Page 1: Secure and efficient binding updates in host-based distributed …hit.skku.edu/~hkchoi/pubs/2017hostdmm.pdf · 2019-04-18 · Secure and efficient binding updates in host-based distributed

Secure and efficient binding updates in host-based distributed mobility management

Seyeong Lee¹ • Hyoung-Kee Choi¹ • Ejin Kim¹ • Jong-Hyouk Lee²

Published online: 4 December 2017. © Springer Science+Business Media, LLC 2017

Abstract

Rapid evolution in mobile communication is geared toward reliable and responsive network connectivity, thereby necessitating a network protocol operated in a distributed fashion. Distributed mobility management (DMM) achieves low latency and high reliability by shifting the main signaling functions from the core center to the edge of the network. However, there is still room for improvement, especially in the delay response of security operations. This paper proposes the design of an efficient security protocol for binding updates in a DMM environment. The proposed security protocol is designed especially for host-based DMM in which a mobile node plays an active role in mobility and authentication signaling instead of delegating it to the network. The security and performance of the new design are evaluated via theoretical analysis and empirical evaluation in both a laboratory and a live network setting. Based on these evaluations, we contend that in terms of security and performance the proposed security protocol is practical for host-based DMM.

Keywords: Distributed mobility management (DMM) · Centralized mobility management (CMM) · Binding update (BU) · Quadratic residue (QR)

1 Introduction

Ongoing radical revolution in the 5G standard has demonstrated that technology requirements are not merely doubling at the speed of an air interface. Instead, the demand is for a ubiquitous, reliable, and responsive mobile broadband network that will carry network traffic with always-on availability and little-to-no latency. This shift in the service paradigm and momentum of the technology revolution will bring us unprecedented network connectivity through the Tactile Internet.

The Tactile Internet [1, 2] brings ultrareliable and ultraresponsive network connectivity that enables it to deliver real-time steering and physical tactile experiences remotely. A low round-trip latency in conjunction with carrier-grade robustness and availability will make the Tactile Internet capable of servicing the aspects of our social life. The very low latency on the order of 1 ms or less is unattainable if the processing logic is located in the center of a network. This is because data traffic must travel for processing from the edge to the center and return. Mobile edge computing (MEC) overcomes this lag by transforming mobile base stations into intelligent service hubs. This transformation exploits the close proximity of mobile nodes (MN) and forms decentralized entities at the edge of the Internet. A key challenge of 5G wireless access and core networks is to cope with a distributed architectural design to offload centralized services and a protocol optimization for efficient and prompt delivery of data traffic.

Another characteristic represented by 5G wireless mobile networks is the mobility of nodes. When a mobile node moves from one network to another its IP address changes to reflect the new network address. The change must be transparent to the other end node for session continuity. Providing an illusion of location-independent routing of an IP datagram involves additional signaling traffic and network delays. Sometimes frequent hopping between networks by a number of mobile nodes may significantly affect the performance of a 5G network.

Authors: Hyoung-Kee Choi, Seyeong Lee, Ejin Kim, Jong-Hyouk Lee

1 Department of Computer Science and Engineering, Sungkyunkwan University, Suwon, South Korea

2 Department of Software, Sangmyung University, Cheonan, South Korea

Wireless Networks (2019) 25:1443–1459, https://doi.org/10.1007/s11276-017-1603-1

Numerous schemes for mobility management have been proposed, and the Internet Engineering Task Force (IETF) has elected extensions or modifications of the well-known, yet classic, IP mobility version 6 (MIPv6) [3], Proxy Mobile IPv6 (PMIPv6) [4], and Dual Stack Mobile IPv6 (DSMIPv6) [5] as standard mobility management for the core network in the 5G.

These classic approaches to mobility management are all based on a centralized scheme in which mobility anchors in the center of a core network distribute data traffic to and from the mobile node. A downside of such a centralized scheme is the time required for all data traffic generated from the edge to make the round trip to and from the center of the core network. The result inevitably may be to overload the core network as mobile traffic increases rapidly and significantly. Another problem in deploying centralized mobility management (CMM) is the lack of scalability for a single mobility anchor. Distributed mobility management (DMM) is proposed as a way to overcome such weaknesses by placing the anchor close to the edge of the network [6, 7]. The responsibilities of the single anchor are distributed over the access routers where the mobile node is currently under control. The change in role from center to edge and the routing path optimization for delay enhancement are aligned with a contemporary design requirement for a mobile network as seen in the Tactile Internet.

Despite incremental progress in the DMM to shorten the network delay, work on improving security operations and correctness for the DMM is lagging because the main body of security implementation has been shifted to the network side and the first hop security is no longer specific to the DMM. In other words, the current DMM simply inherits the security operations that have been developed for CMM, without any consideration of the DMM architecture.

Our goal in this paper is to take significant steps toward a mobile network security mechanism that reduces the volume of signaling traffic and at the same time strengthens security against nefarious attacks. We examined possible optimization of security by having the MN carry a token to verify session ownership. The MN shares the secret token with a mobility anchor (MA) at the instant a session starts. Later, the MN may change the MA as it moves and attaches to another MA. Data traffic remains deliverable to and from the other end node by a tunnel established between the new anchor and the first anchor. We assigned the first anchor the role of verifying the ownership of the session at the time the tunnel is established. The MN and the first anchor mutually verify session ownership by checking the secret token.

The proposed protocol includes a few distinct ideas advanced in other studies. We could have designed security of the mobility management without any involvement of the MN. This idea has numerous potential advantages such as mobility localization and easy extension to other technologies. However, in what might be called network-based mobility management, the MN must delegate security operations to the network, thereby playing a passive role in the verification of changing locations. The success of this delegation hinges on a trust relationship between the network and the MN, which in most cases cannot be assumed to be guaranteed. Consequently, we dispensed with a network-based approach. Instead, in the proposed protocol, the MN actively participates in negotiating the security parameters with network entities. From this perspective, the proposed protocol is an extension of a host-based mobility management scheme. In addition, we wanted the proposed method to outperform existing protocols and still require fewer changes to the behavior of existing devices and protocols. This requirement leads us to design new functions that can be realized by updating software in the current system.

The remainder of this paper is organized as follows. Section 2 presents related works for Internet mobility. Section 3 presents our design goals for securing mobility signaling in a host-based DMM environment. The proposed security protocol is then illustrated with detailed operation descriptions in Sect. 4. Section 5 presents the results of our analysis of the proposed protocol. Section 6 provides the literature survey. Section 7 concludes this paper.

2 Architectural network model

2.1 Mobility management

Host-based mobility management in the MIPv6 is built on a hierarchically centralized mobile architecture in which a central MA called a home agent (HA) manages mobility context and routing information for all registered mobile nodes. The MA maintains a database to bind an IP address of the MN to a location of the MN. Data traffic between an MN and its communication peers (also known as corresponding nodes, CNs) must transit through the MA. As the MA tends to be located in the center of a core network for better accessibility from all mobile nodes, all data traffic to and from the moving MNs usually passes to the central MA in the core network. That obviously causes a long transmission latency of data traffic.

Mobility management in the MIPv6 is designed to maintain the continuity of ongoing sessions for an MN so that the MN can change its point of attachment to the network without interrupting ongoing sessions with the CN. A function of mobility management assigns the MN two addresses. One is a static home address (HoA) the CN uses to identify the MN. The other address is a dynamic care-of address (CoA) the MA uses to locate the MN. The CN associates all conversational context with the MN as occurring through the HoA. Regardless of the MN’s dynamic CoA, this association gives the CN an illusion that it is connected to the MN located at a static HoA. If the MN changes its CoA by visiting a new foreign network, the MN must immediately inform the MA and the CN of the new CoA.

The MIPv6 protocol uses a binding update (BU) to update the CoA of the MN when the MN changes its point of attachment. The BU has two purposes. In the first, the BU registers the MN’s CoA at the MA. To prevent any attempts to modify BU messages, a secure channel is established between the MN and the MA by using the IP security (IPsec). In the second, the BU delivers the new MN’s CoA to the CN to assure that the CN can still reach the MN at the new location. The routing path is somewhat suboptimal because packets from the CN are routed to the MA and then tunneled to the MN’s location. This routing path is inefficient because it forms a triangular shape. The MIPv6 protocol eliminated this inefficient routing through a new mechanism, called Route Optimization (RO), that connects the CN directly to the MN, bypassing the MA.

The architectural design of the CMM has at least two issues: performance and scalability. High traffic volume through the MA may burden the core network. A suboptimal routing option tends to augment a delivery path, degrading the delay response between communicating parties. All MNs sharing the same home network should choose the same MA. If the MA fails, all the MNs under its control become incapable of communicating with any CNs in the networks. These problems are becoming real and worsening because of the growing number of devices attached to networks and by the large volume of traffic generated by bandwidth-hungry applications.

Distributed mobility management (DMM) suggests an attractive solution to those issues in the centralized mobility management. A key concept in its design is that it shifts the roles and functionalities of the MA from a central HA to multiple access routers (ARs) located at the edges of the network. This shift is naturally aligned with a contemporary design preference for a flat network architecture in pursuit of low latency. An AR is typically located close to the MN, forming a direct routing path between the MN and the CN. Unlike CMM that permits only one-way traffic from the CN to the MN to flow in a direct path, the DMM allows traffic to flow in a direct path both ways.

In the DMM not only is the location of the HA moved to edge networks but its functionality is also distributed to multiple access routers [8]. Because a multitude of ARs share the duties of the MA, DMM is scalable and largely immune to failure. The flat mobile architecture permits traffic to be dispersed locally close to the edge networks and the MN. As a result, significant volumes of traffic can bypass the complex backhaul and core infrastructure.

2.2 Binding update in host-based DMM

A DMM approach inherits many features of CMM. The BU is one of the CMM features that DMM adopts after slight modification. The MN in the host-based DMM still owns two network addresses, the HoA and the CoA. The MN is still required to use the BU to update a new CoA at the MA. However, the BU for the RO is unnecessary because the shift to the flat architecture has already resulted in routing path optimization. This means that the CN does not get updates of changing CoAs and always identifies the MN with the MN’s HoA.

Figure 1 illustrates the BU procedure in host-based DMM [6]. In the beginning MN, without any history of mobility, is in the network boundary of AMA1 and is assigned an IP address of AMA1::MN1 (① in Fig. 1). MN initiates its first conversation with CN1 while remaining in the network. MN associates a serving AMA with AMA1 for the current session. MN also remembers AMA1 as an original AMA in order to distinguish the first serving AMA from the rest of the serving AMAs. While talking to CN1, MN moves to the second network (② in Fig. 1). At this point, MN’s new address is changed to AMA2::MN1 and AMA2 becomes a new access router. Soon afterward, MN sends the BU message to AMA2 (③ in Fig. 1). This message includes information of the original AMA and a list of MN’s past IP addresses since this session started.

AMA2 sends the access binding update (ABU) message to the original AMA (④ in Fig. 1). This message is intended to deliver a new location of MN and to request to set up an IPsec tunnel with the original AMA. The original AMA responds with an access binding acknowledgment (ABA) message to permit the IPsec setup (⑤ in Fig. 1). AMA2 sends back an acknowledgment of the BA message to MN (⑥ in Fig. 1). MN’s registration at the AMA2’s network is completed. At the same time, MN changes the serving AMA to AMA2. An IPsec tunnel is established (⑦ in Fig. 1) between AMA1 and AMA2.

The CN does not even recognize MN’s movement in the network. Without knowledge of MN’s movement, CN1 continues to send packets to MN at an address of AMA1::MN1. Upon receiving these packets AMA1 finds out from its binding cache that MN has moved to the second network and forwards these packets to AMA2 through the IPsec tunnel. AMA2 learns from its binding cache of MN’s existence in its network boundary and delivers the packets to MN. Packets sent to CN1 from MN also follow the same path in a reverse order.

An MN records a current IP address and past IP addresses with a state for ongoing sessions. The current IP address is set to a state of “preferred,” and past IP addresses are relegated to “deprecated.” If MN creates another conversation with CN2 in the second network, MN uses an IP address of AMA2::MN1. The original AMA is assigned to the current access router, AMA2. If MN moves to a third network while maintaining two sessions in parallel, the BU procedure is quite similar, with some exceptions, to the one shown in Fig. 1. The exceptions are (1) the serving AMA changes to AMA3; (2) AMA3 creates an IPsec tunnel with AMA1 for the first session and another IPsec tunnel with AMA2 for the second session; and (3) AMA1 releases the IPsec tunnel with AMA2 that was created for the first session.

3 Design goals

Some security requirements were imposed in the course of designing the system. These requirements were made after taking into consideration both practical implementation issues and performance issues.

3.1 Adversarial model

Unfortunately, unprotected and unauthenticated BU messages may allow intruders an easy means to maliciously manipulate BU messages and hijack an ongoing session to a location chosen by the intruder. This security problem is caused by IP’s inability to attach a unique identifier to the multitude of locations in mobility and multihoming environments. Further, IP does not support an easy means for the MN to claim ownership of a session. To overcome such vulnerabilities, the DMM is outfitted with existing security mechanisms.

In one of these, the IPsec establishes a secure tunnel between the two ends after these ends authenticate each other and then share a secure key by using the Internet Key Exchange version 2 (IKEv2). The IPsec tunnel protects packets in the routing path between the serving AMA and the original AMA. Moreover, most of the edge networks grant foreign devices access to their networks only after proper security is set up on those devices according to the link-layer protocol. We assume that link-layer security such as Extensible Authentication Protocol (EAP) protects the first hop link between the wireless interfaces of the MN and the serving AMA. In this setup an authentication server must detect rogue routers. The MN’s movement does not change the routing path between the original AMA and the CN. This means that the CN does not participate in mobility management and that security in the routing path beyond the original AMA hinges on security of the IP layer.

This combination of the two mechanisms, the IPsec and the link-layer security, is still insufficient for the security of BU between the MN and the original AMA. The serving AMA does not play a main role in the BU because it changes over the course of a single session as the MN moves into new networks. Mobility contexts, including security parameters, cannot be stored in the serving AMA. Although one would prefer a single end-to-end security mechanism applicable to the MN and the original AMA, the basic security model in DMM is to divide the path between the main entities into two segments and to apply a separate independent security mechanism for each segment. Sometimes, these two separate security mechanisms do not work as one in the process of verifying the two main entities as a session owner.

Fig. 1 Procedures of binding updates in the host based DMM. [Message sequence among MN, AMA1 and AMA2: Attachment to AMA1; Route Solicitation; Route Advertisement (AMA1::/64); MN address AMA1::MN1/64; Attachment to AMA2; Route Solicitation; Route Advertisement (AMA2::/64); MN address AMA2::MN1/64; Binding Update; Access Binding Update; Access Binding Acknowledgement; Binding Acknowledgement; Bi-directional IPsec Tunnel]

This clear lack of effectiveness of the basic security model opens the operations of DMM to at least two kinds of threat models. One is the risk that an ongoing session will be hijacked. The other is a vulnerability to a form of denial-of-service (DoS) attack. We will consider each of them in turn.

3.1.1 Session hijacking by malicious MN

Before the session hijacking attack the MN in the network of N1 is communicating with the CN as shown in ① in Fig. 2. After the MN has visited several networks, the serving AMA and the original AMA for an ongoing session are AMA1 and AMA2, respectively. An attacker in the N3 network who has already acquired the MN’s IP address sends the BU message toward the CN in N2, pretending to be the MN. The AMA3 in the N3 network accepts the message and forwards the ABU message to AMA2. Upon receiving the ABU from the attacker, AMA2, which is not capable of authenticating the origin of a message, responds positively to AMA3 about the ABC message. Next, AMA2 releases the tunnel set up for AMA1 and proceeds to create a tunnel with AMA3. From this point on, all packets destined to the MN are detoured to the attacker (see ② in Fig. 2).

The main reason this attack can succeed lies with the inability of the original AMA to authenticate the MN as an owner of a session. This attack assumes an attacker has access to two pieces of information: (1) the IPv6 address of a victim; and (2) an original AMA for a target session. An IPv6 address is a combination of the network address and the MAC address encoded with EUI-64, factors that make the correct address easy to guess. An original AMA is also easy to acquire by monitoring two ends of the current IPsec tunnel.

3.1.2 N-jump attack

An MN keeps a history of the IP addresses associated with each and every ongoing session. This means that the binding cache of an MN may have N IPv6 addresses if an MN has visited N different networks and created at least one session in each one and those N sessions are still running. In parallel, the MN has N IPsec tunnels bridging between the serving AMA and N original AMAs for N different sessions. Figure 3 illustrates N IPsec tunnels between the serving AMA, AMAm, and N original AMAs, AMA1 through AMAn.

An attacker can exploit the large cache size and the overhead that keeping multiple sessions imposes on the MN. An attacker triggers an attack by launching the BU message toward its access router, AMAa, and pretending to be the MN. This BU message includes the current serving AMA and information regarding N ongoing sessions and their original AMAs and their past IPv6 addresses. According to the DMM, AMAa contacts each original AMA for N sessions and signals a change in the MN’s location to AMAa. All IPsec tunnels are reestablished between the AMAa and N original AMAs. At the same time, the IPsec tunnels centered on the MN’s serving AMA are released.

Overheads levied on the serving AMA and the network are proportional to the number of networks the MN visits. The amount of traffic can be quite significant if the number increases or if the frequency of the false BU increases. This attack can be categorized as a DoS attack because an attacker’s single fake BU can result in a significant amount of traffic and overhead in the network.

Fig. 2 A session hijacking attack. Two communicating parties before attack (①) and after attack (②). [Diagram labels: MN, Attacker, CN, AMA1, AMA2, AMA3, networks N1, N2, N3, Tunneling]

This vulnerability originates in the decentralization of mobile traffic and distributed MA responsibility. Decentralization makes it difficult for the BU to validate a request. The difficulty worsens as the number of networks visited by the MN increases. The distributed access router near the edge is prone to physical attacks and opens the door to participation in man-in-the-middle (MITM) types of attacks. Furthermore, this attack is possible because the MN does not participate in the negotiations that set up the IPsec tunnel; as a result, anyone can change the two end points of the tunnel. Checking on address ownership by a reachability test thus will enhance the level of security significantly.

3.2 Security requirements

In consideration of security requirements we do not propose any improvements to stand against any attacks already caused by vulnerabilities in IPv6 security. The security policy we propose tries to maintain a degree of security at least equal to the security of the IPv6 and limits the scope of application only to those related to incidents involving mobility. We have found at least three weaknesses of the BU in the considered host-based DMM.

3.2.1 Session ownership

At the time requests are made to switch a serving AMA, the original AMA is unable to verify if a challenging MN owns the session. Upon receiving the ABU message in Fig. 1, the original AMA is ready to switch an end point of the IPsec tunnel to the new serving AMA specified in the message. However, the original AMA is unable to verify that the message just received truly originated from the MN that created the current session. It is also unable to authenticate the ABU message as free of manipulation.
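A toy model of this requirement, as an added example that is not the paper's protocol or code: an original AMA's binding cache processes ABU requests first without and then with a session-ownership check. The class and function names, the addresses, and the HMAC-SHA256 tag keyed with the session token are assumptions made for illustration; the paper's own scheme is built on quadratic residues.

```python
"""Added example: session-ownership check at the original AMA (toy model)."""
import hashlib
import hmac
import os


def owner_tag(token, hoa, new_ama, nonce):
    """MAC binding the requested tunnel end point to the session token.
    HMAC-SHA256 is a stand-in chosen for this sketch (assumption)."""
    msg = "\n".join((hoa, new_ama, nonce)).encode()
    return hmac.new(token, msg, hashlib.sha256).digest()


class OriginalAMA:
    """Hypothetical model of the original AMA's binding cache."""

    def __init__(self, verify_owner):
        self.verify_owner = verify_owner
        self.serving = {}   # binding cache: HoA -> serving AMA (tunnel end point)
        self.tokens = {}    # HoA -> secret token shared when the session started
        self.used = set()   # (HoA, nonce) pairs already accepted (replay guard)

    def start_session(self, hoa, serving_ama):
        token = os.urandom(16)
        self.serving[hoa], self.tokens[hoa] = serving_ama, token
        return token        # handed to the MN that opened the session

    def handle_abu(self, hoa, new_ama, nonce="", tag=b""):
        """Return True if the tunnel end point was switched to new_ama."""
        if hoa not in self.serving:
            return False
        if self.verify_owner:
            expected = owner_tag(self.tokens[hoa], hoa, new_ama, nonce)
            if (hoa, nonce) in self.used or not hmac.compare_digest(expected, tag):
                return False
            self.used.add((hoa, nonce))
        self.serving[hoa] = new_ama
        return True


def run_scenario(verify_owner):
    """Constructed scenario modelled on Fig. 2: original AMA2, serving AMA1."""
    hoa = "AMA2::MN1"
    ama = OriginalAMA(verify_owner)
    token = ama.start_session(hoa, "AMA1")
    results = {}
    # ABU relayed for a sender that does not hold the session token.
    results["forged"] = ama.handle_abu(hoa, "AMA3")
    results["after_forged"] = ama.serving[hoa]
    # ABU relayed for the real MN after it moves to a new network.
    nonce = os.urandom(8).hex()
    tag = owner_tag(token, hoa, "AMA4", nonce)
    results["owner"] = ama.handle_abu(hoa, "AMA4", nonce, tag)
    results["replay"] = ama.handle_abu(hoa, "AMA4", nonce, tag)
    results["final"] = ama.serving[hoa]
    return results


if __name__ == "__main__":
    print("no ownership check:  ", run_scenario(False))
    print("with ownership check:", run_scenario(True))
```

Without the check the cache follows whatever ABU arrives last; with it, only a request carrying a fresh tag from the token holder moves the tunnel end point.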

3.2.2 Active participation in authentication

As the main entities, the MN and the original AMA should interact directly with each other to negotiate security parameters in the BU. However, the MN delegates to the serving AMA the relay of messages between these main entities. Working on behalf of the serving AMA, the MN negotiates directly with the original AMA to detour the IPsec tunnel to its location. Because of the limited information conveyed by the ABU message, the original AMA cannot examine the authenticity of the request. Consequently, the original AMA grants the detour after simple checks of the information. The main cause of this weakness is the MN’s passive role in changing one end of the IPsec tunnel.

3.2.3 Location reachability

Because the bare IP was designed without any consideration of mobility, a sender of IP packets cannot bind the IP address to a location, meaning no easy means exist for a receiver to assert the location of the sender. This inserts a security weakness into the host-based DMM by permitting an adversary to manipulate the MN location to one the adversary chooses. Security in the DMM [6, 8] could be enhanced by enabling the original AMA to verify each purported new location of an MN.

Fig. 3 N jump attack. MN has N hosts in the binding update list. [Diagram labels: Attacker attached to AMAa; MN attached to AMAm; original AMAs AMA1, AMA2, ..., AMAn. Binding Update List (Address, State): AMA(n)::MN, Preferred; AMA(n-1)::MN, Deprecated; ..., Deprecated; AMA2::MN, Deprecated; AMA1::MN, Deprecated]

4 Proposed security protocol

The proposed protocol is composed of two phases: (1) an information register, and (2) information verification. In implementing the proposed protocol, we eliminated a heavy-weighted IPsec tunnel for low overheads. We adopted the quadratic residue problem for the sharing of a secret key and Rabin public key encryption for finding the unique square root of the quadratic residue.

4.1 Quadratic residue problem

An element $Q \in Z_n$ is a quadratic residue mod $n$ if there is an element $r \in Z_n$ such that $r^2 \equiv Q \pmod{n}$ [9]. Otherwise, $Q$ is called a quadratic nonresidue mod $n$. The quadratic residue problem is to determine if an integer $a \in Z_n$ is a quadratic residue. This problem is easy to solve if the moduli are an odd prime. If $a$ is a quadratic residue in the odd prime modulus, then $a$ has two square roots. If the moduli are a composite number of two odd primes, that is $n = p \cdot q$, and these two primes are congruent to 3 modulo 4 ($p \equiv 3 \bmod 4$), every quadratic residue mod $n$ has four square roots. Finding square roots of quadratic residue $a \equiv r^2 \pmod{n}$ is also easy if $p, q$ are available.

Applying the Chinese remainder theorem to

a � r2 mod nð Þ, we can say that a � r2p mod pð Þ and a �r2q mod qð Þ in which rp and rp are a square root of a quad-

ratic residue mod p and mod q, respectively. Quadratic

residue a has two square roots in mod p (rp1, rp2) and two

square roots in mod q (rq1, rq2). Using the Euler’s criterion,

we can derive Eq. 1 and find four square roots of quadratic

residue a in Eq. 2.

�a pþ1ð Þ=4� �2

� a pþ1ð Þ=2 � a p�1ð Þ=2 � a � a mod p where

a p�1ð Þ=2 � 1 mod p

ð1Þ

rp � �a pþ1ð Þ=4mod p and rq � �a pþ1ð Þ=4mod q ð2Þ

If p; q are unavailable, finding the square root is as hard as

an integer factorization problem. The difficulty of finding a

square of the quadratic residue in composite moduli has

been applied for many cryptographic systems, including

Rabin public key encryption.

In Rabin public key encryption [10], a public key is $n$, and a private key is $(p, q)$ in which $n = p \cdot q$. Message M is encrypted by using $C = M^2 \bmod n$. Ciphertext C is a quadratic residue mod n of plaintext M. For decryption, the Rabin scheme solves a square root of the ciphertext. The solution determines four square roots. Determining which of these is the plaintext becomes straightforward with a predetermined redundancy appended to the plaintext. For instance, the redundancy could be the last ten bits of the plaintext. If this is the case, finding the plaintext among the four roots becomes clear: one root with a duplicate of the last 20 bits. Rabin encryption is quite efficient because it only involves a single modular squaring. Rabin decryption is slower than encryption, but comparable in speed to other encryption schemes with similar strength.

4.2 Phase 1: Information register

The first stage happens once in the beginning of a session. The main goal at this stage is to share a secret for a session between the MN and the original AMA. Figure 4 illustrates a diagram of four messages exchanged in the first phase.

M1-1 and M1-2 (Preparation) The MN is connected to a network in which AMA1 is an access router. The MN exchanges the router's solicitation message and its advertising message with the access router in order to assign the MN's IPv6 address to AMA1::MN/64.

M1-3 (Binding update) As shown in Fig. 4, the MN sends the BU message to the original AMA, AMA1. This message carries two pieces of information, the MN's IPv6 address and a composite number, $n$. The composite number is a product of two large, distinct odd primes, $p$ and $q$, that the MN secretly generates.

M1-4 (Binding acknowledgment) AMA1 checks the IPv6 address in the BU message to assure that the MN belongs to the network. AMA1 selects a prime secret, $S_{AMA1}$ $(1 < S_{AMA1} < n)$, relatively prime to $n$, and computes $V_{AMA1}$ in Eq. 3. $V_{AMA1}$ is a quadratic residue mod n. The BA message carries $V_{AMA1}$.

$$V_{AMA1} = S_{AMA1}^2 \bmod n \tag{3}$$

Upon receiving the BA message, the MN computes the four square roots of the quadratic residue mod n, $V_{AMA1}$. Secret $S_{AMA1}$ is one of these. Determination of the true square root is straightforward because it must contain a predetermined redundancy for the secret. The MN and the original AMA share secret $S_{AMA1}$.

Fig. 4 Diagram of four messages exchanged in the first phase. (Figure: after attachment to AMA1, the MN and AMA1 exchange M1-1 Route Solicitation, M1-2 Route Advertisement (AMA1::/64), M1-3 Binding Update (AMA1::MN/64, n) and M1-4 Binding Acknowledge ($V_{AMA1}$), where $V_{AMA1} = S_{AMA1}^2 \bmod n$.)
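The first phase can be exercised end to end with the added example below, which is not code from the paper: the MN generates p and q congruent to 3 modulo 4, AMA1 returns V_AMA1 = S_AMA1^2 mod n, and the MN recovers S_AMA1 from the four roots given by Eq. 2 and the Chinese remainder theorem. The function names and the 64-bit redundancy tag are assumptions of this example, and S_AMA1 is only required here to be coprime to n.

```python
import math
import secrets

# Assumption: the paper's illustration repeats the last ten bits. A tag that short
# lets one of the other three roots match by chance (about 3 in 1024), so this
# example repeats 64 bits instead.
TAG_BITS = 64


def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_blum_prime(bits):
    """Random prime congruent to 3 mod 4, as section 4.1 requires."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 3
        if is_probable_prime(p):
            return p


def mn_keygen(bits=512):
    """MN, before M1-3: secret primes p, q and the public modulus n = p*q."""
    p = gen_blum_prime(bits)
    q = gen_blum_prime(bits)
    while q == p:
        q = gen_blum_prime(bits)
    return p, q, p * q


def add_tag(m):
    """Append the redundancy: repeat the low TAG_BITS bits of m."""
    return (m << TAG_BITS) | (m & ((1 << TAG_BITS) - 1))


def has_tag(x):
    mask = (1 << TAG_BITS) - 1
    return (x & mask) == ((x >> TAG_BITS) & mask)


def ama_make_secret(n):
    """AMA1, M1-4: pick S with 1 < S < n and gcd(S, n) = 1; V = S^2 mod n (Eq. 3)."""
    while True:
        s = add_tag(secrets.randbits(n.bit_length() - TAG_BITS - 1))
        if 1 < s < n and math.gcd(s, n) == 1:
            return s, pow(s, 2, n)


def square_roots(a, p, q):
    """All square roots of a mod n = p*q, from Eq. 2 plus the CRT."""
    n = p * q
    rp = pow(a, (p + 1) // 4, p)
    rq = pow(a, (q + 1) // 4, q)
    if pow(rp, 2, p) != a % p or pow(rq, 2, q) != a % q:
        raise ValueError("not a quadratic residue mod n")
    cp = q * pow(q, -1, p)                        # 1 mod p, 0 mod q
    cq = p * pow(p, -1, q)                        # 0 mod p, 1 mod q
    return {(sp * cp + sq * cq) % n
            for sp in (rp, p - rp) for sq in (rq, q - rq)}


def mn_recover_secret(v, p, q):
    """MN, after M1-4: the one root that carries the redundancy is S_AMA1."""
    tagged = [r for r in square_roots(v, p, q) if has_tag(r)]
    if len(tagged) != 1:
        raise ValueError("redundancy did not single out one root")
    return tagged[0]
```

Only the holder of p and q can call `square_roots`; an observer of M1-3 and M1-4 sees n and V_AMA1 but cannot evaluate Eq. 2.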


4.3 Phase 2: Information verification

This stage occurs every time the MN enters a new network. We describe this phase from the perspective of a single session. However, the second phase happens as many times as the number of ongoing sessions in the MN.

To protect the MN's binding update from malicious intent, the original AMA and the MN use a simple challenge and response exchange to confirm that they share the same secret $S_{AMA1}$. The confirmation ensures that they own the session. Furthermore, the MN verifies reachability with the original AMA from its new location and vice versa. Figure 5 illustrates a diagram of message exchanges in the second phase.

M2-1 and M2-2 (Preparation) Once the MN is attached to a new network, the MN exchanges routing information with a new serving AMA, AMA2, to assign a new IP address, AMA2::MN/64.

M2-3 (Binding update) This message is sent to the new serving AMA. It carries five parameters, including the MN's random number $R^i_{MN}$ and the MN's past and current addresses associated with the current session. The MN chooses another secret for the new network, $S^i_{MN}$ $(1 < S^i_{MN} < n)$, and $V^i_{MN} \equiv (S^i_{MN})^2 \bmod n$. This secret is valid only in the network in which it is created. It must be updated in a new network. The new secret $S^i_{MN}$ is used to send the shared secret $S_{AMA1}$ to the original AMA without revealing its value over public networks; that is, $S_{AMA1}$ is multiplied by $S^i_{MN}$ as shown in Eq. 4. The shared secret is transformed into $SK_T$ as shown in Eq. 5. By doing so, the shared secret changes in every new network, providing fresh shared keys and forward secrecy. The last parameter, $MAC_{BU}$, is created in Eq. 6 by using a keyed hash with a secret $SK^i_T$ and is included to authenticate the parameters of the BU message.

$$PROD_Y = S^i_{MN} \cdot S_{AMA1} \bmod n \tag{4}$$

$$SK^i_T = H_1\left(PROD_Y, S_{AMA1}, R^i_{MN}\right) \tag{5}$$

$$MAC_{BU} = H_k\left(ID_2 \,|\, R^i_{MN} \,|\, PROD_Y,\ SK^i_T\right) \tag{6}$$

M2-4 (Binding challenge) The serving AMA verifies the MN's address and forwards four parameters in the BC message to the original AMA.

M2-5 (Binding response) The original AMA verifies the BC message with $MAC_{BU}$. This confirms that the BC message is an unmodified version and was created by someone who knows the shared secret. The original AMA computes $MAC_{BR}$ in Eq. 7 and sends this value to the MN, along with the random number $R_{AMA1}$.

$$MAC_{BR} = H_k\left(ID_2 \,|\, R_{AMA1} \,|\, R^i_{MN} + 1,\ SK^i_T\right) \tag{7}$$

M2-6 (Access binding update) The MN authenticates the BR message by verifying $MAC_{BR}$. Correctness of $MAC_{BR}$ authenticates the original AMA because the creator of $MAC_{BR}$ knows the shared secret and because it is the original AMA. The role of the ABU is quite similar to its role in the original protocol in Fig. 1. The ABU message carries the MN's previous IPv6 address, $V^i_{MN}$, a quadratic residue mod n of the MN's secret, and the MAC of the message, $MAC_{ABU}$, in Eq. 8.

$$MAC_{ABU} = H_k\left(ID_1 \,|\, V^i_{MN} \,|\, (IP_1 \dots IP_n),\ SK^i_T\right) \tag{8}$$

Fig. 5 Time diagram of a message exchange in the second phase for MN's ith movement in the network. (Figure: after attachment to AMA2, the MN, AMA2 and AMA1 exchange the following messages, followed by tunneling to and from AMA1::MN/64.)

M2-1. Route Solicitation
M2-2. Route Advertisement (ID2)
M2-3. Binding Update (ID1, ID2, RMN, PRODY, MACBU)
M2-4. Binding Challenge (ID2, RMN, PRODY, MACBU)
M2-5. Binding Response (RAMA1, MACBR)
M2-6. Access Binding Update (ID1, V1MN, MACABU)
M2-7. Access Binding Acknowledge
M2-8. Binding Acknowledge

Legend in Fig. 5: IDi = AMAi::MN/64; V1MN = (S1MN)^2 mod n; PRODY = S1MN·SAMA1 mod n; SKT = H1(PRODY|SAMA1); MACBU = Hk(ID2|RMN|y, SKT); MACBR = Hk(ID2|RMN+1|RAMA1|VAMA1, SKT); MACABU = Hk(ID1|RAMA1+1|V1MN, SKT)

M2-7 (Access binding acknowledgment) The original AMA finally acknowledges MN's movement based on the ABU message.

$$Y = V^i_{MN} \cdot V_{AMA1} \bmod n \tag{9}$$

Parameter Y in Eq. 9 is compared with the square of $PROD_Y$ received in the BC message (see message M2-4 in Fig. 5). If the comparison is positive, the original AMA can confirm that the challenging MN is an owner of the current session. The original AMA sends the ABA message to the serving AMA to grant the IPsec tunnel between them.

M2-8 (Binding acknowledgment) The serving AMA updates the MN's mobility context in the binding cache. The MN's current IP address is assigned to a status of "preferred," and the rest of the addresses are set to "deprecated." In this way the serving AMA can distinguish a new session from a handover session because this AMA is required to function as an original AMA for those new sessions. The BA message delivers a response to the MN's request to change the serving network. Upon receiving the BA message, the MN also updates its mobility context in the binding cache.

After the BU is completed, an IP security tunnel is established between the serving AMA and the original AMA. Because the IKEv2 key exchange protocol in the IP tunnel is expensive, the proposed protocol dispenses with the IKEv2. The secret $SK^i_T$ in Eq. 5 is used for the secret key. The MN delivers the secret key to the serving AMA after receiving message M2-8 through a channel secured by the link-layer protocol. The secret key changes its value in different networks. Hence, the old serving AMA cannot access the secret key in the current serving AMA.
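The phase-2 exchange (M2-3 to M2-7) with both endpoints, as an added example rather than the authors' implementation: it follows Eqs. 4 to 10 with SHA-256 and HMAC-SHA256 as listed in Table 1. The length-prefixed field encoding, the 32-bit wrap of R_MN + 1, the demo modulus built from two public Mersenne primes, carrying the binding-update list alongside the ABU, and all class and function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Constructed demo modulus from two well-known Mersenne primes (NOT secret);
# in the protocol the MN generates p and q privately during phase 1.
N = (2**521 - 1) * (2**607 - 1)
NBYTES = (N.bit_length() + 7) // 8


def enc(*fields):
    """Assumed encoding: every field is length-prefixed so '|' is unambiguous."""
    out = b""
    for f in fields:
        if isinstance(f, int):
            f = f.to_bytes(NBYTES, "big")
        elif isinstance(f, str):
            f = f.encode()
        out += len(f).to_bytes(2, "big") + f
    return out


def h1(prod_y, s_ama, r_mn):                     # Eq. 5
    return hashlib.sha256(enc(prod_y, s_ama, r_mn)).digest()


def hk(key, *fields):                            # keyed hash of Eqs. 6-8
    return hmac.new(key, enc(*fields), hashlib.sha256).digest()


class MobileNode:
    def __init__(self, s_ama):
        self.s_ama = s_ama                       # secret shared in phase 1

    def binding_update(self, id1, id2):          # builds M2-3
        self.id1, self.id2 = id1, id2
        self.s_i = secrets.randbelow(N - 2) + 2  # 1 < S_MN^i < n
        self.r_mn = secrets.randbits(32)
        prod_y = (self.s_i * self.s_ama) % N                 # Eq. 4
        self.sk = h1(prod_y, self.s_ama, self.r_mn)          # Eq. 5
        mac_bu = hk(self.sk, id2, self.r_mn, prod_y)         # Eq. 6
        return {"id1": id1, "id2": id2, "r_mn": self.r_mn,
                "prod_y": prod_y, "mac_bu": mac_bu}

    def access_binding_update(self, br, bu_list):  # checks M2-5, builds M2-6
        expect = hk(self.sk, self.id2, br["r_ama"], (self.r_mn + 1) % 2**32)
        if not hmac.compare_digest(expect, br["mac_br"]):    # Eq. 7
            raise ValueError("MAC_BR mismatch")
        v_mn = pow(self.s_i, 2, N)
        mac_abu = hk(self.sk, self.id1, v_mn, *bu_list)      # Eq. 8
        return {"id1": self.id1, "v_mn": v_mn,
                "bu_list": bu_list, "mac_abu": mac_abu}


class OriginalAMA:
    def __init__(self, s_ama):
        self.s_ama = s_ama
        self.v_ama = pow(s_ama, 2, N)            # Eq. 3, sent in M1-4

    def binding_response(self, bc):              # checks M2-4, builds M2-5
        sk = h1(bc["prod_y"], self.s_ama, bc["r_mn"])
        expect = hk(sk, bc["id2"], bc["r_mn"], bc["prod_y"])
        if not hmac.compare_digest(expect, bc["mac_bu"]):
            raise ValueError("MAC_BU mismatch")
        self.sk, self.prod_y = sk, bc["prod_y"]  # keep state only after the check
        r_ama = secrets.randbits(32)
        mac_br = hk(sk, bc["id2"], r_ama, (bc["r_mn"] + 1) % 2**32)
        return {"r_ama": r_ama, "mac_br": mac_br}

    def access_binding_ack(self, abu):           # checks M2-6, decides M2-7
        expect = hk(self.sk, abu["id1"], abu["v_mn"], *abu["bu_list"])
        if not hmac.compare_digest(expect, abu["mac_abu"]):
            raise ValueError("MAC_ABU mismatch")
        y = (abu["v_mn"] * self.v_ama) % N                   # Eq. 9
        if y != pow(self.prod_y, 2, N):                      # Eq. 10
            raise ValueError("Y does not equal PROD_Y squared")
        return True


def run_handover(mn, ama, id1, id2, bu_list, tamper=None):
    """One movement; `tamper` may modify the BC while it is in transit."""
    bu = mn.binding_update(id1, id2)
    bc = {k: bu[k] for k in ("id2", "r_mn", "prod_y", "mac_bu")}  # M2-4
    if tamper:
        tamper(bc)
    br = ama.binding_response(bc)
    abu = mn.access_binding_update(br, bu_list)
    return ama.access_binding_ack(abu)
```

Rewriting ID2 in the forwarded challenge makes `binding_response` raise, because ID2 is covered by MAC_BU under a key that depends on S_AMA1.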

5 Performance analysis

5.1 Security analysis

The security of the proposed protocol is verified by checking how well it satisfies its design requirements and defends against threat models.

5.1.1 Session ownership

In the proposed protocol, the MN and the original AMA mutually verify the owner of a session every time the MN notifies the original AMA of a change in its location. At the very beginning of a session these two entities share secret $S_{AMA1}$ and later authenticate ownership by verifying knowledge of the shared secret. In the first phase, the original AMA generates the shared secret and sends the quadratic residue mod n of the shared secret. Only the MN, which can factorize the modulus n, can derive the shared secret from its quadratic residue.

In the second phase, the MN sends $PROD_Y\ (= S^i_{MN} \cdot S_{AMA1} \bmod n)$ to the original AMA in message M2-4 in Fig. 5. Multiplication of the MN's secret $S^i_{MN}$ to the shared secret $S_{AMA1}$ serves to demonstrate knowledge of the shared secret without disclosing it publicly. In message M2-6 in Fig. 5, the MN reveals $V^i_{MN}$ to the original AMA. The original AMA compares $V^i_{MN} \cdot V_{AMA1}$ with the square of $PROD_Y$ as shown in Eq. 10.

$$V^i_{MN} \cdot V_{AMA1} \equiv \left(S^i_{MN}\right)^2 \cdot \left(S_{AMA1}\right)^2 \equiv \left(S^i_{MN} \cdot S_{AMA1}\right)^2 \bmod n \tag{10}$$

If the two values are equal, the original AMA confirms the challenging MN as an owner of the session. The correctness of the MAC $MAC_{BR}$ (see Eq. 5) confirms the challenging AMA as a holder of the shared secret. Because in the first phase the MN shares the secret with only the original AMA, the MN can verify that the challenging AMA also owns the session.

5.1.2 Active authentication

Based on these four messages, M2-3, M2-4, M2-5, and M2-6, in Fig. 5, the MN executes a three-way handshake with the original AMA. Messages M2-3 and M2-4 are illustrated as two separate messages in Fig. 5, but they are a single message because the latter message is a part of the former one. In the three-way handshake, the MN is active in changing the delivery path of the IPsec tunnel. We can describe this as an active role because the MN corroborates with the original AMA that a request for a change is valid and negotiates mobility parameters directly with the original AMA.

5.1.3 Location reachability

We followed a general approach to verify reachability to and from a new location of the MN. The general approach is that one end sends a cryptographic token to the other end to determine if it can then demonstrate knowledge of the dispatched token. We designed the proposed protocol so that the verifier includes a random number in the challenge message, and a proven receiver includes a secure hash of the random number in its returning message.

The MN challenges the original AMA with a random number, $R_{MN}$, in message M2-4. The original AMA returns a secure hash value of $R_{MN} + 1$ in message M2-5. An attacker located anywhere in the routing path can obtain the token in clear text. However, the attacker is unable to fabricate the secure hash value of the token in the returning message. The original AMA does the same in a reachability check to the MN with random number $R_{AMA1}$ in messages M2-5 and M2-6. One downside of this approach is the increased delay imposed because an agreement on reachability involves at least a three-way exchange between the MN and the original AMA.

5.2 Performance evaluation

Our consideration at the outset in designing the security protocol for the host-based DMM was to strengthen its security. Communication costs and computational delays are the overhead measurements of the proposed protocol, and these measurements for our proposal were compared with those of two other protocols that have been advanced. For comparison purposes, we computed the communication costs of the proposed protocol and the communication costs of the host-based DMM in an IPsec operation with a pre-shared key.

5.2.1 Communication costs

Communication costs are by definition the number of bits transmitted in the networks to complete all the BU for N addresses in the BU list. The N addresses imply that the MN has N ongoing sessions with different IP addresses of the MN. These computations in Table 1 are based on the length of the parameters and the type of operations. Table 2 lists message notations and their sizes used to compute the communication costs.

We compared the communication costs in the first phase of the proposed protocol with the one in the first BUs of the host-based DMM. The first phases in both protocols are the same except for messages M1-3 and M1-4 (see Fig. 4). The messages in the proposed protocol carry additional parameters such as modulo n and quadratic residue mod n, $V_{AMA1}$.

In the second phase, the two protocols contain eight and ten messages, respectively. The total number of messages to complete the BUs for N addresses is $4 + 3(N - 1)$ for the proposed protocol and $4 + 6(N - 1)$ for the host-based DMM. Table 4 contains a comparison of communication costs when the BU list has two addresses. The two protocols cost the same up to the second message. At the fourth message, the DMM generates more data and more messages than the proposed protocol. The total communication cost of the DMM is 18,304 bits, three times more than the cost of the proposed protocol. The total communication cost is calculated based on equations in Table 3.

5.2.2 Computational delays

We took advantage of the Crypto++ Library [11] to measure the elapsed time of the cryptographic operations. The measurement ran on an Intel Quad Core 3.60 GHz and 8 gigabyte RAM under an Ubuntu 14.04 operating system with a Linux kernel version of 3.19.

Figure 6 shows our comparison of the communication costs for the two protocols with up to ten addresses in the BU list. As the number of addresses increases, the difference in the communication costs between the two protocols becomes evident. When the number of addresses in the BU list is ten the communication cost of the DMM is 148 bit while the one of the proposed protocol is 43 bit, which is 3.5 times smaller than the DMM.

Table 5 lists the average elapsed time of 12 atomic operations for cryptography. Generating two large prime numbers and computing a modulus as the product of these two numbers created the longest delay. This delay is denoted as $T_{QRparam}$, and its value is 6518.68 microseconds. The addition of $T_{QRparam}$ and $T_{QRdec}$ brings the total delay to 6606.02 microseconds. This is the total delay of the proposed protocol in the first phase. However, the computational delay of the proposed protocol does not include this delay. This is because a series of operations related to this delay can be done ahead of time in the MN before the BU initiates, so they are an offline operation. It follows that the computational delay of the proposed protocol at the MN in the first phase is 87.34 microseconds, as shown in Fig. 7.

Table 1 Parameters used in measurements of communication costs

| Protocol | Parameters | Details |
|---|---|---|
| DMM | Initial vector and nonce | 32 bits |
| | Encryption | AES-128-CBC |
| | MAC and PRF | HMAC-SHA1-96 |
| | DH Group | Alternate 1024-bit MODP group |
| Proposed | ID | 128 bits |
| | Random numbers ($R_X$) | 32 bits |
| | $n$, $S_{MN}$, $S_{AMA}$ | Alternate 1024-bit MODP group |
| | $H_1()$ | SHA256 |
| | $H_k()$ | HMAC-SHA256 |

In contrast, operations on the part of an interactive protocol cannot be done offline or independently because input parameters to the operations are determined in real time. For instance, generation of the secret key in the Diffie–Hellman key exchange requires an input parameter from a peer for a fresh key, which means a key must be established once one peer is connected to another. The IKEv2 in the IPsec protocol uses the Diffie–Hellman key exchange. Consequently, the computational delay in the DMM must include delays associated with the Diffie–Hellman key exchange whenever new IPsec tunnels are established between a serving AMA and an original AMA.

Figure 7 depicts a comparison of the computation delays of both protocols in the MN and in the AMA. In the first phase, the MN in the DMM does not involve any cryptographic operations at all and neither does the AMA. This observation sets to zero four computational delays of the first phase in Fig. 7. In contrast, the two peers in the proposed protocol involve encryption and decryption for quadratic residue operations. These operations take 43.8 microseconds and 87.34 μs, respectively. In the second phase, the MN in the DMM does not involve any cryptographic operations because the serving AMA terminates a secure IP connection toward the MN. The serving AMA and the original AMA in the DMM do exactly the same cryptographic operation, which takes 666.3 microseconds. As shown in Table 6, the serving AMA in the proposed protocol does not involve any cryptographic operations but the original AMA in 80.2 microseconds does five hash operations, two multiplications, one addition, and one random generation. The original AMA in the DMM took about eight times longer than the original AMA's computation in the proposed protocol. The MN in the proposed protocol executes operations similar to the original AMA, except for QR encryption. The computational delay in the MN is 122.9 microseconds.

Fig. 6 Communication costs of two protocols when the BU list contains 10 addresses. (Figure: communication cost in Kbits against the number of binding update list entries, 1 to 10. DMM: 2.1, 18.3, 34.5, 50.8, 67.0, 83.2, 99.4, 115.6, 131.9, 148.1. Proposed: 3.6, 7.9, 12.3, 16.6, 20.9, 25.2, 29.5, 33.9, 38.2, 42.5.)

Table 2 Message notations and their sizes

| Notation | Description | Size in bytes |
|---|---|---|
| $S_{RS}$, $S_{RA}$ | Size of RS/RA messages | 52, 80 |
| $S_{BU}$, $S_{BA}$ | Size of the BU/BA messages | 56, 56 |
| $S_{ABU}$, $S_{ABA}$ | Size of the ABU/ABA messages | 56, 56 |
| $S_{BINDINGCHALL}$ | Size of the BINDING CHALLENGE message | 168 |
| $S_{BINDINGRES}$ | Size of the BINDING RESPONSE message | 92 |
| $S_{TU}$, $S_{MO}$ | Size of the tunneling header and mobility option | 40, 20 |
| $S_{MAC}$ | Size of message authentication code | 12 |
| $S_{IKEINITREQ}$ | Size of the IKE INIT REQUEST message | 298 |
| $S_{IKEINITRES}$ | Size of the IKE INIT RESPONSE message | 298 |
| $S_{IKEAUTHREQ}$ | Size of the IKE AUTH REQUEST message | 568 |
| $S_{IKEAUTHRES}$ | Size of the IKE AUTH RESPONSE message | 568 |

Four messages at the bottom are related to the IPsec protocol

Table 3 Messages required to complete a single binding update in the proposed protocol and in the DMM

| Protocol | Messages |
|---|---|
| DMM | $S_{IKEINITREQ} + S_{IKEINITRES} + S_{IKEAUTHREQ} + S_{IKEAUTHRES} + S_{ABU} + S_{ABA} + 4S_{MAC} + 2S_{TU} + 2S_{MO}$ |
| Proposed | $S_{BINDINGCHALL} + S_{BINDINGRES} + S_{ABU} + S_{ABA} + 2S_{TU} + 2S_{MO} + 44$ |

5.2.3 Actual delay measurements

We have implemented the host-based DMM and proposed protocols in a real LTE-advanced network so as to measure actual delays. This measurement is of critical importance to developers and engineers in the mobile industry as a determinant of whether to deploy these protocols in the real environment. Figure 8 illustrates an experimental setup for the measurement. The setup contains a notebook, six tethered smartphones, and one Wi-Fi access point (AP). The notebook implements the MN in the setup. The six smartphones playing the role of the AMA are subscribed to three service providers in Korea: (1) SK (SK Telecom); (2) KT (Korean Telecom); and (3) LG U+. In this setup, the MN is connected to the AMA over the Wi-Fi, and the AMA is connected to the Internet over the LTE-Advanced network. The seventh AP connects the notebook to the Internet through the research-oriented public Korean Advanced Research Network (KOREN).

Table 7 lists the six smartphones and the AP in the experiment and their assignment to each AMA. The table also shows the number of hops between the AMAs and the round trip time (RTT) in milliseconds, which were measured using tools ping and traceroute. The number of hops varies from 12 to 31. The RTT varies from 33 to 96 ms. The last column in Table 7 shows the average RTT of each AMA as measured over time.

We have measured three delays based on three experimental scenarios. These are (1) the MN undergoes but one handover; (2) the MN visits N networks but visits the same network no more than once; and (3) the MN visits N networks but visits the same network more than once. According to the experimental scenario, the MN chooses a serving AMA at random and immediately initiates the handover once the last handover is completed. We have run each experiment 3500 times and used only those values within the 97% quantile for averages to present in Figs. 9 and 10.

In the first scenario, we wanted to compare a single handover delay between the proposed protocol and the DMM. A delay in the first handover measures the initial BU delay when a new session is started. Although the proposed protocol has different protocols for the initial BU from the rest of BUs, the DMM shows no difference across any number of BUs. The first handover delay in the DMM is 86.9 ms, and the one in the proposed protocol is 95.8 ms. The initial BU setup in the proposed protocol takes 8.9 ms longer than the one in the DMM. This is because the proposed protocol has more cryptographic operations. The second and later handovers compensate for this extra delay.

Fig. 7 Computational delays of two protocols. O-AMA and S-AMA stand for original and serving AMAs, respectively. (Figure: computational delay in microseconds, logarithmic axis, for the DMM and the proposed protocol at the MN, O-AMA and S-AMA in Phase #1 and Phase #2.)

Table 4 Communication costs of the BU for the proposed protocol and the DMM with two addresses. The cost is measured in bits

| Bits | M.2-1 | M.2-2 | M.2-3 | M.2-4 | M.2-5 | M.2-6 | M.2-7 | M.2-8 | M.2-9 | M.2-10 | Total |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Proposed | 416 | 640 | 1728 | 1344 | 736 | 1184 | 928 | 96 | | | 7936 |
| DMM | 416 | 640 | 704 | 2384 | 2384 | 4640 | 4640 | 1024 | 1024 | 448 | 18,304 |

Table 5 Average elapsed time of 12 atomic operations for cryptography used in comparing computational delays

| Operations | Symbol | Delay in microseconds |
|---|---|---|
| Diffie–Hellman parameter | $T_{DHparam}$ | 221.94 |
| Diffie–Hellman shared key | $T_{DHshare}$ | 244.84 |
| Nonce | $T_{nonce}$ | 1.26 |
| Pseudo random function | $T_{PRF}$ | 11.18 |
| AES-128-CBC | $T_{AES}$ | 12.1 |
| HMAC-SHA1-96 | $T_{HMAC}$ | 9.52 |
| Quadratic residue parameter | $T_{QRparam}$ | 6518.68 |
| Quadratic residue encryption | $T_{QRenc}$ | 43.8 |
| Quadratic residue decryption | $T_{QRdec}$ | 87.34 |
| SHA-256 | $T_{SHA256}$, $T_{HMAC-256}$ | 15.28 |
| Addition of nonce | $T_{add}$ | 0.38 |
| Multiplication in modulo | $T_{mul}$ | 1.08 |

The second and third experiments measured the delays between handovers three and seven. Our prohibition in the second experiment on a repeat visit to any network permits us to estimate a range of handover delay in a worst case scenario. Although this estimate is very general, it gives service providers numbers they can anticipate and plan to accommodate. By allowing a repeat visit to a network in the third scenario, we are able to measure a handover delay much closer to reality.

When seven handovers occur in the third experiment, the host-based DMM takes 3198 ms compared with the 2050 ms required by the proposed protocol. As shown in Fig. 10, the handover delay in the DMM takes about 50% longer than in the proposed protocol. The slight differences in results in the second and the third experiments imply that the computational delay saved in visiting the same network is so tiny that the communication delay makes up most of the handover delay. The graphs in Fig. 10 are quickly saturated after the number of handovers passes two. We can extend this observation to conclude that in a steady state, the handover delay is quite close to those in Fig. 10.

Table 7 The number of hops and the delay between seven AMAs. The delay is measured in milliseconds (ms). Entries below the diagonal are RTT (ms); entries above the diagonal are the number of hops

| | | SK1 AMA1 | KT1 AMA2 | LG AMA3 | SK2 AMA4 | SK3 AMA5 | KT2 AMA6 | KOREN AMA7 | Average (ms) |
|---|---|---|---|---|---|---|---|---|---|
| SK1 | AMA1 | | 27 | 31 | 30 | 30 | 26 | 16 | 79.7 |
| KT1 | AMA2 | 79 | | 28 | 27 | 27 | 23 | 13 | 69.2 |
| LG | AMA3 | 80 | 67 | | 31 | 31 | 17 | 17 | 73.1 |
| SK2 | AMA4 | 89 | 76 | 78 | | 30 | 26 | 16 | 77.5 |
| SK3 | AMA5 | 96 | 83 | 85 | 94 | | 26 | 16 | 83.4 |
| KT2 | AMA6 | 88 | 75 | 77 | 85 | 93 | | 12 | 76.6 |
| KOREN | AMA7 | 46 | 33 | 34 | 43 | 50 | 42 | | 41.5 |

Table 6 Atomic operations consisting of the computational delay for MN, original AMA, and serving AMA for the DMM and the proposed protocol

| Protocol | Entity | Phase 1 | Phase 2 |
|---|---|---|---|
| Proposed | MN | $T_{QRdec}$ | $T_{QRenc} + T_{nonce} + T_{add} + T_{mul} + T_{SHA256} + 4 \cdot T_{HMAC-256} = 122.9$ |
| | Original AMA | – | $T_{add} + T_{nonce} + 2 \cdot T_{mul} + T_{SHA256} + 4 \cdot T_{HMAC-256} = 80.2$ |
| | Serving AMA | $T_{QRenc}$ | – |
| DMM | MN | – | – |
| | Original AMA | – | $T_{DHparam} + T_{DHshare} + T_{nonce} + 8 \cdot T_{PRF} + 4 \cdot T_{AES} + 4 \cdot T_{HMAC}$ |
| | Serving AMA | – | $T_{DHparam} + T_{DHshare} + T_{nonce} + 8 \cdot T_{PRF} + 4 \cdot T_{AES} + 4 \cdot T_{HMAC}$ |

Fig. 8 Experimental setup for delay measurements. (Figure: the notebook reaches smartphones S1 to S6 over Wi-Fi; the smartphones reach the Internet through SK, KT and LG U+, and the notebook also reaches it through KOREN.)

6 Literature survey

A range of objects in network protocols can enforce security in mobility management. For ease of understanding, we divide them into two groups, based on the protocol layer in which each object is located. One group consists of objects in the IP layer. The other group is made up of objects in layers other than IP. We will consider these in turn.

6.1 IP layer

Chuang et al. [12] suggested improvements in the authentication and handover procedures of the Proxy MIPv6 (PMIPv6). The PMIPv6 enables network-based localized mobility management for an MN, thereby provisioning transparency in mobility to the MN and reducing signaling overheads. However, the PMIPv6 still suffers from packet losses, inefficient authentication procedures, and security threats. A bicasting scheme was designed to avoid packet loss and out-of-sequence delivery. Local authentication was tested for efficiency in reducing authentication latency.

Lee [13] introduced secure authentication between the MN and the distributed anchor through dynamic tunneling in the DMM that coexists with the PMIPv6. The proposed scheme considers a session-to-mobility ratio to determine which distributed anchor is responsible for managing a tunnel to the local mobility anchor (LMA). If the session-to-mobility ratio is high, the current distributed anchor establishes a tunnel for the MN's data packets to the CN. Otherwise, the tunnel established remains between distributed anchors.

Rossi et al. [14] tackled security issues in routing optimization (RO) for the MIPv6. The former inefficient triangular routing path in the MIPv6 was resolved by having the RO follow a direct path from the MN to the CN. As a side effect, the RO raised a number of security issues by merely being subject to session-hijacking attacks. The authors proposed a secure and efficient RO by using enhanced cryptographically generated address (ECGA) and DNS security (DNSSEC). Because the IP address is generated cryptographically, their proposed approach makes it difficult to forge the source IP address. The security keys are securely stored and delivered to a verifier by use of the DNSSEC.

6.2 Non-IP layer

One of the main advantages of locating security above the IP layer is to provide transparency in IP changes to applications in mobile nodes.

Snoeren et al. [15] proposed a mobility management system implemented in the layers of the transport control protocol (TCP). An update of IP addresses through the domain name server (DNS) allows the CN an easy means to find the MN's IP address in the new location. Using a connection migration implemented on a TCP option, peers can negotiate changes of IP addresses securely and efficiently without breaking the end-to-end connection semantic.

Fig. 9 Delay measurements of two protocols for the first experiment in the first and second handovers. (Figure: delay in milliseconds, logarithmic axis, against the number of handovers for the DMM and the proposed protocol.)

Fig. 10 Delay measurements of two protocols for the second and third experiments in handovers up to seven. (Figure: delay in milliseconds against the number of handovers, 3 to 7, for DMM (3rd), Proposed (3rd), DMM (2nd) and Proposed (2nd).)

Aura et al. [16] introduced DoS attacks, connection

hijacking, and packet flooding. The multihoming function

in the streaming control transport protocol (SCTP) is sub-

ject to these attacks when the function supports dynamic

addressing and endpoint mobility. The authors proposed

countermeasures by changing mobility extensions in the

SCTP.

Seggelmann et al. [17] adopted datagram transport layer

security (DTLS) to support secure mobility. Address

changes will be notified implicitly, a process than is prone

to attacks because the source address is not protected by

DTLS. However, it can be secured by using the Heartbeat

extension to verify the new address. Mobility operations

such as a Heartbeat message are as secure as operations in

the DTLS.

Request for Comments (RFC) 5201 [18] introduced a new layer, called the host identity protocol (HIP), between the TCP layer and the IP layer. Most of the security issues in mobility management are attributed to the duplicate roles of IP addresses, which are used to simultaneously identify and locate a host. However, this dual role quickly became invalid with the birth of mobile hosts. The idea behind the HIP was to insert the identification layer to relieve the IP layer of this role. The HIP innovation is responsible for making IP addresses more secure.

Multipath TCP (MPTCP) is capable of using multiple network paths for a single connection and managing multiple underlying TCP connections (called subflows) to a single TCP destination. Mobility management can be simpler with the MPTCP capability of establishing connections from network interfaces simultaneously; a new subflow is initiated on the second interface before the ongoing subflow is terminated on the first interface. The conversation is switched to the new subflow seamlessly [19]. Jadin et al. [20] proposed MPTCPsec, an MPTCP extension for protecting application data and authenticating TCP options. MPTCPsec can be applied for mobility management in MPTCP to counter nefarious security attacks.

Quick UDP Internet connections (QUIC) is a transport protocol developed by Google, running on top of the UDP. In comparison with TCP, QUIC reduces connection latency by reducing the number of round-trip times (RTTs) required for connection establishment and by avoiding the head-of-line blocking that occurs in a single TCP connection. Every QUIC segment has a 64-bit globally unique identifier (GUID). This information is used in mobility management to identify a session after transition to a new network interface. QUIC provides secure transport functionalities equivalent to the TLS, including encryption of all segments. However, replay and denial of service attacks may be applicable in some situations [21].
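The DTLS Heartbeat and QUIC passages above share one defensive idea: the session is found by its connection identifier, and a new source address is bound only after it echoes a fresh nonce. The following is an added example, not code from the paper or from any of the cited protocols; the HMAC packet framing, the field names and the `2001:db8::` addresses are assumptions made for this example.

```python
import hashlib
import hmac
import os

def seal(key, conn_id, seq, payload):
    """Sender side: the tag covers connection ID, sequence number, payload."""
    msg = conn_id + seq.to_bytes(8, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()

class Server:
    """Sessions are looked up by connection ID, never by source address."""
    def __init__(self):
        self.sessions = {}

    def open_session(self, conn_id, key, addr):
        self.sessions[conn_id] = {"key": key, "addr": addr, "seq": -1, "probe": None}

    def on_packet(self, conn_id, src_addr, seq, payload, tag):
        s = self.sessions.get(conn_id)
        if s is None:
            return ("drop", "unknown connection")
        # The tag does not cover the source address, so authenticate the
        # packet first and treat the address as an unverified claim.
        if not hmac.compare_digest(seal(s["key"], conn_id, seq, payload), tag):
            return ("drop", "bad tag")
        if seq <= s["seq"]:
            return ("drop", "replay")
        s["seq"] = seq
        if src_addr == s["addr"]:
            return ("deliver", payload)
        if s["probe"] == (src_addr, payload):
            # The fresh nonce came back from the candidate address: rebind.
            s["addr"], s["probe"] = src_addr, None
            return ("migrated", src_addr)
        # Unverified address: keep the old binding, challenge the new one.
        nonce = os.urandom(16)
        s["probe"] = (src_addr, nonce)
        return ("challenge", nonce)

def demo():
    """Constructed handover: traffic from the old address, then a move."""
    key, cid = os.urandom(32), b"\x01" * 8
    old, new = ("2001:db8:1::10", 4000), ("2001:db8:2::10", 4000)
    srv = Server()
    srv.open_session(cid, key, old)
    send = lambda a, q, p: srv.on_packet(cid, a, q, p, seal(key, cid, q, p))
    steps = [send(old, 0, b"data"), send(new, 1, b"data")]
    steps.append(send(new, 2, steps[1][1]))  # echo the challenge nonce
    return [action for action, _ in steps]
```

A replayed packet is dropped by the sequence check, and a host that merely forwards a fresh packet from another address cannot complete the rebinding because the echo must carry a valid tag.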

A secure channel is established between the mobile node and the mobile anchor by using the IPsec. IKEv2 (Internet Key Exchange version 2) provides a mechanism for mutual authentication and establishment of a Security Association (SA) for the IPsec. The SA is bound to the IP addresses of the IPsec endpoints. When the MN changes its IP address because of mobility, a lengthy and expensive rekeying of the IKE SA must occur. The IKEv2 Mobility and Multihoming (MOBIKE) is defined as an extension to the existing IKEv2 protocol to provide secure mobility. The MOBIKE [22] offers a solution to the problem by decoupling the SA identity from the MN’s location (IP address). In addition, the MOBIKE provides multihoming features to allow traffic movement between different network interfaces.

Complex and expensive operations in the IPsec established between the MN and the HA can be replaced by TLS as recommended in [23]. A Home Agent Controller (HAC) located between the MN and the HA can relieve the burdens levied on the MN by IPsec operations and management. The roles and functions of the HAC are less useful to the MN in the DMM than in the CMM because the HA is already close enough to the MN in the DMM. The DMM has shifted the functions of the HA onto the access router. In such situations, link-layer security alone can protect traffic between the MN and the HA.

A Protocol for carrying Authentication for Network Access (PANA) [24] is a UDP/IP-based network access protocol, offering a unified authentication method transparent to the diverse underlying communication technologies. As the MA moved close to the AR, the PANA can be used as an authentication protocol between the MN and the HA. The Extensible Authentication Protocol (EAP) compensates for the PANA by specifying authentication and key agreement.

Handover keying (HOKEY) [25] is an effective handover keying protocol working with keying materials produced by the EAP. HOKEY was designed to enhance the EAP with method-independent fast re-authentication and low handover latencies.

7 Conclusion

This paper proposed an applicable security protocol for the BU in the host-based DMM. Because the BU in the considered host-based DMM simply inherits the security mechanism developed for the MIPv6, it has security weaknesses and its delay performance is inefficient. The proposed mechanism improves DMM security by having the two main entities of the BU share a secret token. This sharing occurs at the onset of a session. Later, when the MN enters a new network, the two main entities, the MN and the original AMA, mutually confirm session ownership by checking the value of the token. Thorough analysis and empirical evaluation in both a laboratory and a live network setting confirm that the proposed protocol outperforms the incumbent BU in the host-based DMM.

Finally, we believe that there are several aspects that still need to be investigated to improve the delay response associated with the BU. We plan to expand the experiments in this study to diverse service usages to assess how the system performs in different environments. Further, our proposed mechanism could be extended to make use of more advanced access networks, such as the Tactile Internet.

Acknowledgements This work was supported by Institute for Information and communications Technology Promotion (IITP) grant funded by the Korea government (MSIT) (No. 2017-0-01861, Research on the security of operating system).

References

1. Simsek, M., et al. (2016). 5G-enabled Tactile Internet. IEEE Journal of Selected Areas in Communications, 34(3), 460–473.
2. Maier, M., et al. (2016). The Tactile Internet: vision, recent progress, and open challenges. IEEE Communications Magazine, 54(5), 138–145.
3. Perkins, C., Johnson, D., & Arkko, J. (2011). Mobility support in IPv6. IETF RFC 6275.
4. Gundavelli, S., et al. (2008). Proxy mobile IPv6. IETF RFC 5213.
5. Soliman, H. (2009). Mobile IPv6 support for dual stack hosts and routers. IETF RFC 5555.
6. Lee, J., et al. (2014). Mobile data offloading: A host-based distributed mobility management approach. IEEE Internet Computing, 18(01), 20–29.
7. Liu, D., et al. (2015). Distributed mobility management: Current practices and gap analysis. IETF RFC 7429.
8. Lee, J., et al. (2013). Distributed IP mobility management from the perspective of the IETF: Motivations, requirements, approaches, comparison, and challenges. IEEE Wireless Communications, 20(5), 159–168.
9. Dummit, D., Dummit, E., & Kisilevsky, H. (2016). Characterizations of quadratic, cubic, and quartic residue matrices. Journal of Number Theory, 168, 167–179.
10. Elia, M., Piva, M., & Schipani, D. (2015). The Rabin cryptosystem revisited. Applicable Algebra in Engineering, Communication and Computing, 26(3), 251–275.
11. Crypto++ Library 5.6.3. http://www.cryptopp.com/.
12. Chuang, M., Lee, J., & Chen, M. (2013). SPAM: A secure password authentication mechanism for seamless handover in proxy mobile IPv6 networks. IEEE Systems Journal, 7(1), 102–113.
13. Lee, J. (2016). Secure authentication with dynamic tunneling in distributed IP mobility management. IEEE Wireless Communications, 23(5), 38–43.
14. Rossi, A., Pierre, S., & Krishnan, S. (2013). Secure route optimization for MIPv6 using enhanced CGA and DNSSEC. IEEE Systems Journal, 7(3), 351–362.
15. Snoeren, A., & Balakrishnan, H. (2000). An end-to-end approach to host mobility. In Proceedings of ACM/IEEE international conference on mobile computing and networking (MobiCom).
16. Aura, T., et al. (2004). Effects of mobility and multihoming on transport-protocol security. In Proceedings of IEEE symposium security and privacy.
17. Seggelmann, R., et al. (2012). DTLS mobility. In Proceedings of international conference of distributed computing and networking (ICDCN), pp. 443–457, Hong Kong, China.
18. Moskowitz, R., et al. (2008). Host identity protocol. IETF RFC 5201.
19. Raiciu, C., et al. (2011). Opportunistic mobility with multipath TCP. In Proceedings of the sixth international workshop on MobiArch, pp. 7–12, Bethesda, USA.
20. Jadin, M., et al. (2017). Securing multipath TCP: Design and implementation. In Proceedings of IEEE international conference on computer communications (INFOCOM), Atlanta, USA.
21. Cui, Y., et al. (2017). Innovating transport with QUIC: Design approaches and research challenges. IEEE Internet Computing, 21(2), 72–76.
22. Eronen, P., et al. (2006). IKEv2 mobility and multihoming (MOBIKE) protocol. IETF RFC 4621.
23. Korhonen, J., et al. (2012). Mobile IPv6 security framework using transport layer security for communication between the mobile node and home agent. IETF RFC 6618.
24. Forsberg, D., et al. (2008). Protocol for carrying authentication for network access (PANA). IETF RFC 5191.
25. Zorn, G., et al. (2012). Handover Keying (HOKEY) architecture design. IETF RFC 6697.

Seyeong Lee received a master’s degree in IT convergence from Sungkyunkwan University, South Korea in 2016. He is a software engineer at Samsung Electronics. His research interests include network and android security.

Hyoung-Kee Choi received a Ph.D. degree in electrical and computer engineering from Georgia Institute of Technology, USA, in 2001. He is a professor in Department of Computer Science and Engineering, Sungkyunkwan University, South Korea. He joined Lancope in 2001 and remained until 2004, where he guided and contributed to research in Internet security. His research interests include network security and vulnerability assessment.


Ejin Kim is a master’s degree student in electronic, electrical and computer engineering at Sungkyunkwan University, South Korea. She received her bachelor’s degree in information security from Seoul Women’s University, South Korea in 2016. Her research interests include authentication, Internet mobility management and reverse engineering.

Jong-Hyouk Lee received a Ph.D. degree in Computer Engineering at Sungkyunkwan University, South Korea in 2010. In 2009, he joined the project team IMARA at INRIA, where he undertook the protocol design and implementation for IPv6 vehicular (ITS) communication and security. Dr. Lee started his academic profession at the Network, Security, and Multimedia (RSM) Department of TELECOM Bretagne, France in 2012 as an Assistant Professor. In September 2013, he moved to Sangmyung University, Republic of Korea. He has been involved in standardization activities at the ISO TC204 WG16, ETSI TC ITS, and IETF. He twice received Excellent Research Awards from the School of Information and Communication Engineering, Sungkyunkwan University. Dr. Lee won the Best Paper Award at the IEEE WiMob 2012 and received the 2015 Best Land Transportation Paper Award from the IEEE Vehicular Technology Society. He was a tutorial speaker at the IEEE WCNC 2013, IEEE VTC 2014 Spring, and IEEE ICC 2016. In November 2014, he was selected as the Young Researcher of the month. He is a senior member of the IEEE. He is an associate editor of Wiley Security and Communication Networks, IEEE Transactions on Consumer Electronics, IEEE Consumer Electronics Magazine, and Springer Annals of Telecommunications. His research interests include malware, vulnerability exploitation, authentication, privacy, mobility management, and protocol analysis.
