Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The University of Tokyo / Laboratoire d’Informatique de Paris 6
Summary • IPv6 • Mobile IPv6 • Security and Mobile IPv6 • 1. Protections by default • 2. IPsec
IPv6
Differences With IPv4 Functional changes: • End-to-End communications • ARP replacement uses ICMPv6 Structural changes: • Fixed length header • Fragmentation at the source; no checksum • Extensions/options through header chaining
The IPv6 Header
Extensions
Routing Header
IPv6 Addresses • Hierarchical/geographical • 64 bits prefix • Interface ID dynamically generated
Auto-configuration • Mechanism based on ICMPv6 • Steps: • Retrieval of the IPv6 prefix advertised by the access router (RS/RA: Router Solicitation/Advertisement) • Generation of a unique interface ID • Generation of the global address: concatenation of the prefix and the unique interface ID
Mobile IPv6 RFC 3775
Why? • Use the same IPv6 address wherever you are located • Make changes of medium transparent to the transport layer • Keep connections alive while moving ➡ use a laptop/PDA the same way you use your cell phone today
Challenges • Routing is geographical, and the IP address has a double functionality: ✓ Identifier: identifies the machine ✓ Locator: geographical position in the network • Architectural constraints: • Compatible with current end nodes • Not modifying the current routing system ➡ MIPv6 is only implemented in end points
How? • The protocol is integrated into the IPv6 stack • Separate the identifier and locator functions using two IPv6 addresses: • HoA (Home Address) • CoA (Care-of Address) • Three new entities: • Mobile Node, reachable at its HoA no matter its CoA • Home Agent, binds the HoA to the current CoA • Correspondent Node
Behavior? HoA: permanent address of the MN (identifier); CoA: address of the MN in the visited network (locator)
In Details
New Extensions • Allow packets to pass ingress filtering: the IPv6 header always contains the CoA, never the HoA • Maintain topological correctness • Type 2 Routing Header: limited version of the previously introduced Type 0 Routing Header (carries only a single address); provides the real destination address (HoA) of packets sent to the MN • Home Address Option: provides the real source address (HoA) of packets sent from the MN
Type-2 Routing Header
Home Address Option
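As an added example (not from the slides), a small Python encoder/decoder for the two MIPv6 extensions above: it builds a Destination Options header carrying a Home Address Option and a Type 2 Routing Header, then performs the locator-to-identifier swap a receiver does before IPsec and the transport layer, honouring a HAO only when a binding for that HoA already points at the wire source and accepting an RH2 only for one of the node's own home addresses. Addresses and the binding cache are constructed for the demonstration.

```python
from ipaddress import IPv6Address as IP6

HAO_OPT_TYPE, PAD1_OPT, PADN_OPT = 0xC9, 0x00, 0x01   # RFC 3775 Home Address Option; RFC 2460 padding

def build_hao_dstopts(hoa, next_hdr=59):   # Destination Options header (24 bytes): PadN(2) + HAO
    return bytes([next_hdr, 2, PADN_OPT, 2, 0, 0, HAO_OPT_TYPE, 16]) + IP6(hoa).packed

def build_rh2(hoa, next_hdr=59):           # Type 2 Routing Header (24 bytes): one address, Segments Left 1
    return bytes([next_hdr, 2, 2, 1, 0, 0, 0, 0]) + IP6(hoa).packed

def parse_hao(dstopts):
    """Walk a Destination Options header; return the HoA of a HAO, or None if there is none."""
    hdr_len = 8 * (dstopts[1] + 1)          # Hdr Ext Len in 8-octet units, excluding the first 8
    if len(dstopts) < hdr_len:
        raise ValueError("truncated Destination Options header")
    off, hoa = 2, None
    while off < hdr_len:
        if dstopts[off] == PAD1_OPT:        # Pad1 has no length byte
            off += 1
            continue
        opt_type, opt_len = dstopts[off], dstopts[off + 1]
        if opt_type == HAO_OPT_TYPE:
            if opt_len != 16:
                raise ValueError("HAO with bad length")
            hoa = IP6(dstopts[off + 2:off + 18])
        off += 2 + opt_len
    return hoa

def parse_rh2(rh):   # returns the HoA of a Type 2 RH; anything else (e.g. a Type 0 RH) is rejected
    ext_len, rtype, seg_left = rh[1], rh[2], rh[3]
    if (ext_len, rtype, seg_left) != (2, 2, 1):
        raise ValueError("not a well-formed Type 2 Routing Header")
    return IP6(rh[8:24])

def effective_addresses(src, dst, dstopts=None, rh2=None, binding_cache=None, my_addrs=()):
    """Swap CoA for HoA as a MIPv6 receiver does before IPsec/upper layers (binding_cache: HoA -> CoA, CN side; my_addrs: own HoAs, MN side)."""
    src, dst = IP6(src), IP6(dst)
    cache = {IP6(k): IP6(v) for k, v in (binding_cache or {}).items()}
    hoa = parse_hao(dstopts) if dstopts is not None else None
    if hoa is not None:
        if cache.get(hoa) != src:   # HAO honoured only for a known binding whose CoA is the wire source
            raise ValueError("HAO for an unknown or mismatched binding")
        src = hoa
    if rh2 is not None:
        hoa = parse_rh2(rh2)
        if hoa not in {IP6(a) for a in my_addrs}:   # RH2 may only deliver to one of our own HoAs
            raise ValueError("RH2 home address is not one of ours")
        dst = hoa
    return str(src), str(dst)
```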
Triangular routing • Provide an optimal routing
Challenging Issues • Optimize MN/CN communications in a secure way • Ensure the relation between identifier and locator using the routing plane ✓ verify that the MN is reachable at both its HoA and its CoA ➡ generate a key to sign the Binding Update sent to the CN
Return Routability Procedure HoT: Home Test; CoT: Care-of Test
RRP in a nutshell • Goal: avoid triangular routing • Hypothesis: no trust relationship between MN/CN • Lack: provides no data integrity/confidentiality ➡ Efficiency/Security tradeoff
Security & Mobile IPv6
Possible Targets • Protecting network infrastructure ➡ stateless behavior, careful design • Protecting communications between MN/HA (signaling and data) ➡ IPsec • Protecting direct communications between MN/CN (signaling and data) ➡ Return Routability Procedure (Figure labels: 1. signaling MN <-> HA and tunnel MN <-> HA; 2. signaling MN <-> CN and data traffic MN <-> CN)
Protecting the infrastructure
Challenges and solutions • Advice: “Do no harm to the existing Internet” • Prevent spoofing: • proof of HoA ownership • specific extensions: HAO and Type 2 Routing Header • Prevent DoS: • against the infrastructure: “One message received, one sent” • against the CN: stateless exchanges
MN/CN Communications
Return Routability Procedure • HoTI/HoT, CoTI/CoT and BU/BACK exchanges • CN: verifies that the MN is able to receive/emit traffic with both its HoA and its CoA • MN: generates a key to sign the BU emitted towards the CN • Possible problems (MitM, eavesdropping): • attacker on the home network • attacker on the foreign network • attacker on both networks
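As an added example (not code from the slides or the authors), a Python model of the RRP key material described in the two slides above and in "Challenging Issues": the CN keeps only a secret Kcn and a nonce table, derives the home and care-of keygen tokens statelessly, and the MN combines both tokens into Kbm to sign the BU. Addresses, message data and the token/Kbm/authenticator sizes follow RFC 3775 (64-bit tokens, SHA1 Kbm, 96-bit authenticator); addresses are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from ipaddress import IPv6Address

def kbm_from_tokens(home_token, careof_token):
    """Kbm = SHA1(home keygen token | care-of keygen token): needs tokens from both paths."""
    return hashlib.sha1(home_token + careof_token).digest()

def bu_authenticator(kbm, coa, cn_addr, mh_data):
    """Binding Authorization Data = First(96, HMAC_SHA1(Kbm, CoA | CN address | MH data))."""
    msg = IPv6Address(coa).packed + IPv6Address(cn_addr).packed + mh_data
    return hmac.new(kbm, msg, hashlib.sha1).digest()[:12]

class CorrespondentNode:
    """CN side of the RRP: only Kcn and a nonce table are kept, no per-MN state before the BU."""
    def __init__(self, addr):
        self.addr = addr
        self.kcn = os.urandom(20)                  # 160-bit secret, never leaves the CN
        self.nonces = {0: os.urandom(8)}           # nonce index -> 64-bit nonce
        self.current = 0

    def _token(self, addr, index, tag):
        # keygen token = First(64, HMAC_SHA1(Kcn, address | nonce | tag)); tag 0 = home, 1 = care-of
        msg = IPv6Address(addr).packed + self.nonces[index] + bytes([tag])
        return hmac.new(self.kcn, msg, hashlib.sha1).digest()[:8]

    def home_test(self, cookie, hoa):      # HoT, routed through the HA to the HoA
        return cookie, self._token(hoa, self.current, 0), self.current

    def careof_test(self, cookie, coa):    # CoT, sent directly to the CoA
        return cookie, self._token(coa, self.current, 1), self.current

    def verify_bu(self, hoa, coa, home_idx, careof_idx, mh_data, authenticator):
        """Recompute both tokens from the nonce indices carried in the BU and check the authenticator."""
        kbm = kbm_from_tokens(self._token(hoa, home_idx, 0), self._token(coa, careof_idx, 1))
        return hmac.compare_digest(bu_authenticator(kbm, coa, self.addr, mh_data), authenticator)

def run_rrp(cn, hoa, coa, mh_data=b"BU"):
    """MN side: HoTI/CoTI out, HoT/CoT back, then a BU signed with Kbm; returns the CN's verdict."""
    home_cookie, careof_cookie = os.urandom(8), os.urandom(8)
    c1, home_token, home_idx = cn.home_test(home_cookie, hoa)
    c2, careof_token, careof_idx = cn.careof_test(careof_cookie, coa)
    if (c1, c2) != (home_cookie, careof_cookie):    # cookies tie each reply to our own request
        return False
    kbm = kbm_from_tokens(home_token, careof_token)
    auth = bu_authenticator(kbm, coa, cn.addr, mh_data)
    return cn.verify_bu(hoa, coa, home_idx, careof_idx, mh_data, auth)
```

An attacker who sees only the HoT (home network) or only the CoT (foreign network) lacks one token and cannot compute Kbm; this is why the slides single out an attacker present on both networks.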
MN/HA Communications
IPsec • Rationale for IPsec: • Mandatory in IPv6 stacks • End-to-End communications • What must be protected: • Signaling messages (i.e. BU and BACK) • Data traffic (i.e. MN/HA tunnel) • Return Routability Procedure (i.e. HoTI/HoT) ➡ Problems related to MIPv6/IPsec/IKE interactions
Signaling traffic
Basics (figure: BU protected by SA1, BACK protected by SA2) • SA1: BU from HoA to HA@ => ESP in transport mode • SA2: BACK from HA@ to HoA => ESP in transport mode
IPsec/MIPv6 Coordination • Binding Update: • Emission: IPsec protection, then switch of CoA and HoA thanks to the HAO option • Reception: address switch before IPsec processing • Binding Acknowledgment: same kind of processing, applied to the Type 2 Routing Header
Bootstrapping • The SA must be set up before sending BU/BACK • With static keying: no problem • With dynamic keying, someone must direct the IKE daemon to use the CoA to negotiate the SA associated with the HoA, since the HoA is not yet usable • PF_KEY SADB_X_EXT_PACKET extension: • includes the BU packet that triggered the negotiation • provides the CoA to the IKE daemon
Data traffic
Tunnel Mode SA Migration • Initially, the SP/SA in tunnel mode use the MN's HoA (the CoA is not known at setup time) • An automatic update of the SA tunnel endpoints is performed on MN/HA • The MIPv6 stack emits a PF_KEY MIGRATE message when the MN sends the BU and when the HA receives it • Message reception triggers: • SP/SA update by the kernel • [ IKE daemon internal structures update ]
Figure (on both MN and HA): IKE daemon and Mobile IPv6 stack in userland, SPD and SAD in the kernel, connected through a PF_KEY socket. Steps: 1. PF_KEY MIGRATE; 2. SPD update; 3. SAD update; 4. SPD & SAD update.
Conclusion
Conclusion • Separation between identifier and locator is compatible with today's Internet • End of “perimeter security”? • Built-in security mechanisms: IPsec and RRP
Possible deployments (figure): Classic • RRP • Future ?!
Future work • Extending IPsec protection to MN/MN traffic • New prerequisite: trust relationship between MN/MN (e.g. PKI environment) • IKEv2 integration
Demonstration
Demo figure 1: CN in 2001:db8:0:1::/64, MN in 2001:db8:0:ccc::/64, Soekris boxes (steps 1 to 5); stream to the HoA.
Demo figure 2: CN in 2001:db8:0:1::/64, MN in 2001:db8:0:ccc0::/64, Soekris boxes (steps 1 to 5); stream to the HoA, protected by IPsec.
Demo figure 3: CN in 2001:db8:0:1::/64, MN now in 2001:db8:0:ccc1::/64, Soekris boxes (steps 1 to 5); stream to the HoA, protected by IPsec.
Questions? Coffee?
NEMO Mobile Router A whole network moves.