Mobile IP Survey
Transcript of Mobile IP Survey
Mobile IP: Security Threats
BY: G. CHANDRASEKHAR & GAURAV SHEKHAR, PG-DESD,
CDAC, HYDERABAD.
Mobile IP Entities
● Mobile Node (MN)
  ● The entity that may change its point of attachment from network to network in the Internet
    – Detects it has moved and registers with the “best” FA
  ● Assigned a permanent IP called its home address, to which other hosts send packets regardless of the MN’s location
    – Since this IP doesn’t change, it can be used by long-lived applications as the MN’s location changes
● Home Agent (HA)
  ● This is a router with additional functionality
  ● Located on the home network of the MN
  ● Does mobility binding of the MN’s IP with its COA
  ● Forwards packets to the appropriate network when the MN is away
    – Does this through encapsulation
Mobile IP Entities
● Foreign Agent (FA)
  ● Another router with enhanced functionality
  ● If the MN is away from its HA, then it uses an FA to send/receive data to/from the HA
  ● Advertises itself periodically
  ● Forwards the MN’s registration request
  ● Decapsulates messages for delivery to the MN
● Care-of Address (COA)
  ● Address which identifies the MN’s current location
  ● Sent by the FA to the HA when the MN attaches
  ● Usually the IP address of the FA
● Correspondent Node (CN)
  ● End host with which the MN is corresponding (e.g. a web server)
Mobile IP Support Services
● Agent Discovery
  ● HAs and FAs broadcast their presence on each network to which they are attached
    – Beacon messages via ICMP Router Discovery Protocol (IRDP)
  ● MNs listen for advertisements and then initiate registration
● Registration
  ● When the MN is away, it registers its COA with its HA
    – Typically through the FA with the strongest signal
  ● Registration control messages are sent via UDP to a well-known port
● Encapsulation – just like standard IP, only with the COA as the outer destination
● Decapsulation – again, just like standard IP
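The encapsulation and decapsulation steps above are what the HA and FA actually do to each packet. The following is an added example (not code from the slides or from any Mobile IP implementation) of IP-in-IP tunnelling as a home agent and foreign agent would perform it: the HA wraps the intercepted packet in an outer IPv4 header whose destination is the COA and whose protocol field is 4 (IP-in-IP), and the FA strips that header, verifying the header checksum and that the inner destination is a mobile node it serves. The addresses, the UDP payload and the simplification to option-free 20-byte headers are constructed for the example.

```python
import socket
import struct

IPPROTO_IPIP = 4  # protocol number in the outer header for IP-in-IP encapsulation


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum over 16-bit words (pads an odd tail byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    total_len = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes) -> dict:
    """Parse and validate the leading IPv4 header; raise on malformed or corrupted input."""
    if len(pkt) < 20:
        raise ValueError("packet too short for an IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl or total_len > len(pkt):
        raise ValueError("not a valid IPv4 header")
    # Summing the header with its checksum field included yields 0 only when intact.
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ihl": ihl, "total_len": total_len}


def encapsulate(inner_pkt: bytes, home_agent: str, coa: str) -> bytes:
    """HA side: tunnel a packet intercepted for the MN's home address to its COA."""
    outer = build_ipv4_header(home_agent, coa, IPPROTO_IPIP, len(inner_pkt))
    return outer + inner_pkt


def decapsulate(tunneled: bytes, home_address: str) -> bytes:
    """FA side: strip the outer header, accepting only IP-in-IP and only packets
    whose inner destination is the registered mobile node (constructed check)."""
    outer = parse_ipv4_header(tunneled)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer header is not IP-in-IP")
    inner_pkt = tunneled[outer["ihl"]:outer["total_len"]]
    inner = parse_ipv4_header(inner_pkt)
    if inner["dst"] != home_address:
        raise ValueError("inner destination is not a registered mobile node")
    return inner_pkt


def build_sample_packet() -> bytes:
    """Constructed packet from a correspondent node to the MN's home address (UDP, proto 17)."""
    payload = b"hello"
    return build_ipv4_header("198.51.100.7", "192.0.2.10", 17, len(payload)) + payload


if __name__ == "__main__":
    inner = build_sample_packet()
    tunnel = encapsulate(inner, home_agent="192.0.2.1", coa="203.0.113.5")
    print(parse_ipv4_header(tunnel))
    print(decapsulate(tunnel, "192.0.2.10") == inner)
```

A real foreign agent would additionally pair the outer source address with the home agent recorded in the MN's registration, so that a tunnel from an unexpected source is not decapsulated onto the foreign link.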
Mobile IP Operation
● A MN listens for agent advertisements and then initiates registration
● If the responding agent is the HA, then Mobile IP is not necessary
● After receiving the registration request from a MN, the HA acknowledges and registration is complete
● Registration happens as often as the MN changes networks
● The HA intercepts all packets destined for the MN
  ● This is simple unless the sending application is on or near the same network as the MN
● The HA masquerades as the MN
● There is a specific lifetime for service before a MN must re-register
● There is also a de-registration process with the HA if an MN returns home
Registration Process
How is Mobile IP Deployed?
● All hosts are wholly owned by the enterprise
● Each router performs both home agent and foreign agent functionality:
Mobile IP Summary
● Allows node mobility across media of similar or dissimilar types
● Uses the Mobile Node’s permanent home address when it changes its point of attachment to the Internet
● Does not require any hardware or software upgrades to the existing, installed base of IPv4 hosts and routers – other than those nodes specifically involved in the provision of mobility services
● The Mobile Node must provide strong authentication when it informs its Home Agent of its current location
● Uses tunneling to deliver packets that are destined to the Mobile Node’s home address
● 3 main entities: Mobile Nodes, Foreign Agents and Home Agents
● 3 basic functions: Agent Discovery, Registration, Packet Routing
Security Issues:
● Insider Attack
● Mobile Node Denial-of-Service
● Replay Attacks
● Theft of Information: Passive Eavesdropping
● Theft of Information: Session-Stealing (Takeover) Attack
● Tunnel spoofing
Insider Attacks
● Usually involve a disgruntled employee gaining access to sensitive data and then forwarding it to a competitor
● Enforce strict control over who can access what data
● Use strong authentication of users and computers
● Encrypt all data transfer on an end-to-end basis between the ultimate source and ultimate destination machines to prevent eavesdropping
Mobile Node Denial-of-Service
● An Attacker sends a tremendous number of packets to a host (e.g., a Web server) that brings the host’s CPU to its knees. In the meantime, no useful information can be exchanged with the host while it is processing all of the nuisance packets
● An Attacker somehow interferes with the packets that are flowing between two nodes on the network. Generally speaking, the Attacker must be on the path between the two nodes in order to wreak any such havoc
Denial-of-Service Attack
● An Attacker generates a bogus Registration Request specifying his own IP address as the care-of address for a mobile node. All packets sent by correspondent nodes would then be tunneled by the node’s home agent to the Attacker:
How Does Mobile IP Prevent this Denial-of-Service Attack?
● Note: in the case of mobility an Attacker could attack from anywhere in the network; it does not have to be “on the way”.
● Solution: require cryptographically strong authentication in all registration messages exchanged by a mobile node and its home agent.
● Mobile IP by default supports the MD5 Message-Digest Algorithm (RFC 1321), which provides secret-key authentication and integrity checking
Replay Attacks
● An Attacker could obtain a copy of a valid Registration Request, store it, and then “replay” it at a later time, thereby registering a bogus care-of address for the mobile node
● To prevent that, the Identification field is generated in such a way as to allow the home agent to determine what the next value should be
● In this way, the Attacker is thwarted because the Identification field in his stored Registration Request will be recognized as being out of date by the home agent (timestamps or random numbers are used for the Identification field)
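The two defences on the preceding slides, secret-key authentication of the Registration Request and a fresh Identification field, are what a home agent checks before it changes a mobility binding. The following is an added example written for this transcript (not code from the slides or from any Mobile IP implementation) of that home-agent-side check: the authenticator is a prefix+suffix keyed MD5, MD5(secret || request || secret), in the spirit of the MD5 secret-key authentication the slides mention; the Identification field is treated as a timestamp in seconds that must be close to the HA's clock and strictly newer than the last value accepted for that mobile node. The field layout, the clock-skew window, the addresses and the shared secret are all constructed for the example and are not the RFC wire format.

```python
import hashlib
import hmac

MAX_CLOCK_SKEW = 7  # seconds; assumed tolerance between the MN's and the HA's clocks


def encode_request(req: dict) -> bytes:
    """Serialise the fields the authenticator protects (simplified layout, not the wire format)."""
    return b"|".join(str(req[k]).encode() for k in
                     ("home_address", "home_agent", "coa", "lifetime", "identification"))


def authenticator(req: dict, secret: bytes) -> bytes:
    """Prefix+suffix keyed MD5 over the request, MD5(secret || fields || secret).
    A current deployment would use an HMAC; MD5 is shown because the slides name it."""
    return hashlib.md5(secret + encode_request(req) + secret).digest()


class HomeAgent:
    def __init__(self, secrets: dict, clock):
        self.secrets = secrets   # home address -> shared secret (provisioned out of band)
        self.last_id = {}        # home address -> last accepted Identification
        self.bindings = {}       # home address -> registered care-of address
        self.clock = clock       # injectable clock so the example is deterministic

    def handle_registration(self, req: dict, tag: bytes) -> str:
        secret = self.secrets.get(req["home_address"])
        if secret is None:
            return "rejected: unknown mobile node"
        # 1. Authentication: only a sender holding the shared secret can produce the tag,
        #    so a bogus request naming the Attacker's address as COA is dropped.
        if not hmac.compare_digest(authenticator(req, secret), tag):
            return "rejected: authentication failed"
        # 2. Replay protection: Identification must be fresh relative to our clock and
        #    strictly newer than the last value accepted for this mobile node.
        ident = req["identification"]
        if abs(ident - self.clock()) > MAX_CLOCK_SKEW:
            return "rejected: identification outside time window"
        if ident <= self.last_id.get(req["home_address"], -1):
            return "rejected: replayed registration"
        self.last_id[req["home_address"]] = ident
        self.bindings[req["home_address"]] = req["coa"]
        return "accepted"


def run_scenario() -> list:
    """Constructed traffic: a legitimate MN, an Attacker forging the COA, a replay, a renewal."""
    clock = [1000]
    mn_secret = b"constructed-shared-secret"
    ha = HomeAgent({"192.0.2.10": mn_secret}, lambda: clock[0])
    outcomes = []

    # Legitimate registration from the foreign link; the COA is the FA's address.
    legit = {"home_address": "192.0.2.10", "home_agent": "192.0.2.1",
             "coa": "203.0.113.5", "lifetime": 300, "identification": clock[0]}
    legit_tag = authenticator(legit, mn_secret)
    outcomes.append(ha.handle_registration(legit, legit_tag))

    # Bogus request naming another address as COA, signed without the real secret.
    forged = dict(legit, coa="198.51.100.66", identification=clock[0] + 1)
    outcomes.append(ha.handle_registration(forged, authenticator(forged, b"wrong-secret")))

    # The captured legitimate request replayed a few seconds later.
    clock[0] += 5
    outcomes.append(ha.handle_registration(legit, legit_tag))

    # The MN re-registers later with a fresh Identification; this is still accepted.
    clock[0] += 200
    renew = dict(legit, identification=clock[0])
    outcomes.append(ha.handle_registration(renew, authenticator(renew, mn_secret)))
    return outcomes


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```

The ordering matters: the authenticator is checked before the Identification field, so an unauthenticated sender learns nothing about which Identification values the home agent would have accepted.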
Theft of Information: Passive Eavesdropping
● A passive eavesdropping attack happens when an attacker starts listening to the traffic that is transferred between a mobile device and its home agent.
● Use of Link-Layer Encryption
● Use of End-to-End Encryption (SSH, SSL…)
Session-Stealing on the Foreign Link
● The Attacker waits for a mobile node to register with its home agent
● The Attacker eavesdrops to see if the mobile node has any interesting conversation taking place (remote login session to another host, connection to the electronic mailbox)
● The Attacker floods the mobile node with nuisance packets
● The Attacker steals the session by sending packets that appear to have come from the mobile node and by intercepting packets destined to the mobile node
Session-Stealing Prevention
● Same method as in the case of Passive Eavesdropping:
  ● minimally, link-layer encryption between the mobile node and the foreign agent (session-stealing on the foreign link)
  ● with a preference for end-to-end encryption between the mobile node and its correspondent node (elsewhere)
● Note: a good encryption scheme provides a method by which a decrypting node can determine whether the recovered plaintext is gibberish or whether it is legitimate (integrity checking)
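The note above is the reason encryption alone is not enough against session-stealing: a cipher without an integrity check lets a modified or injected packet decrypt to something the receiver cannot distinguish from the real thing. The following is an added example for this transcript (not code from the slides or from any Mobile IP or SSH/SSL implementation) of the encrypt-then-MAC pattern that gives a decrypting node that check. The stream cipher here is a pedagogical stand-in built from HMAC-SHA256 keystream blocks, chosen only so the example runs with the standard library; it is not a production cipher, and a real deployment would use an authenticated cipher such as AES-GCM. The keys, the nonce and the sample plaintext are constructed.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Pedagogical keystream: concatenated HMAC-SHA256(enc_key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack("!Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, tag = HMAC(mac_key, nonce || ciphertext)."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(enc_key: bytes, mac_key: bytes, message: bytes):
    """Verify the tag before decrypting; return None, not gibberish, if anything was altered."""
    if len(message) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def decrypt_without_integrity(enc_key: bytes, message: bytes) -> bytes:
    """What a receiver gets with encryption only: the tag is ignored and any
    modification of the ciphertext passes through silently."""
    nonce, ciphertext = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN]
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> dict:
    """Constructed cases: a genuine message, the same message with one bit flipped in
    transit, and a message built by a party who does not hold the keys."""
    enc_key, mac_key = b"constructed-enc-key", b"constructed-mac-key"
    fixed_nonce = b"\x00" * NONCE_LEN  # fixed only to keep the demo deterministic
    genuine = encrypt(enc_key, mac_key, b"GET /mailbox HTTP/1.0", nonce=fixed_nonce)
    # One ciphertext bit flipped at plaintext offset 4 (the '/' character).
    idx = NONCE_LEN + 4
    tampered = genuine[:idx] + bytes([genuine[idx] ^ 0x01]) + genuine[idx + 1:]
    injected = encrypt(b"guessed-enc-key", b"guessed-mac-key", b"GET /mailbox HTTP/1.0",
                       nonce=fixed_nonce)
    return {
        "genuine": decrypt(enc_key, mac_key, genuine),
        "tampered": decrypt(enc_key, mac_key, tampered),
        "injected": decrypt(enc_key, mac_key, injected),
        # Without the integrity check the tampered message decrypts to a plausible,
        # wrong request rather than to obvious gibberish.
        "tampered_no_integrity": decrypt_without_integrity(enc_key, tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The last entry of `demo()` is the point of the slide's note: a single flipped ciphertext bit in a stream cipher flips exactly one plaintext bit, so "GET /mailbox" becomes "GET .mailbox" and nothing about the recovered text tells the receiver it was altered. Only the tag check does.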
Tunnel spoofing
● The tunnel to the home network or foreign network may be used to hide malicious packets and get them to pass through the firewall.
● Mobile IP uses the Identification field and timestamps to protect registration from any such attacks.
Other Active Attacks
● The Attacker connects to the network jack, figures out the IP address to use, and tries to break into the other hosts on the network
● He figures out the network-prefix that has been assigned to the link to which the network jack is connected
● The Attacker guesses a host number to use, which combined with the network-prefix gives him an IP address to use on the current link
● The Attacker proceeds to try to break into the hosts on the network by guessing user-name/password pairs
Protection against such attacks
● All publicly accessible network jacks must connect to a foreign agent that requires any node on the link to be registered (authenticated).
● Remove all non-mobile nodes from the link and require all legitimate mobile nodes to use (minimally) link-layer encryption
THANK YOU!!!