Mobile IP Security
Team : “WARRIORS”
Anand Modh
Chaitanya Chelamkuri
Kinshuk Bansal
Kshitij Shah
Pramod Ramesh
CMPE 209 SPRING 2008
AGENDA
Mobile IP & Concepts.
Mobil IP Packet Flow.
Threats.
Security.
Mobile IP & Concepts
Mobile IP is a protocol, developed by the Mobile IP Internet Engineering Task Force (IETF) working group.
Mobile IP inform the network about the change in network attachment such that the Internet data packets will be delivered in a seamless way to the new point of attachment.
The basic Mobile IP protocol permits mobile internetworking to be done on the network layer.
Care-of Address is an address of a Foreign Agent with which the Mobile Node is registered.
Need of Mobile IP
Terminology– A home link is the link on which a specific node
should be located; that is the link, which has been assigned the same network-prefix as the node’s IP address
– A foreign link is any link other than a node’s home link – that is, any link whose network-prefix differs from that of the node’s IP address
Introduction
There are 3 functional entities where it is implemented:– Mobile Node – a node which can change its point-of-attachment
to the Internet from one link to another while maintaining any ongoing communications and using its (permanent) IP home address
– Home Agent – router with an interface on the mobile node’s home link, which:
• Is informed by the mobile node about its current location, represented by its care-of-address
• In some cases, advertises reachability to the network-prefix of the mobile node’s home address, thereby attracting IP packets that are destined to the mobile node’s home address
• Intercepts packets destined to the mobile nodes home address and tunnels them to the mobile node’s current location, i.e. to the care-of-address
Introduction
Foreign Agent – a router on a mobile node’s foreign link which:– Assists the mobile node in informing its home agent of
its current care-of address– In some cases, provides a care-of address and de-
tunnels packets for the mobile node that have been tunneled by its home agent
– Serves as default router for packets generated by the mobile node while connected to this foreign link
HA
HA
FA
FA
FA
MN
INTERNET
FAForeign Agent
HAHome Agent
MNMobile Node
HA
HA
FA
FA
FA
MN
FA relays request to HA
HA accepts or denies
MN requests service
FA relay status to MN
MN requests service
MNMNMN
HA
HA
FA
FA
FA
MN
Now if packets come addressed for MN will move through the tunnel shown.
HA encapsulates and send it to MN
“TUNNELING”
CN
HA encapsulates and send it to MN
“TUNNELING”
Mobile IP Packet Flow
HAFA
MNHACNA4 or 55FAAHAA
Src Dest Prot Src Dest
Tunneled Packet
2
…MNHACNA
Src Dest
Src Dest
…CNAMNHA
3
4
CN
MNOriginal IP Packet:
…MNHACNA
Src Dest
1
HAAHA address
MNHA MN Home Address
CNA CN Address
FAA FA Address
What is Tunneling
A tunnel is a path followed by a fist packet while it is encapsulated within the payload portion of a second packet:
Figure from J. D. Solomon. Mobile IP - The Internet Unplugged. Prentice-Hall, 1997
Threat 1 INSIDER ATTACKS
This threat is due to the individuals who are suppose to be trustworthy.
This attack is due to the disgruntled employee gaining access to the sensitive data and then forwarding it to a competitor.
A survey suggests that twice as many attacks are due to insiders on corporate world.
Security form Threat 1
By enforcing strict controls on who can access what data.
Use of strong authentication of users and computers, eliminate plaintext username/password based etc .
Encrypting all data transfer on an end to end basis between the source and the destination using various encryption algorithms.
HAFA
ATTACKER
MN
Original Care of address
Sayx.x.x.x
Attacker’s address
Sayy.y.y.y
Registration request:
“The mobile node’s new care of address” is y.y.y.y
Threat 2 Denial-of-service
This threat prevents someone from getting useful work done by:– An attacker sends the tremendous number of packets to a host that
brings the host’s CPU to its knees attempting to process all the packets.
– An attacker interfaces with the packets that are flowing between two nodes.
– In the case of mobile node, if an attacker send a request message to HA as his IP address as the care of address for a mobile node then:
• Attacker will get a copy of packets.
• Mobile will not get any packets.
Security from Threat 2
The security to this threat is implemented by cryptographically strong authentication in all registration messages exchanged between mobile node and its home agent.
Mobile IP allows the use of any authentication algorithm, bit all should support default “Keyed MD5”(Message-Digest) algorithm.
Fun(MD5)
Message Digest
Message Digest
Fun(MD5)
EQUAL ?
HAMN
Registration Request
Threat 3 Passive Eavesdropping
This threat occurs when an attacks on someone else’s packets in order to learn the confidential information.
Wireless networks are more vulnerable because in this the attacker need not physically be connected to the network.
Security from Threat 3
Link- Layer Encryption.
End-to-End Encryption.
Link- Layer Encryption.
In this the mobile node and the foreign agent encrypt all packets they exchange over the link.
This technique is important when wireless LAN is in use.
MN
CN
HA FA Link Encryption
Areas of vulnerability
Plaintext
End-toEnd Encryption.
In this encryption and decryption is done at the ultimate source and destination.
Data is protected irrespective of the medium used.
CN
HA FA
MN
End-to-End Encryption
Threat 4 Session-Stealing
In this an attacker waits for the legitimate node to authenticate itself and then takes over the session without realizing the mobile node about this.
The attacker steals the session by sourcing packets that appear to come from the mobile node and intercepting packets destined for mobile node.
Link- Layer Encryption.
End-to-End Encryption.
Security from Threat 3
Threat 5 Other Active Threats
In this the attacker tries to connect to the network jack, find out the IP address and break into the other hosts on the network.
1. Attacker figures out the network prefixes assigned to the link- by listening the mob IP agent advertisements,by listening the packets and examine the source and destination IP address.
2. Then guessing the host number, which along with the network prefix, give him the IP address to use.
3. Then tries to break into the hosts on the network.
HOW?
Security from Threat 5
All network jacks must connect to a foreign agent that has been configured to enforce the policy with the R bit in its agent authentication.
There must not be nay nodes whose sessions can be captured.– Remove non mobile nodes.
– All nodes should use link encryption.
?
?
?
?
?