Bootstrapping MIP6 Using DNS and IKEv2 (BMIP)

Bootstrapping MIP6 Using DNS and IKEv2 (BMIP). James Kempf, Samita Chakrabarti, Erik Nordmark. draft-chakrabarti-mip6-bmip-01.txt. Monday March 7, 2005.

Transcript of Bootstrapping MIP6 Using DNS and IKEv2 (BMIP)

Page 1: Bootstrapping MIP6 Using DNS and IKEv2 (BMIP)

Bootstrapping MIP6 Using DNS and IKEv2 (BMIP)

James Kempf
Samita Chakrabarti
Erik Nordmark

draft-chakrabarti-mip6-bmip-01.txt

Monday March 7, 2005

Page 2: Bootstrapping MIP6 Using DNS and IKEv2 (BMIP)

Motivation

• Support deployments in which Home Network Access Provider and Mobility Service Provider are different providers

• Support deployments with a loose trust relationship between Serving Network Access Provider and Mobility Service Provider

• Examples:
– Enterprise networks
– Hotspots with non-AAA-based network entry authorization
  • Maybe 90% of WLAN public access deployments in the US?
– Future deployment possibilities
– Infrastructureless deployments

Page 3: Bootstrapping MIP6 Using DNS and IKEv2 (BMIP)

Example: Universal Access Method (UAM)

[Diagram: Mobile Node on the Access Network (AP, AR, Border Router) reaching the Internet through the PAC. Message flow shown:]

– Terminal initiates HTTP GET
– PAC sends Redirect to Login Page
– HTTP PUT sends credentials to PAC
– PAC relays credentials to credit card provider
– Credit card provider sends authz decision to PAC
– Authorization Decision!
– Internet Access! Original page displayed

AP: Access Point
PAC: Public Access Control Gateway

Page 4: Bootstrapping MIP6 Using DNS and IKEv2 (BMIP)

Basic Problems Addressed

• No AAA “hook” during network access authentication to provision the Mobile Node with the Home Agent address and mobility service authorization credentials
– EAP solutions such as draft-giaretta-mip6-authorization require AAA during network access authentication

• Tight trust lacking between Mobility Service Provider and Access Service Provider
– DHCP solutions such as draft-ohba-mip6-boot require very high trust between networks for roaming support

• Home Network Access Service Provider uses AAA but is not also a Mobility Service Provider

Page 5: Bootstrapping MIP6 Using DNS and IKEv2 (BMIP)

What the Mobile Node Starts With

• A connection to the Internet on the serving (local) network, authenticated and authorized (or not) through any means, e.g. 802.1x, PANA, etc.

• The domain name of the Mobility Service Provider

• Credentials to allow Home Agent IKEv2 to authenticate and authorize for mobility service
– NAI or similar non-topological identity
– Certificate or preshared key if IKEv2 auth/authz done with certificate or preshared key
– User name/password or other credentials if IKEv2 auth/authz done using EAP

• Optional: certificate for Home Agent if not available during DNS or IKE transaction

Page 6: Bootstrapping MIP6 Using DNS and IKEv2 (BMIP)

The Protocol

[Diagram: Mobile Node on the Access Network (AP, AR, Border Router) and a Local DNS Server, connected across the Internet to the Mobility Service Provider network (Border Router, MSP DNS Server, MIP6 HA). Message flow shown:]

– DNS SRV Rqst: mip6 ipv6 (Mobile Node to Local DNS Server)
– DNS SRV Rqst forwarded to MSP DNS Server (if not cached)
– DNS SRV Rply: HA Address
– IKEv2 + EAP if required (Mobile Node to MIP6 HA)
– ESP + MIP6 BU!
– Terminal now has Home Address and IPsec SAs
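The DNS step of the flow above, as an added example that is not code from the BMIP draft: given the SRV answer for the MSP domain, the Mobile Node orders candidate Home Agents by RFC 2782 priority and weight and resolves each target to the address it will open IKEv2 against. The `_mip6._ipv6` owner-name label is an assumption (the slide only shows "mip6 ipv6"), and the records are constructed sample data.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower value is tried first (RFC 2782)
    weight: int    # relative share among records of equal priority
    port: int      # UDP port the Home Agent's IKEv2 listens on
    target: str    # DNS name of a Home Agent

# Constructed answer for a hypothetical MSP zone (sample data, not a real zone).
SAMPLE_SRV = [
    SrvRecord(10, 60, 500, "ha1.msp.example."),
    SrvRecord(10, 40, 500, "ha2.msp.example."),
    SrvRecord(20, 0, 500, "ha-backup.msp.example."),
]
# Constructed AAAA records for the SRV targets.
SAMPLE_AAAA = {
    "ha1.msp.example.": "2001:db8:1::1",
    "ha2.msp.example.": "2001:db8:1::2",
    "ha-backup.msp.example.": "2001:db8:2::1",
}

def srv_name(msp_domain: str) -> str:
    """Owner name the Mobile Node queries; the _mip6._ipv6 label is an assumption."""
    return "_mip6._ipv6." + msp_domain.rstrip(".") + "."

def order_srv(records, rng=random.random):
    """RFC 2782 ordering: ascending priority, weighted-random draw within a priority."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:            # only weight-0 records left: keep zone order
                ordered.extend(pool)
                break
            pick, acc = rng() * total, 0
            for r in pool:            # walk cumulative weights until the draw lands
                acc += r.weight
                if pick < acc:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered

def home_agent_candidates(srv_records, aaaa, rng=random.random):
    """(HA address, port) pairs in the order the Mobile Node would attempt IKEv2."""
    return [(aaaa[r.target], r.port) for r in order_srv(srv_records, rng) if r.target in aaaa]
```

Passing a fixed `rng` makes the weighted draw deterministic, which is how the ordering can be checked; a real resolver would also verify the DNSSEC status of the answer before trusting the address (slide 7).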

Page 7: Bootstrapping MIP6 Using DNS and IKEv2 (BMIP)

Security of BMIP Protocol

• Replay protection provided by message identity code in DNS – RFC 1035

• Server to host data integrity and origination authentication provided by DNSSEC – RFC 2535
– DNSSEC is not today widely deployed, but then neither is MIP6
– For future DNS security, DNSSEC should be deployed

Page 8: Bootstrapping MIP6 Using DNS and IKEv2 (BMIP)

Security of Home Agent Address

• Host to server authorization can be done by using DNS TSIG – RFC 2845
– Upside
  • Only authorized hosts can get the address
– Downside
  • Requires MSP DNS server to perform auth on SRV Rqst in real time (i.e. no caching)
  • Address is unencrypted in transit so it can be intercepted by MiTM

• Confidentiality protection can be provided by encrypting the address before inserting into DNS
– Anybody can get the record, only authorized users with keys can decrypt
– Draft in preparation for DNSEXT

Assumption: These measures assume some utility to “hiding” the address in the first place, presumably to prevent DoS

Page 9: Bootstrapping MIP6 Using DNS and IKEv2 (BMIP)

DoS Attack on the Home Agent Address

• Address is in public DNS, anybody could snatch it!
• IKEv2 contains measures to slow down an attacker if they should get it

But...
• DoS is a problem with any solution (including manual configuration) that exposes the Home Agent address to users on the Internet
– User goes rogue
– Someone steals the address from a legitimate user
– Distributed worm probing attack discovers the Home Agent

Bottom line: “Hiding” the address from unauthorized users only makes launching a DoS attack a little harder

Page 10: Bootstrapping MIP6 Using DNS and IKEv2 (BMIP)

Realistic DoS Mitigation Measures

• Overprovisioning
– Network connections and Home Agent server capacity are enough to handle any conceivable load

• Change Home Agent addresses aperiodically
– Especially if someone suspicious has their account revoked

• Provision Home Agents with:
– Few users, to avoid inconveniencing lots of users when an attack occurs
– Topologically widely separated subnets, to slow worm probing attacks

Page 11: Bootstrapping MIP6 Using DNS and IKEv2 (BMIP)

Questions/Comments?