way authentication of MN to CN and gives CN confidence that it shares a secret session key with MN. On in-depth analysis we can point out that EXCH0 plays a vital role in this protocol. From the above operation we observe that, after receiving EXCH0, CN checks the equality of the HL subnet prefix contained in Cert'H and in HoA. This check is critical for detecting a man-in-the-middle attack. The signature SIG'H = S'H(HoA|CN|g^x|n1|n2|TS) serves two purposes: 1. It certifies that the Diffie-Hellman value g^x originated from MN's home agent HA on behalf of MN. 2. It testifies that HoA is under HA's control and is a real home address of its mobile node MN. This authenticates MN's HoA to CN. As the protocol allows CN to authenticate MN's HoA and allows the two nodes to set up a secret session key for securing binding updates, this protocol prevents the session hijacking attack.
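An added example (not the authors' code) of the EXCH0 checks described above, in Python: the home agent builds EXCH0 with Cert'H, HoA, g^x, the nonces, a timestamp and SIG'H over (HoA|CN|g^x|n1|n2|TS); CN rejects the message unless the subnet prefix in Cert'H covers HoA and SIG'H verifies, and only then continues the Diffie-Hellman exchange to a shared session key. The signature is replaced by a keyed MAC stand-in, the DH group is a toy Mersenne prime, and the addresses and key are constructed.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Optional, Tuple

P, G = 2**127 - 1, 3                       # toy DH group (Mersenne prime); not for real use
HA_KEY = b"constructed-HA-signing-key"     # stands in for the home agent's private key S'H

def sign(key: bytes, *fields: bytes) -> bytes:
    """Stand-in for S'H(...): a keyed MAC over the '|'-joined fields (assumption)."""
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()

def make_exch0(hoa: str, cn: str, n1: bytes, n2: bytes, ts: int, cert_prefix: str):
    """HA builds EXCH0 on MN's behalf: Cert'H (its subnet prefix), HoA, g^x, nonces,
    timestamp and SIG'H = S'H(HoA|CN|g^x|n1|n2|TS). Returns the message and x."""
    x = secrets.randbelow(P - 2) + 1
    gx = pow(G, x, P)
    sig = sign(HA_KEY, hoa.encode(), cn.encode(), str(gx).encode(), n1, n2, str(ts).encode())
    return {"cert_prefix": cert_prefix, "hoa": hoa, "cn": cn, "gx": gx,
            "n1": n1, "n2": n2, "ts": ts, "sig": sig}, x

def cn_verify_exch0(msg: dict, ha_key: bytes = HA_KEY) -> Optional[int]:
    """CN's checks: the HL subnet prefix in Cert'H must cover HoA (the man-in-the-
    middle check) and SIG'H must verify. Returns g^x on success, None to reject."""
    if ipaddress.IPv6Address(msg["hoa"]) not in ipaddress.IPv6Network(msg["cert_prefix"]):
        return None
    expect = sign(ha_key, msg["hoa"].encode(), msg["cn"].encode(),
                  str(msg["gx"]).encode(), msg["n1"], msg["n2"], str(msg["ts"]).encode())
    return msg["gx"] if hmac.compare_digest(expect, msg["sig"]) else None

def session_key(shared: int, n1: bytes, n2: bytes) -> bytes:
    """Both sides derive the BU-protection key from g^xy and the two nonces."""
    return hashlib.sha256(str(shared).encode() + n1 + n2).digest()

def run_exchange(hoa: str, cert_prefix: str, cn: str = "2001:db8:2::1") -> Optional[Tuple[bytes, bytes]]:
    """One round: HA sends EXCH0, CN verifies it and answers with g^y.
    Returns (CN's key, MN's key) when CN accepts, None when it rejects."""
    n1, n2 = secrets.token_bytes(8), secrets.token_bytes(8)
    msg, x = make_exch0(hoa, cn, n1, n2, 1700000000, cert_prefix)  # constructed TS
    gx = cn_verify_exch0(msg)
    if gx is None:
        return None
    y = secrets.randbelow(P - 2) + 1
    gy = pow(G, y, P)
    return session_key(pow(gx, y, P), n1, n2), session_key(pow(gy, x, P), n1, n2)
```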

21 Any Queries?

22 THANK YOU…!!!
