SECURITY THREATS ANALYSIS OF ROUTE OPTIMIZATION MECHANISM IN MOBILE IPV6

W. Al-Salihy
Network Research Group
School of Computer Sciences
University Science Malaysia
Penang, Malaysia
H/P (006) 0125581776
wafaa@nrg.cs.usm.my

R. Sures
Network Research Group
School of Computer Sciences
University Science Malaysia
Penang, Malaysia
H/P (006) 0124083334
sures@usm.my

ABSTRACT
In current Mobile IPv6, each mobile node is identified by its home address, regardless of its current point of attachment to the Internet. While situated away from its home, a mobile node is also associated with a care-of address, which provides information about the mobile node's current location. IPv6 packets addressed to a mobile node's home address are transparently routed to its care-of address. The protocol enables IPv6 nodes to apply route optimization, that is, to cache the binding of a mobile node's home address with its care-of address and then to send any packets destined for the mobile node directly to it at this care-of address.
To support route optimization, current Mobile IPv6 [4] faces many security threats. This paper focuses on analyzing the security threats to the route optimization mechanism and on explaining why the current Mobile IPv6 needs to be redesigned. This paper does not show the MIPv6 protocol after redesign; rather, it shows the need for redesigning it.

Keywords
Mobile IPv6, Route Optimization, Security Threats

1. BACKGROUND
Mobile computing and networking should not be confused with the portable computing and networking we have today. In mobile networking, computing activities are not disrupted when the user changes the computer's point of attachment to the Internet. Instead, all the needed reconnection occurs automatically. Mobile IP [10], a standard proposed by a working group within the Internet Engineering Task Force, was designed to provide this way of communication (mobility) by allowing the mobile node to use two IP addresses: a fixed home address and a care-of address that changes at each new point of attachment.
Current Mobile IP will change with Mobile IPv6, which has many features for mobility support that are missing in the current version, including Stateless Address Autoconfiguration [11] and Neighbor Discovery [8], which allow the node to configure its care-of address itself; thus, foreign agents are not required to support mobility in IPv6. It also includes Route Optimization, which improves the performance of IPv6 mobile nodes.

1.1 How Mobile IPv6 Works
MIPv6 describes mechanisms similar to Mobile IP whereby a mobile node can freely roam between network links and yet constantly remain accessible through a home address (HoA) statically allocated on its "home" network. While away from its home network, a mobile node (Mn) makes use of a care-of address (CoA) dynamically allocated on the network to which it is currently attached, while a proxy known as a home agent is responsible for forwarding (tunneling) packets arriving at the home network on to the mobile node's care-of address. A mobile node makes its whereabouts known to its home agent by sending it a binding update (BU) message, the triplet message, which contains the home address, its current care-of address and the lifetime. Every home agent maintains a binding cache recording the binding updates it has received. Any node that communicates with a mobile node is a correspondent node (Cn), and in fact every IPv6 node is a potential correspondent node. A mobile node also sends a binding update (BU) to any correspondent node from which a (tunneled) packet has been received via its home agent.
Unlike Mobile IP, Mobile IPv6 offers a route optimization mechanism in which each correspondent node maintains a binding cache which its transmit function uses to redirect packets directly to the mobile node's care-of address, thus saving at least one network hop relative to the route through the home agent. Home agents and correspondent nodes may refresh a binding cache entry by sending a binding request to a mobile node, requesting the transmission of a fresh binding update. MIPv6 minimizes the state that a correspondent node must maintain by including a home address option field, encoding a mobile node's home address, in every packet sent by a mobile node while it is away from its home network. The receive side of the IP stack on the correspondent node informs higher level software that the packet was sourced not from the care-of address in the packet's header, but from the address given in the home address option.
Because the binding updates sent remotely to the home agent affect the home agent's routing table (binding cache), and because the communication is direct between the correspondent node (Cn) and the mobile node (Mn) when the route optimization mechanism is applied, the nodes must be certain whether the mobile node is the original one or a malicious node, which calls for strong authentication.
2. CURRENT PROBLEMS IN THE SECURITY OF MIPV6
Initially the plan was to use only the IPSec Authentication Header (AH) for binding message authentication, without defining and developing any new authentication protocol. This approach encountered many problems, and that is why several other methods have also been developed.
The current specification defines that IPSec ESP should be used for authentication between the Mn and the HA, and Return Routability (RR) should be used for authentication between the Mn and the Cn. The specification also makes it possible to use other, more secure methods than RR for authentication between the Mn and the Cn. These methods are discussed in the following sections.

2.1 IPSec Is Not Applicable for MIPv6
IPSec [5, 6] can be used to authenticate and encrypt packets at the IP level. That is why it was naturally the first proposed method for authentication of the binding messages. The biggest problem with the IPSec method is key distribution. The key distribution of IPSec, which is called Internet Key Exchange (IKE), uses either preshared secrets or public keys in the key exchange. When authentication is needed between a Mn and a HA, which must have some relationship in advance because the Mn uses the services of the HA, the needed secrets might be exchanged beforehand or some private public key distribution can be utilized. After several discussions in the IETF, IPSec ESP was chosen for binding message authentication between Mn and HA instead of IPSec AH. When considering authentication of the binding messages between a Mn and some unknown Cn, no preshared secret can be used. There does not exist a global public key infrastructure that could be utilized either. Because of that, IPSec as a whole is actually not usable for authentication between the Mn and the Cn.

2.2 Return Routability
In the MIPv6 draft, Binding Updates to correspondent nodes are supposed to be protected by using a binding management key, Kbm. Kbm may be established using data exchanged during the Return Routability (RR) procedure. The Return Routability procedure enables the correspondent node to obtain some reasonable assurance that the mobile node is in fact addressable at its claimed care-of address as well as at its home address. Only with this assurance is the correspondent node able to accept Binding Updates from the mobile node, which would then instruct the correspondent node to direct that mobile node's data traffic to its claimed care-of address. This is done by testing whether packets addressed to the two claimed addresses are routed to the mobile node. The mobile node can pass the test only if it is able to supply proof that it received certain data (the "keygen tokens") that the correspondent node sends to those addresses. These data are combined by the mobile node into a binding management key, denoted Kbm.
The Home and Care-of Test Init messages are sent at the same time. The procedure requires very little processing at the correspondent node, and the Home and Care-of Test messages can be returned quickly, perhaps nearly simultaneously. These four messages form the Return Routability procedure. Figure 1 shows the message flow for the Return Routability procedure.

[Figure 1. Message Flow for Return Routability procedure: HoTI and HoT are exchanged between the Mobile node (Mn) and the Correspondent node (Cn) by way of the Home Agent; CoTI and CoT are exchanged directly between Mn and Cn.]

Home Test Init (HoTI):
  Source Address = home address
  Destination Address = correspondent
  Parameters: home init cookie

Care-of Test Init (CoTI):
  Source Address = care-of address
  Destination Address = correspondent
  Parameters: care-of init cookie

Home Test (HoT):
  Source Address = correspondent
  Destination Address = home address
  Parameters: - home init cookie
              - home keygen token
              - home nonce index

Care-of Test (CoT):
  Source Address = correspondent
  Destination Address = care-of address
  Parameters: - care-of init cookie
              - care-of keygen token
              - care-of nonce index

care-of keygen token = First (64, HMAC_SHA1 (Kcn, (care-of address | nonce | 1)))

When the mobile node has received both the Home and Care-of Test messages, the Return Routability procedure is complete. As a result of the procedure, the mobile node has the data it needs to send a Binding Update to the correspondent node. The mobile node hashes the tokens together to form a 20 octet binding key Kbm:

Kbm = SHA1 (home keygen token | care-of keygen token)
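As an added illustration of the derivation just described (example code written for this page, not code from the paper or from any MIPv6 implementation), the following Python sketch runs the four-message exchange in-process and has the correspondent recompute Kbm from the addresses and nonce indices alone. It assumes the two sample addresses shown, a 20-octet Kcn and 8-octet nonces chosen here, and that the home keygen token uses the constant 0 where the care-of token uses 1, as in the MIPv6 draft; the paper only quotes the care-of form.

```python
import hashlib
import hmac
import ipaddress
import os
from typing import List, Optional, Tuple

# Constructed sample addresses (IPv6 documentation prefix); not values from the paper.
HOME_ADDRESS = "2001:db8:1::10"
CARE_OF_ADDRESS = "2001:db8:2::20"


def keygen_token(kcn: bytes, address, nonce: bytes, kind: int) -> bytes:
    """keygen token = First(64, HMAC_SHA1(Kcn, (address | nonce | kind))).

    The paper quotes the care-of form with kind = 1; kind = 0 for the home
    keygen token follows the MIPv6 draft and is an assumption here."""
    packed = ipaddress.IPv6Address(address).packed
    mac = hmac.new(kcn, packed + nonce + bytes([kind]), hashlib.sha1).digest()
    return mac[:8]  # First(64, ...): the leading 8 octets


def binding_management_key(home_token: bytes, care_of_token: bytes) -> bytes:
    """Kbm = SHA1(home keygen token | care-of keygen token), 20 octets."""
    return hashlib.sha1(home_token + care_of_token).digest()


class CorrespondentNode:
    """Correspondent side of Return Routability.

    It holds one secret Kcn and a short ring of nonces and keeps no per-mobile
    state: the token for any address is recomputed on demand from
    (address, nonce index), which is what keeps the procedure cheap for the Cn."""

    def __init__(self, kcn: Optional[bytes] = None, nonces: Optional[List[bytes]] = None):
        self.kcn = kcn if kcn is not None else os.urandom(20)
        self.nonces = nonces if nonces is not None else [os.urandom(8) for _ in range(8)]
        self.current = len(self.nonces) - 1  # index of the nonce handed out right now

    def home_test(self, home_address) -> Tuple[int, bytes]:
        """HoT payload: (home nonce index, home keygen token), sent to the home address."""
        return self.current, keygen_token(self.kcn, home_address, self.nonces[self.current], 0)

    def care_of_test(self, care_of_address) -> Tuple[int, bytes]:
        """CoT payload: (care-of nonce index, care-of keygen token), sent to the care-of address."""
        return self.current, keygen_token(self.kcn, care_of_address, self.nonces[self.current], 1)

    def kbm_for_binding(self, home_address, care_of_address, home_idx: int, care_of_idx: int) -> bytes:
        """Recompute Kbm for a Binding Update from the addresses and nonce indices it carries."""
        home_token = keygen_token(self.kcn, home_address, self.nonces[home_idx], 0)
        care_of_token = keygen_token(self.kcn, care_of_address, self.nonces[care_of_idx], 1)
        return binding_management_key(home_token, care_of_token)


def run_return_routability(cn: CorrespondentNode, home_address, care_of_address) -> Tuple[bytes, bytes]:
    """The four-message exchange seen from the mobile node.

    HoTI/CoTI carry only cookies, so they are not modelled; HoT/CoT return the
    tokens. Returns the Kbm the mobile derives and the Kbm the Cn recomputes."""
    home_idx, home_token = cn.home_test(home_address)              # HoT, arriving via the home agent
    care_of_idx, care_of_token = cn.care_of_test(care_of_address)  # CoT, arriving directly
    mobile_kbm = binding_management_key(home_token, care_of_token)
    cn_kbm = cn.kbm_for_binding(home_address, care_of_address, home_idx, care_of_idx)
    return mobile_kbm, cn_kbm


if __name__ == "__main__":
    cn = CorrespondentNode()
    mobile_kbm, cn_kbm = run_return_routability(cn, HOME_ADDRESS, CARE_OF_ADDRESS)
    print("Kbm (mobile):", mobile_kbm.hex())
    print("Kbm (Cn)    :", cn_kbm.hex(), "match" if mobile_kbm == cn_kbm else "MISMATCH")
```

Nothing in HoT or CoT is encrypted, so the two tokens are the only secret in the exchange. kbm_for_binding shows why the Cn needs no per-mobile state, and equally why any node that can read both test messages can derive the same Kbm, which is the on-path problem the paper goes on to describe.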
One of the design principles of Mobile IPv6 from the security perspective was that it should not introduce any new threats and vulnerabilities for IPv6.
The problem is that an attacker on the route between two communicating nodes can use binding messages, which are authenticated using the RR method, to break the connection easily. This is possible because any node between a Cn and a HA gets both keys, the home keygen token and the care-of keygen token, and can use them to convince the Cn to believe the impersonating attacker's binding messages. This happens as follows: the attacker eavesdrops on two communicating nodes A and B that are located in their home networks and learns their IP addresses. They can be any type of nodes, i.e. Cn or Mn. After that the attacker initiates the RR method by sending the messages HoTI and CoTI directly to B, using its own address as the CoA and A's address as the HoA. B sends the messages HoT and CoT in response to the received messages, and the attacker gets the keys. After that the attacker sends a BU to B in which it claims that A has moved to its own address, and B accepts the message because it is authenticated correctly using the RR method.

2.3 Attacks that Exploit MIPv6
Route optimization and Binding Updates create a new opportunity for attackers. By sending false BUs, they can create false entries in the correspondent host's Binding Cache and, thus, reroute IP packets to wrong destinations. If the data in the packets is not protected cryptographically, this can lead to compromise of secrecy and integrity. The attacker may also cause denial of service by keeping data from arriving at the right destination and by bombing a target host or network with unwanted data. Furthermore, the attacker can amplify the number of packets sent to the destination or reflect them. Using Return Routability as the default authentication can expose the hosts to a bidding down attack, which makes them give up the stronger authentication methods and choose RR.
Attacks are classified as active and passive. In most active attacks, the attacker can initiate the BU protocol execution at any time, while more passive attacks would require the attacker to wait for suitable messages to be sent by the target hosts. In this paper we consider the active attacks only.

2.3.1 Spoofing Binding Updates and Rerouting IP Packets to a Wrong Destination
If Binding Updates are not authenticated, an attacker can send spoofed BUs. All Internet hosts are vulnerable to this attack because they all must support the correspondent functionality [1]. There is also no way of telling which addresses belong to mobile hosts that really could send BUs. Consider an IP host A sending IP packets to another IP host B. The attacker can redirect the packets to an arbitrary address C by sending to A a Binding Update where the home address (HoA) is B and the care-of address (CoA) is C. After receiving this BU, A will send all packets intended for B to the address C.
The attacker may select the CoA to be either its own current address (or another address in its local network) or any other IP address. If the attacker selects a local CoA where it can receive packets, it will be able to send further packets to a correspondent, which the correspondent believes to be coming from the mobile. Ingress filtering at the attacker's local network does not prevent the spoofing of Binding Updates but forces the attacker either to choose a CoA from inside its own network or to use the Alternate CoA sub-option. This may make it easier for the attack targets to selectively filter the spurious BUs at a firewall.

2.3.1.1 Bombing any Mobile Node with Unwanted Data
By sending spoofed BUs, the attacker can redirect traffic to an arbitrary IP address. This can be used to bomb an arbitrary Internet address with excessive amounts of data. The attacker can also target a network by redirecting data to one or more IP addresses within the network. In the simplest attack, the attacker knows that there is a heavy data stream from host A to B and redirects this to the target address C. A will soon stop sending the data because it is not receiving acknowledgments from B. A more sophisticated attacker acts itself as B. It first subscribes to a data stream (e.g. a video stream from a news web site) and then redirects this to the target address C. The attacker may even be able to spoof the acknowledgements.
It does not help if the target's network stops using Route Optimization. The damage is the worst if these techniques are used to amplify the effect of a distributed denial of service (DDoS) attack. Ingress filtering in the attacker's local network prevents the spoofing of source addresses, but the attack is still possible by setting the Alternate CoA sub-option to the target address.
The attacker needs to find a correspondent that is willing to send data streams to unauthenticated recipients. Many popular web sites provide such streams. If the target is a single host, the attacker needs to know or guess the target's IP address. On the other hand, if the target is an entire network, the attacker can congest the link toward that network by bombing random addresses within its routing prefix or group of prefixes.

2.3.1.2 Basic Denial of Service Attack
By sending spoofed BUs, the attacker can redirect all packets sent between two IP hosts to a random or nonexistent address. This way, it may be able to stop or disrupt communication between the hosts. The requirements are that the target host or its correspondent must support Route Optimization and the attacker must know their IP addresses. Figure 2 shows the attack.

[Figure 2: Basic Denial of Service Attack. Data flow before the attack runs between Mn and Cn; the attacker redirects the packets to a random or non-existent host.]

2.3.1.3 Using the HoA to Bomb any Host with Unwanted Data
The attacker claims to be a mobile with the HoA equal to the target address. It starts downloading a data stream. The attacker then sends a BU cancellation (i.e. a request to delete the binding from the Binding Cache), or allows the cache entry to expire, which redirects the data stream to the HoA. The attacker can keep the stream alive by spoofing acknowledgments. Figure 3 shows the attack.

[Figure 3: Using the HoA to bomb any host with unwanted data. The attacker is a mobile whose HoA equals the target address; in the first step the Cn trusts the attacker, and after the cache entry expires or a cancel BU is sent the stream flows to the target host.]

When BUs are not authenticated, the attacker can choose an arbitrary address as the HoA and thus target any Internet node. BU authentication usually limits the attacker's choice of target address, but care must be taken when designing the protocol.

2.3.1.4 Attack Against Secrecy and Integrity
By spoofing Binding Updates, an attacker can redirect packets between two IP hosts to itself. By sending a spoofed BU to the Cn, it can capture the data intended for the Mn. It can pretend to be the Mn and hijack the Mn's connections with the Cn, or establish new spoofed connections. The attacker can also send spoofed BUs to both Cn and Mn and insert itself in the middle of all connections between them (man-in-the-middle attack). Consequently, the attacker is able to see and modify the packets sent between Cn and Mn. The attacks are possible if the target host or its correspondent supports Route Optimization and the attacker knows their IP addresses. Figure 4 shows the attack.

[Figure 4: Against Secrecy and Integrity Attack. Data flow before the attack runs between Mn and Cn; the attacker redirects the packets to itself, and the data is modified by the attacker.]

Strong encryption and integrity protection can prevent all the attacks against data secrecy and integrity. When the data is cryptographically protected, spoofed BUs can result in denial of service but not in disclosure or corruption of sensitive data beyond revealing the existence of the traffic flows. Ingress filtering, on the other hand, does not help because the attacker is using its own address as the CoA and is not spoofing source IP addresses.

2.3.2 Replaying and Blocking Binding Updates Attack
Any protocol for authenticating BUs will have to consider replay attacks [2]. That is, an attacker may be able to replay recent authenticated BUs to the correspondent and, that way, direct packets to the mobile host's previous location. Like spoofed BUs, this can be used both for capturing packets and for DoS. The attacker can capture the packets and impersonate the mobile node if it reserves the mobile's previous address after the mobile has moved away and then replays the previous BU to redirect packets back to the previous location. The replays are a concern if timestamps are used for checking the freshness of BUs and the mobile is moving so frequently that it sends the next BU before the timestamp in the previous BU has expired. Sequence numbers in authenticated BUs usually prevent the attack. The authentication protocol needs to be carefully designed to avoid more complex replay attacks. Figure 5 shows the attack.

[Figure 5: Replay Attack. Data flow before the attack runs between Mn and Cn; the attacker redirects the packets to the mobile node's previous location.]

In a related attack, the attacker blocks binding updates from the mobile at its new location, e.g. by jamming the radio link or by mounting a flooding attack, and takes over its connections at the old location. The attacker will be able to capture the packets sent to the mobile and to impersonate the mobile until the correspondent's Binding Cache entry expires.
Both of the above attacks require the attacker to be on the same local network as the mobile, where it can relatively easily observe packets and block them even if the mobile does not move to a new location.
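To make the sequence-number and lifetime checks above concrete, here is an added example (written for this page, not taken from the paper or from any MIPv6 stack) of a correspondent-side binding cache in Python. It assumes a Kbm has already been established for the home address, that the sequence number is 16 bits and compared modulo 2^16, and an authenticator layout First(96, HMAC_SHA1(Kbm, CoA | CN | BU data)) with BU data serialized as home address, sequence and lifetime; the paper only states that BUs are protected with Kbm, so that exact layout is an assumption of the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class BindingUpdate:
    home_address: str
    care_of_address: str
    sequence: int          # 16-bit sequence number carried in the BU
    lifetime: int          # seconds; 0 asks the correspondent to delete the binding
    authenticator: bytes


@dataclass
class CacheEntry:
    care_of_address: str
    expires_at: float


def bu_authenticator(kbm: bytes, correspondent: str, bu: BindingUpdate) -> bytes:
    """First(96, HMAC_SHA1(Kbm, CoA | CN | BU data)); BU data is serialized here as
    home address | sequence | lifetime. The paper only says BUs are protected
    with Kbm, so this layout is an assumption made for the example."""
    bu_data = bu.home_address.encode() + struct.pack("!HI", bu.sequence, bu.lifetime)
    data = bu.care_of_address.encode() + correspondent.encode() + bu_data
    return hmac.new(kbm, data, hashlib.sha1).digest()[:12]


def sequence_is_newer(new: int, old: int) -> bool:
    """Serial-number comparison modulo 2**16: newer iff 0 < (new - old) mod 2**16 < 2**15."""
    diff = (new - old) & 0xFFFF
    return 0 < diff < 0x8000


class BindingCache:
    """Correspondent-side binding cache. A BU is installed only if it verifies
    under the Kbm established for its home address, carries a newer sequence
    number than the last one accepted for that home address, and the entry is
    used only until its lifetime runs out."""

    def __init__(self, correspondent: str):
        self.correspondent = correspondent
        self.keys: Dict[str, bytes] = {}          # Kbm per home address, from Return Routability
        self.last_sequence: Dict[str, int] = {}   # kept across deletion/expiry so old BUs stay dead
        self.entries: Dict[str, CacheEntry] = {}

    def register_kbm(self, home_address: str, kbm: bytes) -> None:
        self.keys[home_address] = kbm

    def process(self, bu: BindingUpdate, now: float) -> Tuple[bool, str]:
        kbm = self.keys.get(bu.home_address)
        if kbm is None:
            return False, "no binding management key for this home address"
        if not hmac.compare_digest(bu_authenticator(kbm, self.correspondent, bu), bu.authenticator):
            return False, "bad authenticator"
        last = self.last_sequence.get(bu.home_address)
        if last is not None and not sequence_is_newer(bu.sequence, last):
            return False, "sequence number not newer (replayed or stale BU)"
        self.last_sequence[bu.home_address] = bu.sequence
        if bu.lifetime == 0:
            self.entries.pop(bu.home_address, None)
            return True, "binding deleted"
        self.entries[bu.home_address] = CacheEntry(bu.care_of_address, now + bu.lifetime)
        return True, "binding installed"

    def lookup(self, home_address: str, now: float) -> Optional[str]:
        """Care-of address to route to, or None when there is no live binding
        (traffic then goes to the home address as usual)."""
        entry = self.entries.get(home_address)
        if entry is None:
            return None
        if now >= entry.expires_at:
            del self.entries[home_address]
            return None
        return entry.care_of_address


def make_bu(kbm: bytes, correspondent: str, home_address: str, care_of_address: str,
            sequence: int, lifetime: int) -> BindingUpdate:
    """Mobile side: build a BU and attach the authenticator computed under Kbm."""
    bu = BindingUpdate(home_address, care_of_address, sequence, lifetime, b"")
    bu.authenticator = bu_authenticator(kbm, correspondent, bu)
    return bu
```

The cache remembers the last accepted sequence number even after an entry is deleted or expires, so a replay of the BU for the mobile's previous location is refused; a BU whose home address has no Kbm at all is refused outright, which is the unauthenticated-BU case of section 2.3.1.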
2.3.3 Amplification or Reflection Attack
In this attack, attackers sometimes try to hide the source of a packet by reflecting the traffic from other nodes [2].

[Figure 6: Amplification or Reflection Attack. The attacker sends the Cn a single packet asking it to send many packets to the Mn.]
That is, instead of sending a flood of packets directly to the target, the attacker sends data to other nodes and tricks them into sending the same number, or more, packets to the target. Figure 6 shows the attack.
Reflection can hide the attacker's address even when ingress filtering prevents source address spoofing. Reflection is particularly dangerous if the packets can be reflected multiple times, if they can be sent into a looping path, or if the nodes can be tricked into sending many more packets than they receive from the attacker. Such features can be used to amplify the amount of attack traffic by a significant factor. When designing protocols, one should avoid creating services that can be used for reflection and amplification attacks.

2.3.4 Bidding Down Attack
This attack is different from the attacks above [7]: the above attacks can be applied when the BU is not authenticated or is authenticated using RR, while this one can be applied when strong authentication is required and Return Routability (RR) exists as the default mechanism for authentication. The attacker forces the two hosts, or bids them down, from using strong security to using weak security like RR. Figure 7 shows the attack.

[Figure 7: Bidding Down Attack. The attacker bids the Mn and the Cn down from strong security to weak security (RR as default).]

3. PROPOSED AUTHENTICATION METHODS
In order to prevent the above attacks, route optimization must be secured and the Binding Update signals must be authenticated. As mentioned in section 2, IPSec and RR are proposed for this purpose, but, as also mentioned, IPSec needs Internet Key Exchange (IKE) or a Public Key Infrastructure (PKI) to cover the entire Internet, which is clearly a formidable goal when even local infrastructures have failed to emerge at the expected rate. Therefore, it is necessary to look for alternative solutions that do not rely on such global infrastructures. On the other hand, RR does not need any infrastructure, but it is still a weak authentication method with which the attacker can easily break the communication, as explained in section 2.2. This is why other solutions have been proposed:

3.1 Cryptographically Generated Addresses
This technique provides an intermediate level of security below strong public-key authentication (IPSec) and above Return Routability (RR) [3]. The idea is to form the last 64 bits of the IP address (the interface identifier) by hashing the host's public signature key. Binding Updates can then be signed with this key. A secure one-way hash function makes it difficult for the attacker to come up with a key that matches a given address and to forge signed BUs. The attraction of this technique is that it provides public-key authentication independent of any trusted third parties, PKI, or other global infrastructure.
The main weakness of the scheme is that only 62-64 bits of the IP address can be used for the hash. Thus, an attacker may be able to mount a brute force attack and find a matching signature key by trial and error.
Another limitation of the cryptographically generated addresses (CGA) is that although they prevent the theft of another host's address, they do not stop the attacker from inventing new false addresses with an arbitrary routing prefix. The attacker can generate a public key and a matching IP address in any network and use it to mount bombing. While the public-key protocols (both PKI-based and CGA-based ones) provide reasonable protection against unauthentic BUs, they are computationally intensive and therefore expose the participants to denial-of-service attacks.
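An added Python sketch (written for this page, not taken from the paper or from the CAM proposal [3]) of the address-generation and verification side of this idea, showing both what it prevents and what it does not. It assumes the routing prefix is hashed together with the public key, uses SHA-1 as the one-way function, and lets a random 32-byte string stand in for the public signature key; the signature over the Binding Update itself is left out, and the u/l and i/g bits of the interface identifier are cleared, which is why only 62 bits remain for the hash.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Tuple, Union

Address = Union[str, ipaddress.IPv6Address]


def cga_interface_identifier(prefix: bytes, public_key: bytes) -> bytes:
    """64-bit interface identifier derived from the host's public key.

    Simplified from the scheme the section describes: SHA-1 over the 8-byte
    routing prefix and the key (hashing the prefix in is an assumption made
    here). The u/l (0x02) and i/g (0x01) bits of the first octet are cleared,
    so 62 of the 64 bits carry hash output; that is the search space behind
    the brute-force caveat."""
    digest = hashlib.sha1(prefix + public_key).digest()[:8]
    return bytes([digest[0] & 0xFC]) + digest[1:]


def cga_address(prefix: Address, public_key: bytes) -> ipaddress.IPv6Address:
    """The address a host holding this key gets under a given /64 prefix."""
    prefix_bytes = ipaddress.IPv6Address(prefix).packed[:8]
    return ipaddress.IPv6Address(prefix_bytes + cga_interface_identifier(prefix_bytes, public_key))


def verify_cga(address: Address, public_key: bytes) -> bool:
    """Correspondent's check that a claimed address belongs to the presented key:
    recompute the identifier from the address's own prefix and compare. In the
    full scheme the BU's signature under this key is verified next (omitted)."""
    packed = ipaddress.IPv6Address(address).packed
    expected = cga_interface_identifier(packed[:8], public_key)
    return hmac.compare_digest(packed[8:], expected)


def new_host(prefix: Address) -> Tuple[bytes, ipaddress.IPv6Address]:
    """Constructed host: a random 32-byte string stands in for a public signature key."""
    public_key = secrets.token_bytes(32)
    return public_key, cga_address(prefix, public_key)


if __name__ == "__main__":
    key, home = new_host("2001:db8:1::")           # documentation prefix, constructed
    print("home address :", home, "verifies:", verify_cga(home, key))
    other_key, _ = new_host("2001:db8:1::")
    print("other key    : verifies against it:", verify_cga(home, other_key))
    print("same key elsewhere:", cga_address("2001:db8:ffff::", key), "verifies:",
          verify_cga(cga_address("2001:db8:ffff::", key), key))
```

verify_cga rejects an address that the presented key did not generate, which is the address-theft case the scheme is meant to stop; cga_address under an arbitrary prefix succeeds with the same key, which is the second limitation the section notes: nothing stops a party from minting fresh, valid-looking addresses in any network.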
3.2 Assuming a Safe Route
Some proposed BU authentication protocols make the assumption that the communication between two specific hosts is safe from attackers, even though it is not cryptographically protected. For example, the Return Routability test can replace public-key authentication of the mobile if one is prepared to assume that the route from the correspondent to the mobile's Home Agent is secure.

3.3 Two Independent Routes
Some BU authentication schemes have been proposed [9] where the security essentially depends on sending two pieces of the authentication data between the correspondent and the mobile or its Home Agent through two independent routes and hoping that most attackers are unable to capture both of them. This may not help as much as has perhaps been hoped. In all these protocols, a single attacker on the route between the correspondent and the Home Agent can spoof BUs by pretending to be both the mobile and its Home Agent. If the attacker uses its own address as the false CoA, it can spoof packets from both the mobile and the Home Agent to the correspondent, and it can receive messages sent by the correspondent to both the HoA and the CoA.

3.4 Leap of Faith
Another idea that has been proposed is that if the mobile sends a session key insecurely to the correspondent at the beginning of a connection, the key can be used to authenticate subsequent BUs (so called leap-of-faith authentication). This is a flawed proposition. It fails even if we assume that the attacker is unlikely to capture the keys sent by authentic mobiles. First, the attacker can send its false key before the authentic mobile sends the authentic key. Second, there must be a recovery mechanism for situations where the mobile or the correspondent loses its state, and the attacker can exploit this mechanism.
The leap-of-faith authentication is suitable for situations where a human user, or some other factor outside the attacker's control, initiates the protocol at random times. The party making the leap must always be the one that initiates the protocol. In such situations, it may be reasonable to argue that an attacker is unlikely to be present at the time of the unauthenticated key exchange. In BU authentication, the protocol is usually initiated by the mobile, but the leap of faith should be made by the correspondent. Also, the attacker can trigger the BU protocol at any time by sending a spoofed packet from the correspondent to the mobile's HoA.

3.5 The Role of Ingress Filtering
Ingress filtering is another way of limiting the number of potential attackers and their targets, by preventing spoofed source IP addresses. This can help, but, first, ingress filtering must be applied on the attacker's local network; on the target network it makes no difference. Second, the Home Address Option and the Alternate Care-of Address sub-option can be used for similar source spoofing. While it is advisable to apply ingress filtering in as many networks as possible, one cannot rely on this to stop all attackers.

4. CURRENT RESEARCH
This paper conveys the analysis done as the first step in this research. The current research is exploring different issues for securing Mobile IPv6, including neighbor discovery security, enhancing Internet location security, and the security of the IPv6 routing header and home address options. The security of MIPv6 will not be based on an infrastructure solution. The work is in progress.

5. CONCLUSIONS
The Mobile IPv6 specification is still unfinished, and it needs some research work to get it working and to get it widely accepted. The basic functionality has been there for some time already, but the problems have been in the security of the protocol. Security has been identified as the most crucial part of the protocol, because without a proper security solution the protocol has no possibility of being accepted and usable at all. This paper analyzed almost all the attacks that exploit the route optimization mechanism and BU signals in the current Mobile IPv6 draft and highlighted the main points that orient the current research.

6. LIMITATIONS
Writing this paper has been a challenging task because the Mobile IPv6 specification is under development at the moment and a lot of changes and new propositions are introduced all the time. Finding the most important ones among them required a lot of reading of different research papers, Internet drafts and mailing list messages, which are made available by the IETF.

7. REFERENCES
[1] Aura, T. and Arkko, J. MIPv6 BU Attacks and Defenses, draft-aura-mipv6-bu-attacks-01.txt, IETF, February 2002.
[2] Greg, O. Mobile IPv6 for Windows XP (.NET Server) and Windows CE 4.0, MSRC joint with Lancaster University and Ericsson Research. Microsoft Research @ Lancaster, UK.
[3] Greg, O. and Michael, R. Childproof Authentication for MIPv6 (CAM). ACM Computer Communication Review, 31 (2), April 2001.
[4] Johnson, D., Perkins, C. and Arkko, J. Mobility Support in IPv6, draft-ietf-mobileip-ipv6-18, IETF, June 2002.
[5] Kent, S. and Atkinson, R. IP Encapsulating Security Payload (ESP), IETF, RFC 2406, November 1998.
[6] Kent, S. and Atkinson, R. IP Authentication Header (AH), IETF, RFC 2402, November 1998.
[7] Montenegro, G. and Nikander, P. Protecting against Bidding Down Attacks, draft-montenegro-mipv6sec-bit-method-00.txt, IETF, April 2002.
[8] Narten, T., Nordmark, E. and Simpson, W. Neighbor Discovery for IP Version 6 (IPv6), IETF, RFC 1970, August 1996.
[9] Nikander, P. and Perkins, C. Binding Authentication Key Establishment Protocol for Mobile IPv6, draft-perkins-bake-01.txt, IETF Mobile IP Working Group, July 2001.
[10] Perkins, C., ed. IP Mobility Support, IETF, RFC 2002, October 1996.
[11] Thomson, S. and Narten, T. IPv6 Stateless Address Autoconfiguration, IETF, RFC 1971, August 1996.