Mobile IPv6 Binding Update: Return Routability Procedure

1
Mobile IPv6 Binding Update Return Routability
Procedure
Andre Encarnacao and Greg Bayer Stanford
University CS 259 Winter 2008
Andre Encarnacao, Greg Bayer
2
Outline

• Overview of Return Routability Procedure (RRP)
• Security Properties
• Attacks
• Murphi Invariants
• Rational Reconstruction in Murphi
• Five incremental versions
• Notable attacks within each version
• Attacks Found against the final version of RRP
• Description of attacks
• Consequences of attacks
• Possible solutions to attacks
• Security Tradeoffs

Andre Encarnacao, Greg Bayer
3
Mobile IPv6 Binding Update
Indirect/Triangular Routing
Direct Routing (Route Optimization)

• Mobile IPv4 didnt specify the direct routing
  optimization
• Direct routing requires a binding update over a
  non-secure channel
• Need a method to protect the authenticity and
  integrity of the binding update sent from Mobile
  node to Correspondent node
• Return Routability procedure/protocol

Andre Encarnacao, Greg Bayer
4
Return Routability Procedure
CN ? Mobile via Home 1a Home Test Init 2a Home
Test (token1) CN ? Mobile 1b Care-of Test
Init 2b Care-of Test (token2) Kbm
SHA(token1token2) 3 Binding Update (MACKbm) 4
Binding ACK (MACKbm)
Correspondent Node (CN)
Home
Mobile
Source Ahmed, et al, 2007

• Authentication without Public Key infrastructure
  or pre-shared keys
• Two tokens, two paths must have both to complete
  update
• Difficult for attacker to intercept both tokens
  generate valid MAC
• MAC also protects integrity of plaintext message
• Goal Should be as secure as regular IPv4
  (without mobility)
• Unusual / limited intruder model

Andre Encarnacao, Greg Bayer
5
RRP Security Properties

• Return Routability Procedure (RRP) - Overview
• Ensure authenticity and integrity of Binding
  Update
• Authentication without PKI or pre-shared keys
• Two tokens, two paths must have both to complete
  update
• Difficult for attacker to intercept both tokens
  gen valid MAC
• Goal Should be as secure as regular IPv4
• Unusual / limited intruder model
• What if we dont authenticate binding update? (no
  RRP)
• Could be worse than IPv4
• Attacks
• Redirection/hijack
• Bombing
• Amplification and Reflection
• Security properties of RRP are based on
  preventing these attacks and ensuring the
  authenticity and integrity of BU

Andre Encarnacao, Greg Bayer
6
Redirection/hijack attack

• Attacker C redirects traffic B was sending to A
• Ex. care-of address Attacker (B), home address
  Target (A)
• Attacker and Target could be anywhere

Source Aura 2002
Andre Encarnacao, Greg Bayer
7
Bombing Attack

• Bomb an innocent node with unwanted traffic (DoS
  / DDoS)
• Attacker requests traffic from B and then
  redirects it to A
• Home address is valid. CoA not validated could
  be anywhere

Source Aura 2002
Andre Encarnacao, Greg Bayer
8
Additional Attacks

• Amplification
• Amplify packet flood attack to Mobile Node by
  factor of two
• Reflection
• Packet source now correspondent and not attacker
• State Exhaustion
• DoS attack against the Correspondent
• Replay Attack
• Replay of Binding Update

Source Aura 2002
Andre Encarnacao, Greg Bayer
9
Our Approach

• We are using Murphi as our analysis tool
• Scenarios Considered
• 1. All nodes are honest - there is an outside
  attacker
• 2. Mobile node is dishonest - MN is the attacker
• Scenarios Excluded to limit scope
• 3. Home agent is dishonest
• 4. Correspondent node is dishonest
• Attacker model
• Remember Full control of network does not apply
  due to assumptions of protocol - ideally,
  successful attacker must intercept on two paths
• Can attacker succeed without intercepting
  anything?
• Can attacker succeed by intercepting on one path?
• Correspondent Node lt--gt Mobile Node
• Correspondent Node lt--gt Home Agent
• Home Agent lt--gt Mobile Node (assumed to be
  secure)

Andre Encarnacao, Greg Bayer
10
Security Property 1
Once a binding update has completed, the home
address and care-of address in the final binding
known to the correspondent node must refer to the
same node.

• Ensures the legitimacy of the final binding
• This check is only performed when the
  correspondent node is in a COMMIT state, meaning
  that it has accepted the binding (verified the
  HMAC).

• invariant Legitimacy of the final binding known
  to the CN
• forall i CorrespondentId do
• cni.state C_COMMIT
• -gt
• cni.home cni.coa -- hoa and coa both
  refer to same node
• end

Andre Encarnacao, Greg Bayer
11
Security Property 2
An intruder may never obtain access to both the
care-of and home keygen tokens unless the
intruder is acting as an honest mobile node.

• If the intruder does so, then the intruder has
  enough information to figure out the key of the
  HMAC used in the binding update message.
• Key of HMAC Kbm SHA1 (home token care-of
  token)

invariant "Intruder does not have access to both
keygen tokens, and hence the key of HMAC"
forall i CorrespondentId do !(
ismember(cni.coa,IntruderId)
ismember(cni.home,IntruderId) ) -gt forall
j IntruderId do intj.tokens0i false
intj.tokens1i false end end
Andre Encarnacao, Greg Bayer
12
Additional Security Properties

• Authenticity of MN from CNs point of view
• Whenever a CN i completes a session (apparently
  with some MN j), then it must be that j has
  completed a session with i
• 2 invariants home address and care-of address of
  MN
• Authenticity of CN from MNs point of view
• Whenever a MN i completes a session (apparently
  with some CN j), then it must be that j has
  completed a session with i
• Authenticity of home agent (HA) - not checked
• We assume the HA is honest relative to the MN
• HA and MN are abstracted as one entity
• Other security properties based on possible
  attacks
• Amplification and reflection attacks
• State exhaustion attack
• Replay attack

Andre Encarnacao, Greg Bayer
13
Rational Reconstruction - Version 1

• Three messages
• Care-of init (with home address)
• Home test
• Binding update
• Only one keygen token is conveyed to the mobile
  node (the home token)

• Attack bombing attack without access to any path
• Found in Murphi violates legitimacy of binding
  update, and authenticity of mobile nodes care-of
  address invariants
• Idea need to verify that the mobile node is
  reachable at the specified care-of address

Andre Encarnacao, Greg Bayer
14
Rational Reconstruction - Version 2

• Addition care-of test message containing the
  care-of keygen token
• Now we have 2 tokens
• Added to prevent the notable attack in version 1

• Attacks bombing or redirection with access to
  one path
• Refer to next 2 slides
• Attacks will still be possible even in the final
  version!
• Attack reflection and amplification against the
  mobile node
• Idea use an additional message to prevent
  reflection/amplification

Andre Encarnacao, Greg Bayer
15
Bombing Attack Found

• Care-of init uses address of target node and
  conveys home address of intruder
• Home test contains home token
• Care-of test contains care-of token

• Violates 3 invariants legitimacy of binding
  update, secrecy and authenticity of mobile nodes
  care-of address.
• Assumption intruder can sniff packets in the
  route between the Correspondent and Target nodes.
• Key of HMAC Kbm SHA1 (home token care-of
  token)

Andre Encarnacao, Greg Bayer
16
Redirection Attack Found

• Care-of init uses address of intruder and conveys
  home address of target node
• Home test contains home token
• Care-of test contains care-of token

• Violates 3 invariants legitimacy of binding
  update, secrecy and authenticity of mobile nodes
  home address.
• Assumption intruder can sniff packets in the
  route between the Correspondent node and Home
  agent.
• Key of HMAC Kbm SHA1 (home token care-of
  token)

Andre Encarnacao, Greg Bayer
17
Rational Reconstruction - Version 3

• Addition home init message
• Now the MN sends 2 messages to the CN
• Added to prevent the amplification and reflection
  attacks in version 2

• Attacks bombing or redirection with access to
  one path
• Same attack as in version 2!
• Attack state exhaustion of correspondent node
• State relation between keygen token and address
  
• Idea correspondent needs to be able generate
  (and not save) state

Andre Encarnacao, Greg Bayer
18
Rational Reconstruction - Version 4

• Addition Keygen tokens are a function of the
  corresponding address and an additional nonce
  used by the CN
• CN no longer has to save any token-related state
  and can use the nonce and address to re-generate
  token
• Added to prevent the state exhaustion attack in
  version 3
• Attacks bombing or redirection with access to
  one path
• Same attack as in version 2!
• Attack replay of final binding update message
• Attack binding update prevention
• Done by spoofing care-of test and/or home test
  reply messages (without access to any path)
• Found in Murphi violates authenticity of
  correspondent node invariant
• Idea need to uniquely identify messages to
  prevent spoofing

Andre Encarnacao, Greg Bayer
19
Rational Reconstruction - Final Version

• Addition 1 Sequence numbers in final binding
  update message
• Added to prevent binding update replay attack
• Addition 2 Mobile node uses cookies
  (essentially nonces) to uniquely relate its own
  init messages to received test messages
• Added to prevent the binding update prevention
  DOS attack in version 4
• The attacks that still exist
• Bombing or redirection with access to one path
• Same attack from version 2
• Other binding update prevention attacks still
  possible
• Need access to one or more paths
• Intercept init message (with cookie) and
  generated valid test reply
• Modify nonce in test messages
• Prevent final binding update message from going
  through

Andre Encarnacao, Greg Bayer
20
Assessment of Attacks 1

• Bombing attack
• Assumes CN-Target access, which is not noted by
  protocol (RFC)
• Easier to perform (choice of CN)

• Damage
• Packet flood
• DoS
• DDos
• Duration
• 5 minutes

Greg Bayer, Andre Encarnacao
21
Assessment of Attacks 2

• Redirection / hijack attack
• Assumes CN-HA access, which the protocol notes is
  not safe
• Harder to perform
• Must know of existing MN-CN connection
• No choice of CN

• Other Attacks
• Preventing binding update
• Fallback to indirect routing (via HA)

Greg Bayer, Andre Encarnacao
22
Possible Solution 1

• Solution to Bombing Attack
• Verification message (with a nonce) to detect DoS
  attacks
• Network congestion blocks message
• Intruder cannot intercept

Greg Bayer, Andre Encarnacao
23
Possible Solution 2

• Use CGAs signatures to make spoofing harder
• CGA contains hash of public key
• Message includes public key (verified by
  comparing with CGA)
• Message signed with private key
• Benefits of public-key signatures without
  infrastructure
• Makes redirection/hijack attack more difficult
• IPv6 Cryptographically Generated Address (CGA)

Hash(public key)
Subnet Prefix
Interface Id
Source Tuomas Aura, 2003
Greg Bayer, Andre Encarnacao
24
Security vs. Efficiency

• Additional fields and/or messages increase
  complexity
• Earlier solution idea Prof. Mitchell Arnab
  Roy 2005
• Fix bombing attack by having HA verify CoA
• Response from primary RRP designer
• HA is a router - Extra processing
• Would always have to check for mobility header
• Is reduced efficiency acceptable?
• Our proposed solutions
• First idea Additional messages after existing
  RRP
• Second idea Additional fields and processing
• Public Key Infrastructure
• Limits applicability to where PKI exists

Greg Bayer, Andre Encarnacao
25
Conclusions

• Rational reconstruction
• Helped us to understand protocol
• Found two major attacks other minor attacks
• Major Attacks in final protocol
• Bombing
• Redirection / hijack
• Fix ideas
• Binding update verification message to minimize
  DoS damage
• CGA to help prevent message spoofing
• Security tradeoffs
• Efficiency concerns / implementation costs
• Relying on infrastructure too restrictive

Greg Bayer, Andre Encarnacao