Mobile IP Security

1
Mobile IP Security

• Konidala M. Divyan
• International Research Center for Information
  Security
• Network Security (ICE 615)
• Term Project 2002 Autumn

2
Mobile Devices
3
Demand for Mobility
4
Mobile IP solves the following problems

• If node moves from one link to another without
  changing its IP address, it will be unable to
  receive packets at the new link
• If a node changes its IP address when it moves,
  it will have to terminate and restart any ongoing
  communications each time it moves
• Mobil IP solves these problems in secure, robust,
  and medium-independent manner whose scaling
  properties make it applicable throughout the
  entire Internet

5
Example
Network B
R
Home network A
R
Internet
Home Agent
Network C
R
Corresp. Node C
Router
R
6
Triangle Routing (Mobile IPv4)
Network B
R
Network A
R
Internet
Mobile Node
Network C
Home Agent
R

• Corresp. Node C initiates communication with
  Mobile Node and sends packets to MNs home
  address
• Home Agent intercepts packets and forward them to
  the Mobile Node (proxy functionality)
• Mobile Node replies directly to Corresp. Node C

Corresp. Node C
7
Mobile Node registers at its Home Agent
Network B
R
Network A
R
Internet
Mobile Node
Home Agent
Network C
R

• Mobile Node sends Binding Update
• Home Agent replies with Binding Acknowledgement

Corresp. Node C
8
Mobile IPv6 Roaming
Network B
R
Network D
Network A
R
R
Internet
Network C
Home Agent
R

• Mobile Node sends Binding Updates to Home Agent
  and all Corresp. Nodes, which already received a
  previous Binding Update from this Mobile Node

Corresp. Node C
9
Binding Updates

• Mobile IPv6 creates a new class of messages
  called binding updates that confirm the identity
  of a device as it moves to a new location
• Binding updates are a shortcut designed to speed
  wireless communications that use IPv6
• Once the binding update is authenticated,
  communications go straight to the new location
  without passing through the home address

10
Security Requirements for Binding Updates

• Authentication is a must.
• Minimize number of messages and bytes exchanged.
• Not too computationally intensive for mobile
  nodes.
• Resist denial-of-service attacks.
• No weaker than Mobile IPv4.

11
Reasons for choosing this topic (1/2)

• Mobile IP working group planned to use the
  existing protocol IP Security (IPSec) to secure
  binding update messages
• But the IETF's security experts recently
  announced that IPSec will not work for these
  messages for two reasons
• IPSec depends on a public-key infrastructure that
  has not yet been deployed.
• The key management component of IPSec requires
  heavy processing by end devices.

12
Reasons for choosing this topic (2/2)

• Using IPsec to Protect Mobile IPv6 Signaling
  between Mobile Nodes and Home Agents
• draft-ietf-mobileip-mipv6-ha-ipsec-00.txt
• 20 September 2002
• Mobility Support in IPv6
• draft-ietf-mobileip-ipv6-18.txt
• 1 June 2002
• A great deal of attention is being focused on
  making Mobile IP coexist with the security
  features coming into use within the Internet

13
Goal of this project

• Study Mobile IP
• Study security issues with respect to
• Mobile IPv4
• Mobile IPv6
• Study current drafts relating to Mobile IP
  Security
• Propose new ideas to improve the Mobile IP
  Security

14
Security issues

• The sender of the BU is easily authenticated
• Protection of Binding Updates both to home agents
  and correspondent nodes, and the protection of
  tunnels, home address information, and routing
  instructions in data packets
• Signaling between the mobile node and the home
  agent requires message integrity, correct
  ordering and replay protection

15
One of the open issue

• Authorization for the MR to manage mobility of
  the entire network
• But same problem with respect to MNs
• a MN needs to be authorized to send a BU for a
  home address
• a MR needs to be authorized to send a BU for a
  network prefix
• this is presently discussed at the IETF