Protection of Binding Update Message in Mobile IPv6

Hero ModaresDepartment of Computer system and Technology University of Malaya Kuala Lumpur, Malaysia

Hero.modares@siswa.um.edu.my

Hassan Keshavarz Department of Computer system and Technology University of Malaya Kuala Lumpur, Malaysia

keshavarz_hassan@siswa.um.edu.my

Amirhossein Moravejosharieh Department of Computer system and Technology University of Malaya Kuala Lumpur, Malaysia

amirhosein.moravej@siswa.um.edu.my

Rosli Salleh Department of Computer system and Technology University of Malaya Kuala Lumpur, Malaysia

rosli_salleh@um.edu.my

Abstract— Mobile Nodes (MN) in Mobile IPv6 (MIPv6) are given the opportunity to eliminate triangle routing that is inefficient with their own corresponding node (CN) using Route Optimisation (RO). This greatly improves the performance of the network. Unfortunately, using this method allows several security vulnerabilities to manifest itself with the MIPv6. Among those, common issues are those concerns the verification of authenticity and authorisation of Binding Updates during the process of RO. These types of unauthenticated and unauthorised BUs are the key to various types of malicious attacks. Since it is expected that MIPv6 will be supported by IPv6, several mechanism to ensure BU security will be crucial in the next generation Internet. This article focuses on Mobile IPv6 and security considerations.

Keywords- mobile IPv6; mobile networking; network security; Internet Key Exchange protocol; EAP.

I. INTRODUCTION (HEADING 1)The way MIPv6 operates can be seen in Figure 1 [1],

with 3 node types, namely the Home Agent (HA), Mobile Node (MN) and the Corresponding Node (CN) [2], while MN’s mobility is detected by a router advertisement message including an MN able to make a router send its advertisement message by request, if needed. Following mobility detection, the MN gets a CoA unlike in MIPv4, after which it sends the BU message to the HA and the communicated corresponding node (a node wishing to connect to, or is communicating with MN). The HA and corresponding node update the binding list and send acknowledgement messages [1], meaning that the Mobile IPv6 allows an MN to alter its attachment point to the internet while maintaining established communications [3].

This paper presents an analysis of both Route Optimisation (RO) and Identity Based Encryption (IBE) protocol with proposal to strengthen the level of security of a BU method. This method uses the public key to create an authentication that is stronger.

II. IBE AUTHENTICATION BETWEEN A MOBILE NODE AND ITS HOME AGENT

Mutual authentication between an MN and its HA is mandatory in MIPv6, and usually performed with IPSec and IKE, while session key generation and authentication are done with IKE. Using X.509 certificates in IKE is the existing method of performing these tasks.

Figure 1. The way MIPv6 operates.

1. The MN moves to a foreign network and obtains a new CoA.

2. MN carries out a BU on its HA (where the new CoA is registered). HA sends a binding acknowledgement to MN.

3. A Correspondent Node (CN) tries to contact MN, with HA intercepting packets destined to MN.

4. Next, HA tunnels all packets from CN to MN using MN's CoA.

2012 UKSim-AMSS 6th European Modelling Symposium

978-0-7695-4926-2/12 $26.00 © 2012 IEEE

DOI 10.1109/EMS.2012.54

409

2012 UKSim-AMSS 6th European Modelling Symposium

978-0-7695-4926-2/12 $26.00 © 2012 IEEE

DOI 10.1109/EMS.2012.54

410

2012 UKSim-AMSS 6th European Modelling Symposium

978-0-7695-4926-2/12 $26.00 © 2012 IEEE

DOI 10.1109/EMS.2012.54

444

5. When MN replies to the CN, it may use its current CoA (and bind to the CN) and communicate with the CN directly (“route optimization”), or it could tunnel all its packets through the HA.

Sometimes MN and HA share a common secret, possibly occurring in WLAN instances when MN shifts to another WLAN which requires authentication [4]. If there are no shared secrets, extending the IKEv2 authentication process to identity-based authentication as opposed to X.509-based authentication certificates is usual. It can also be assumed that both MN and HA use the same PKG, and according to the relationship between these three entities, any trust level from I to III may be applied during private key delivery. Regarding IKE, two main methods of implementing IBE exist, the first of which involves modifying IKE’s four-way handshake while the second utilizes EAP to generate a new IBE-based EAP authentication method [4].

A. Modifying IKE IKE could implement IBE through the addition of a

third authentication method, other than the previous shared secret and X.509 authentication. Instead of X.509 certificates, IKE also uses “IBE certificates”. IBE-based authentication functions fundamentally the same as X.509 authentication, in that to authenticate peers the same information block should be signed as in the X.509-based authentication, in addition to a signature based on IBE (i.e. the Hess signature). Currently, identities are replacing certificates and revocation lists do not need to be checked. Ehmke (2007) implemented a prototype which can realize this idea. Performance wise, clearly transmit certificates or certificate requests are no longer necessary since the IKE identity can be used straight as the public key for authentication. Also, expensive certificate-chain checking is redundant while elliptic curve cryptography-based hardware- accelerated IBE algorithms are sometimes quite efficient, particularly in embedded devices [4].

B. Extensible Authentication Protocol Several wireless networks utilize the Extensible

Authentication Protocol (EAP) [5] for access authentication. EAP techniques commonly deal with AAA servers which affect the required authentications, after which notifications are relayed back to a functional module (Network Access Server) in the access network. For Mobile IPv6 [6], the Binding Authentication Data option [7] helps enable different authentication techniques, while a subtype exists for AAA- based authentication like EAP. On the other hand, there still are EAP methods requiring extra handling and specifications which present Binding Authentication Data option documentation does not provide. Currently, specification from this document is for at least some very widely deployed EAP methods, so, often, when EAP is needed, Mobile IPv6 tunnel redirection to a wireless device’s new CoA can be done much faster [8-10].

C. Using Extensible Authentication Protocol Figure 2 illustrates possible steps in EAP

implementation. It is advisable to use EAP as part when establishing a concurrent shared key to be used in the final two message exchanges leading to authentication [4]. Chen and Kudla’s key agreement with IBE technique is one alternative protocol (protocol 2’ in [11]) that can function in the absence of a key escrow, so CERTREQ and CERT messages in steps 2, 3, 4 are not necessary (Figure. 2). Figure 3 illustrates the resulting IKE Initial Message exchange.

1. I � R: HDR, SAi1, KEi, Ni2. R � I: HDR, SAr1, KEr, Nr, [CERTREQ]3. I � R: HDR, ESK{IDi,[CERTREQ,][IDr,]SAi2,TSi,TSr}4. R � I: HDR, ESK{IDr,[CERT,]AUTH,EAP}5. I � R: HDR, ESK{EAP}6. R � I: HDR, ESK{EAP}.. ... ...n. R � I: HDR, ESK{EAP(success)}n+1. I � R: HDR, ESK{AUTH}

n+2. R � I: HDR, ESK{AUTH,SAr2,TSi,TSr}

Figure 2. IKE Initial Message Exchange: Authentication using EAP [12].

Here, the same PKG is shared by MN and HA, where P is a public PKG parameter, and HA and MN choose the random numbers a and b, respectively. The Chen-Kudla protocol produces a session key solely for message 7 and 8 authentication. The AUTH payloads have to authenticate messages 3 and 4 based on MAC and a secret key generated by an EAP protocol [11].

1. MN � HA: HDR, SAMN1, KEMN, NMN2. HA � MN: HDR, SAHA1, KEHA, NHA3. MN � HA: HDR, ESK{IDMN,[IDHA,]SAMN2,TSMN,TSHA}4. HA � MN: HDR, ESK{IDHA,AUTH,EAP�CK�Req(a·P,a·QHA)}5. MN � HA: HDR, ESK{EAP�CK�Res(b·P,b·QMN)}6. HA � MN: HDR, ESK{EAP(success)}7. MN � HA: HDR, ESK{AUTH}8. HA � MN: HDR, ESK{AUTH,SAHA2,TSMN,TSHA}

Figure 3. IKE Initial Message Exchange: Authentication using EAP with IBE [12].

But since IBE uses PKG, it is almost impossible to guess which MN will be communicated by the CN. We cannot simply assume the same PKG is used by both MN and CN. Multi-PKG is used instead but it is not recommended for larger networks.

III. AUTHENTICATION BETWEEN A MOBILE NODE AND CORRESPONDING NODE

Via the MIPv6 protocol, MN can keep its network connection even when the network attachment modifies [13]. An MN can be reached at its home address (HA) anytime, even when not physically in its home network. When an MN is connected to a foreign network it obtains a CoA from the local router through stateless or stateful autoconfiguration. Next, for home regis tra t ion , the MN sends HA its current location information (CoA) in a BU message, then HA can redirect and tunnel packets intended

410411445

for the MN’s home address, to the MN’s CoA. When a foreign network MN is in contact with a CN (a stationary or mobile peer communicating with a MN) through the HA, bidirectional tunnelling takes place for instances when CN is not bound to the MN (registration is in progress) or MIPv6 is not supported by CN [4].

If the CN supports MIPv6, a more effective mobile routing technique, Route Optimization (RO), can be used. RO is effective as it provides the most direct, shortest path of transmitting messages between an MN and a CN, eliminating the need for packets to pass through the HA, and avoiding triangular routing (bidirectional tunnelling). Prior to setting up RO, the MN must send CN a BU packet containing its CoA with present location data. On the other hand, security risks with RO [14] can be for example that an MN may send CN a false BU packet and redirect the communication stream to a desired location, resulting in a Denial-of-Service (DoS) attack. Thus, for increased security, it is important to authenticate BUs in RO [4] [15].

What happens between a CN and MN is not the same as between an MN and its HA. Since CN could be any node, MN and CN have no shared secrets or trusted certificates. Thus, Return Routability (RR) can be used, as:

• An MN sends CN a home test init (HoTi) and care-of test init (CoTi). HoTi is sent directly through the HA and CoTi. HoTi has the home address and CoTi has the CoA as source addresses, both including a cookie.

• Upon receiving either HoTi or CoTi message, CN immediately answers with a home test (HoT) and care- of test (CoT) message which gets sent to the respective source address. Each reply contains the cookie recovered from the nonce indenx, corresponding init message, and a keygen token, later for BU authentication use.

When MN receives HoT and CoT, RR is done. Only MN can receive packets sent to both its HA and CoA, and can now hash the two tokens to calculate the binding key. This key is utilized for generating a Message Authentication Code (MAC) for BUs, and MAC can be verified by CN. RR provides an analysis of a node's reach-ability during authentication but do not validate address ownership in IPv6.

IV. SECURITY ANALYSIS IN MIPV6 Providing security against different types of malicious

attacks e.g. denial of service (DoS), connection hijacking, man- in-the-middle and impersonation, are the basic objectives for the development of IPv6. The objective of improved security is to create routing changes that are safe against all threats. Threats are based on the routing changes that provides mobility in the network. Threats faced by Mobile IPv6 security can be divided into different categories:

�� Binding update (BU) to HA type threats �� Route Optimisation to CN type threats �� Threats that attack the tunnelling process between

HA and MN

�� Threats that uses Mobile IPv6 routing header to return traffic of other nodes

Binding update and route optimisation threats are related to authentication of binding messages. Communication between MN and HA needs trust and communication authentication. This is because MN agrees to implement the HA services therefore relationship between the two must first be secure. However, the CN and MN does not have prior relationship but authenticating messages between the two is still possible. For example, this is possible by authenticating the public key. If a malicious packet is sent to the HA using the same source address as the MN, the HA will then forward the packet containing the MN's source address contained in the malicious node. However, this DoS attack can be prevented by using an algorithm to verify the BU message receives by the HA. Such threat can also be avoided when a new routing header is used to replaces the incorrect header that manoeuvres around firewall rules and obtaining a constrained address [16, 17].

V. PROPOSED METHOD TO PROTECT BINDING UPDATE MESSAGE

Once the BU message is complete, the MN will receive normal traffic from the CN with the new CoA. The CN with the new nonce sends to the MN a Binding Update Verification (BUV) within a specific time frame e.g. 10 seconds. The MN then needs to reply within 10 seconds otherwise the connection between MN and CN will be terminated. This method minimises any damages caused by bombing attacks where packets are sent to the MN by malicious nodes. Cryptography Generated Address (CGA) can also be use to make spoofing type attacks more harder. Private keys can be use to signed the message as well. Since redirection attacks requires both public and private keys to perform[18-20]. Possible threats and solution is listed in table 1 [4, 17].

VI. CONCLUSION The requirement for Mobile IPv6 is still not complete

considering there are some essential issues that are not addressed. One of the most important issues are protocol security because without secure protection against attacks, the protocol would not be accepted thus will not work at all. Presently, the standard method use for BU protection in transport mode as well as securing the connection for control message sent during home registration method is the Encapsulation Security Payload (ESP). IPSec has several advantages over SSL/TLS which is IPSec can perform without IP restriction, any protocol can be encrypted and also encrypt any packets with just their IP headers. Unfortunately, IPSec needs to be configured with various settings thus making it complicated. The IKE protocol can control the mutual authentication and cryptographic algorithm negotiations as well as dynamic key management. Additionally, authentication method such as shared secret, Extensible Authentication Protocol (EAP)

411412446

or X.509 certificates can be use to create safe communication between peers.

ACKNOWLEDGMENT

This work was supported in part by the University of Malaya, Kuala Lumpur Malaysia under UMRG Grant (RG080/11ICT).

REFERENCES [1] Y. Jung, et al., "Comparative Evaluation of TCP Performances on

MIPv4 and MIPv6 Protocols in Mobile Mesh Networks," 2007, pp. 1-9.

[2] H. Wang, et al., "Performance testing of Mobile IPv6 protocol," 2008, pp. 772-779.

[3] M. S. S. Henry and V. S. Kumar, "A Review on Protocol Verification in Mobile Internet Protocol Version 4 and 6," 2011, p. 60.

[4] M. Ehmke, et al., "Securing Control Signaling in Mobile IPv6 with Identity-Based Encryption," Issues in Informing Science and Information Technology, vol. 6, 2009.

[5] B. Aboba, et al., "Extensible authentication protocol (EAP)," 2004. [6] C. Perkins and D. Johnson, "J. Arkko," Mobility Support in

IPv6," RFC 6275, July2011. [7] A. Patel, et al., "Authentication Protocol for Mobile IPv6," draft-

patel-mip6-rfc4285bis-00 (work in progress), 2006. [8] B. Patil and C. E. Perkins, "Optimizing IP Mobility Authentication

with EAP," 2011. [9] D. Kroeselberg, et al., "Transport Layer Security- based Mobile

IPv6 Security Framework for Mobile Node to Home Agent Communication," Transport, 2011.

[10] D. Premec, et al., "Problems with the use of IPsec as the security protocol for Mobile IPv6," 2011.

[11] L. Chen and C. Kudla, "Identity based authenticated key agreement protocols from pairings," 2003, pp. 219-233.

[12] C. Kaufman, "Internet key exchange (IKEv2) protocol," 2005. [13] D. Johnson, et al., "Mobility support in IPv6," 2004. [14] [14] P. Nikander, et al., "Mobile IP version 6 route optimization

security design background," draft-ietf- mip6-ro-sec-03 (work in progress), 2005.

[15] D. Kavitha, et al., "Securing Binding Updates in Routing Optimizaton of Mobile IPv6," ICGST-CNIR Journal, vol. 10, 2010.

[16] T. Koskiahde, "Security in Mobile IPv6," Tampere University of Technology, 2002.

[17] A. Moravejosharieh, et al., "Overview of Mobile IPv6 Security," 2012, pp. 584-587.

[18] A. Encarnacao and G. Bayer, "Mobile IPv6 Binding Update - Return Routability Procedure " 2008.

[19] T. G. o. t. H. K. S. A. Region, "IPv6 SECURITY " May 2011. [20] T. Scheffler, "Security Achitectures for Mobile IPv6 " presented at

the Euro6IX/6NET Workshop Limerick, Ireland 2002.

412413447