Network Security: Security of Internet Mobility
27
Network Security: Security of Internet Mobility Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2011
description
Network Security: Security of Internet Mobility. Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2011. Outline. Mobile IPv6 Spoofed bindings, bombing attack Return routability test. Mobile IPv6. Mobile IPv6 and addresses. The mobile node (MN) has two IPv6 addresses - PowerPoint PPT Presentation
Transcript of Network Security: Security of Internet Mobility
Network Security: Security of Internet Mobility
Tuomas AuraT-110.5241 Network security
Aalto University, Nov-Dec 2011
2
OutlineMobile IPv6Spoofed bindings, bombing attackReturn routability test
Mobile IPv6
5
Mobile IPv6 and addressesThe mobile node (MN) has two IPv6 addressesHome address (HoA):
Subnet prefix of the home networkUsed as address when MN is at home. Used as node identifier when MN is roaming in a foreign networkHome network may be virtual – MN never at home.
Care-of address (CoA):MN’s current point of attachment to the InternetSubnet prefix of the foreign network
Correspondent node (CN) can be any Internet host(Note: MN and CN are hosts, not routers.)
6
Mobility
How to communicate after MN leaves its home network and is roaming in a foreign network? (HoA, CN and CoA are IPv6 addresses)
Foreign Network
Home NetworkCorrespondent node (CN)
Mobile node (MN)
Home address(HoA)
Care-of address (CoA)
8
Mobile IPv6 tunnelling
Home agent (HA) is a router at the home network that forwards packets to and from the mobileMN always reachable at HoA
source = HAdestination = CoA
CN
MN at CoA
tunnel
source = CNdestination = HoAHome agent HA
at HoA
Home Network
Encapsulatedpacket source = CN
destination = HoA
10
Route optimization (RO)
HA at HoA
MN at CoA
source = CNdestination = CoAFor HoA
Routing header (RH)
source = CoAdestination = CNThis is HoAI'm at CoA
2. Binding Update (BU)3. Followingpackets
1. First packet
source = CoAdestination = CNFrom HoA
Home addressoption (HAO)
CN
tunnel
Threats and protectionmechanismsAll weaknesses shown here have been addresses in the RFC
15
16
Attack 1: false binding updates
A, B and C can be any IPv6 nodes (i.e. addresses) on the Internet
source = Cdestination = BThis is AI'm at C
False BU
Stolen data
Attacker
A B
C
17
Spoofed data
Connection hijacking
source = Cdestination = BThis is AI'm at C
False BU
Stolen data
Attacker
source = C destination = BFrom A
Attacker could highjack old connections or open newA, B and C can be any Internet nodes
A B
C
18
Man-in-the-middle attack
False BU
Attacker
False BUThis is BI'm at C
This is AI'm at C
A B
C
19
If no security measures addedAttacker anywhere on the Internet can hijack connection between any two Internet nodes, or spoof such a connectionAttacker must know the IPv6 addresses of the target nodes, though
20
BU authenticationMN and HA trust each other and can have a secure tunnel between them. Authenticating BUs to CN is the problemThe obvious solution is strong cryptographic authentication of BUs Problem: there is no global system for authenticating any Internet node
21
Authentication without infrastructure?How authenticate messages between any two IPv6 nodes, without introducing new security infrastructure?Set requirements to the right level: Internet with Mobile IPv6 deployed must be as secure as before it → no general-purpose strong authentication neededSome IP-layer infrastructure is available:
IPv6 addressesRouting infrastructure
Surprisingly, both can be used for BU authentication:Cryptographically generated addresses (CGA)Routing-based “weak” authentication, called return routability
22
BU Authentication – v.1
CN send a key in plaintext to HoA
MNat CoA
HAat HoA
securetunnel
2. K
1. BU
3. BU, MACK(BU)
accept BU
CN
23
Is that good enough?“Weak”, routing-based authentication, but it meets the stated requirementAttacker has to be on the path between CN and HA to break the authentication and hijack connections
This is true even if the MN never leaves home, so mobility does not make the Internet less secureNot possible for any Internet node to hijack any connection → significantly reduced risk
K is not a general-purpose session key! Only for authenticating BUs from MN to CNAnything else?
The routing-based authentication, CGA, and other protocols discourage lying about who you areStill possible to lie about where you are!
24
Attack 2: bombing attack
Attacker can flood the target by redirecting data streams
source = Cdestination = BThis is AI'm at C
False BU
Unwanted video stream
Target
bbc.co.ukVideo streamAttacker
A B
C
25
Bombing attack - ACKs
Attacker participated in the transport-layer handshake → can spoof TCP ACKs or similar acknowledgementsAttacker only needs to spoof one ACK per sender window to keep the stream goingTarget will not even send a TCP Reset!
False BU
Unwanted video stream
Target
bbc.comAttacker
source = Cdestination = BThis is AACK
Falseacknowledgments
AB
C
A
26
BU Authentication – v.2
CN sends a message to CoA to ask whether someone there wants the packetsCommon misconception: the purpose is not to send K0 and K1 along two independent paths!
MNat CoA
HAat HoA
securetunnel
2a. K0
1. BU
3. BU, MACK(BU)K=h(K0,K1)
accept BU
2b. K1
CN
27
Is that good enough?Not possible to lie about identity or location; all information in BUs is trueAlmost ready, but we still need to consider standard denial of service attacks against the BU protocol
28
Attack 3: Exhausting state storage
Correspondent will generate and store K0, K1Attacker can flood CN with false BUs → CN has to remember thousands of K0s and K1s
Attacker
2a. K0
1. BU
2b. K1
lost
lost
source = Ddestination = BThis is EI'm at D
C
B
29
BU authentication – v.3
We can make the correspondent stateless
securetunnel
2a. K0 = h (N, HoA)
1. BU
3. BU, MACK(BU) K=h(K0,K1)
accept BU
N
periodically changing
random value
MNat CoA
HAat HoA
CN
2b. K1 = h (N, CoA)
30
Attack 4: reflection and amplification
Two DDoS packets become one — minor issueIP trace-back cannot find the attacker
securetunnel
2a. K0
1. 2b. K1
DDoS Attacker
B
MNat CoA
HAat HoA
31
BU Authentication – v.4
Balanced message flows prevent amplification
2a. K0
1b. BU
3. BU, MACK(BU) K=h(K0,K1)
accept BU
2b. K1
securetunnel
1a. BU
MNat CoA
HAat HoA
CN
32
4. BA
The Mobile IPv6 Standard (RFC 6275)
Return routability (RR) test for HoA and CoA
2a. HoT
1b. CoTIESP tunnel
1a. HoTI
MNat CoA
HAat HoA CN
3. BU
2b. CoT
34
Puzzle of the dayCompare identity protection in
PGPKerberosTLS + username and password in web formTLS + HTTP Digest AuthenticationEAP-TLSPEAP-MSCHAP2IPsec.
1. Can a passive sniffer learn the identities of the authenticating parties?
2. What about active attackers?3. Does one side in the protocol have an advantage?
35
ExercisesBased on the historical flaws in Mobile IPv6, are there any potential security problems in dynamic DNS? Does Secure DNS solve these problems?Could a SIP INVITE specify a false destination for a data stream? How could this be prevented?Design a more efficient binding-update protocol for Mobile IPv6 assuming a global PKI is availableHow could the return-routability test for the care-of address (CoA RR) be optimized if the mobile is opening a TCP connection? What are the advantages and disadvantages?What problems arise if mobile node can automatically pick a home agent in any network?
