Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005."— Presentation transcript:

1 Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005

2 Outline What needs to be dynamically configured? –Mobile IP WG calls dynamic configuration “bootstrapping” What are the security problems and measures? How is EAP being proposed as a solution? Analysis of EAP Solution Summary

3 What Needs to be Dynamically Configured?

4 Bootstrapping in the Mobile IPv6 Standard Bootstrapping based on RFC 3775: –Topology-dependent dynamic home agent discovery –Authorized, dynamically autoconfigured home address with above –Preconfigured IKE preshared key to avoid host certificate provisioning  Pre-provisioned information required on Mobile Node (best case):  Home subnet prefix  Home Agent/Mobile Node preshared key indexed by NAI on Home Agent for IKEv1 Phase 1

5 What’s Missing? Topology-free dynamic Home Agent Address discovery Authorized, dynamically configured home address with above Credentials for IKE authorization of mobility service are AAA-like user/password credentials –Avoids host certificate provisioning and preconfigured preshared key  Pre-provisioned information required on the Mobile Node:  Topology-free host identifier (e.g. NAI)  Some credentials for authorizing mobility service through EAPoIKEv2

6 What Needs to Be Configured? Home Agent address? –Yes, required Home Address? –Possibly, but that can be configured via IKEv2 too IPsec SA? –No, that should be set up using IKE Security credentials for IKE session? –Depends on the deployment scenario –Could be configured out of band or as part of the bootstrapping process –When EAP is used, security credentials for IKE (e.g. preshared key) are bootstrapped too

7 What are the Security Problems and Measures?

8 Home Agent/Mobile Node SA Establishment Server to host data origin and integrity/replay protection –To protect a legitimate Mobile Node against rogue Home Agents Host to server data origin and integrity/replay protection, and host mobility service authorization –To protect Home Agent from theft or disruption of mobility service by an attacker Stateless Home Agent initial transaction –To avoid DoS state depletion attacks This is covered by IKEv2

9 Home Address Discovery Server to host data origin and integrity/replay protection –To protect a legitimate Mobile Node against rogue Home Agents handing out bogus addresses Host to server data origin and integrity/replay protection –To protect Home Agents against unauthorized Mobile Nodes obtaining home addresses This is covered by IKEv2 too

10 IKE Security Credentials Bidirectional data origin and integrity/replay protection –To avoid someone spoofing the credential Bidirectional confidentiality protection –To avoid someone stealing the credential This can’t be provided by IKE because it is used to secure IKE

11 NonThreats “Unauthorized” discovery of the Home Agent address –Even if the address is only sent to authorized users, there is no guarantee that an authorized user will not misuse it Bogus Home Agent discovery –If the Mobile Node is given a bogus Home Agent address, it will not authenticate during IKEv2 transaction Eavesdropping to find the Home Agent address while discovered –Home Agent address must be the destination address on Binding Update and so is always public Attacks on the Mobile Node’s home address –The home address is typically published in the DNS anyway and therefore is public

12 How is EAP being Proposed as a Solution? ref: draft-giaretta-mip6-authorization-eap-02.txt

13 EAP Configuration Protocol Flow Border Router AR AP/NAS Access Network Mobile Node Internet AAA-H AAA-L Terminal sends credentials to NAS NAS sends credentials to local AAA Master Key pushed to AP Local AAA relays decision to NAS NAS authorizes Internet access Internet Access! Authorization Decision! Home Network Home Agent Address, Credentials for Mobility ServiceAuthorization, and optional Home Address Included! Home AAA replies with authentication and authorization decision and Master Key Local AAA sends credentials to home AAA Mobile Node now has Home Agent Address and preshared key (but not IPsec SAs)!.

14 Home Network IKEv2/MIP6 Protocol Flow Border Router AR AP/NAS Access Network Mobile Node Internet Home Agent AAA-H Mobile Node now has IPsec SAs and Home Address. EAPoIKEv2 (Home Address returned in IKE CONFIG if required) Authorization Decision! ESP + BU/BAck for Binding Update See draft-ietf-mipv6-ikev2-ipsec-00.txt for IKEv2/MIP6 interaction EAPoAAA

15 Analysis of EAP Solution

16 Problems Solved by EAP* Secure configuration of Home Agent address and home address via EAP method –Data origin and integrity/replay protection server to host –Also confidentiality and host to server authentication Secure configuration of IKE credentials (e.g. preshared key) –Bidirectional confidentiality and data origin, integrity/replay protection –Mobility service authentication and authorization credentials are the same as for network access Optimization of signaling to reduce protocol needed for Home Agent discovery and confine it to a time when configuration is being done anyway –Secondary effect *Assumes a secure, extensible EAP method!

17 Problems Not Solved by EAP Bootstrapping Home Agent address when the Home Network Service Provider and Mobility Service Provider are not the same –EAP bootstrapping depends on AAA-H to provide a Home Agent address Bootstrapping mobility service authorization when the Access Service Authorizer and Mobility Service Authorizer are not the same –EAP bootstrapping uses network access credentials for mobility service authorization and Home Agent address discovery Bootstrapping when EAP is not used for network access authentication and authorization

18 Problems Created by EAP for Configuration Management of Home Agent address, IKE session credentials, and potentially home address information in AAA-H –See draft-giaretta-mip6-aaa-ha-goals-00.txt for discussion of requirements/issues Opens a “hole” in original design goal tightly confining EAP for configuration to network access keys only –Now, IP address information is configured also –What else will drive through that hole?

19 Summary

20 MIP6 bootstrapping requires configuration of Home Agent address from nontopological identity –Home address can be configured by IKEv2 –Optional configuration of credentials for IKE session if not preconfigured EAP provides a mechanism for configuring all of the above –Only method that can securely provision IKE session credentials Other methods provide mechanisms for configuring some of the above or in cases where EAP can’t be used The Question on Debate: Does EAP configuration provide enough benefit to expand the current deliberately narrow scope of applicability?

21 Questions/Comments?

Download ppt "Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005."

Similar presentations

Mobile IPv6. Why study Mobility in IPv6? What is so different about Mobile IPv6 ?

Mobile IPv6. Why study Mobility in IPv6? What is so different about Mobile IPv6 ?
Mobile IPv6: An Overview Dr Martin Dunmore, Lancaster University.

Mobile IPv6: An Overview Dr Martin Dunmore, Lancaster University.
Washinton D.C., November 2004 IETF 61 st – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena.

Washinton D.C., November 2004 IETF 61 st – mip6 WG Goals for AAA-HA interface (draft-giaretta-mip6-aaa-ha-goals-00) Gerardo Giaretta Ivano Guardini Elena.
MIP Extensions: FMIP & HMIP

MIP Extensions: FMIP & HMIP
1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.

1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.
Mobile IPv6 趨勢介紹 1. Mobile IP and its Variants Mobile IPv4 (MIPv4) – MIPv4 – Low-Latency Handover for MIPv4 (FMIPv4) – Regional Registration for MIPv4.

Mobile IPv6 趨勢介紹 1. Mobile IP and its Variants Mobile IPv4 (MIPv4) – MIPv4 – Low-Latency Handover for MIPv4 (FMIPv4) – Regional Registration for MIPv4.
Enabling IPv6 in Corporate Intranet Networks

Enabling IPv6 in Corporate Intranet Networks
AAA Mobile IPv6 Application Framework draft-yegin-mip6-aaa-fwk-00.txt Alper Yegin IETF 61 – 12 Nov 2004.

AAA Mobile IPv6 Application Framework draft-yegin-mip6-aaa-fwk-00.txt Alper Yegin IETF 61 – 12 Nov 2004.
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
A Secure Access System for Mobile IPv6 Network ZHANG Hong Aug 28, 2003

A Secure Access System for Mobile IPv6 Network ZHANG Hong Aug 28, 2003
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
Bootstrapping MIP6 Using DNS and IKEv2 (BMIP) James Kempf Samita Chakrarabarti Erik Nordmark draft-chakrabarti-mip6-bmip-01.txt Monday March 7, 2005.

Bootstrapping MIP6 Using DNS and IKEv2 (BMIP) James Kempf Samita Chakrarabarti Erik Nordmark draft-chakrabarti-mip6-bmip-01.txt Monday March 7, 2005.
NISNet Winter School Finse 2008 1 Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology

NISNet Winter School Finse Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology
NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.

NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.
AAA-Mobile IPv6 Frameworks Alper Yegin IETF 62. 2 Objective Identify various frameworks where AAA is used for the Mobile IPv6 service Agree on one (or.

AAA-Mobile IPv6 Frameworks Alper Yegin IETF Objective Identify various frameworks where AAA is used for the Mobile IPv6 service Agree on one (or.
ICOS BOF Securing Internet Configuration Bernard Aboba Microsoft IETF 62, Minneapolis, MN.

ICOS BOF Securing Internet Configuration Bernard Aboba Microsoft IETF 62, Minneapolis, MN.
Slide 1, Dr. Wolfgang Böhm, Mobile Internet, © Siemens AG 2001 Dr. Wolfgang Böhm Siemens AG, Mobile Internet Dr. Wolfgang.

Slide 1, Dr. Wolfgang Böhm, Mobile Internet, © Siemens AG 2001 Dr. Wolfgang Böhm Siemens AG, Mobile Internet Dr. Wolfgang.
Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.

Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.
Lecture 3a Mobile IP 1. Outline How to support Internet mobility? – by Mobile IP. Our discussion will be based on IPv4 (the current version). 2.

Lecture 3a Mobile IP 1. Outline How to support Internet mobility? – by Mobile IP. Our discussion will be based on IPv4 (the current version). 2.

Similar presentations

Ads by Google