On the Security of the Mobile IP Protocol Family. Ulrike Meyer and Hannes Tschofenig, Nokia Siemens Networks / University of Twente.

Slide 1: On the Security of the Mobile IP Protocol Family
Ulrike Meyer and Hannes Tschofenig, Nokia Siemens Networks
Georgios Karagiannis, University of Twente
26 November 2007

Slide 2: Overview
The Mobile IP protocol family
Security challenges of the MIP protocol family
Security solutions standardized by the IETF
– Mobile IPv6 and Proxy Mobile IPv6
Applications of MIP and MIP security solutions
– in 3GPP and WiMAX
Open problems
Conclusion

Slide 3: MIP Protocol Family
Mobile IPv4 (RFC 3344), Mobile IPv6 (RFC 3775)
– Enable the MN to keep its IP address while moving to a new subnet
Proxy Mobile IP (PMIP, draft)
– Enables a network node to do mobility signalling on behalf of mobile nodes that do not support MIP
Dual Stack Mobile IP (DSMIP, draft)
– Supports MIPv4 and MIPv6 collocated/home addresses within one protocol
Hierarchical Mobile IP (HMIP, RFC 4140)
– Hierarchy of home agents to optimize routing in local mobility
Fast Handovers for Mobile IP (FMIP, RFC 4068)
– Enables fast handover by preparing before movement

Slide 4: Network architecture for MIPv4, MIPv6, and DSMIP
↔ Mobility signaling between MN and HA for
 binding updates (BU): bind the home IP address to the care-of address (CoA)
 binding acknowledgements (BA): acknowledge the binding
↔ Data traffic between CN and MN (via HA)
[Figure: Correspondent Node (CN), Mobile Node (MN), Network of Correspondent Node, Visited Network, Home Network, Home Agent (HA), Home AAA Server, Foreign AAA Server]

Slide 5: Network architecture for HMIP
↔ Mobility signaling between MN, MAP and HA for BUs/BAs
↔ Data traffic between CN and MN (via HA and MAP)
[Figure: Correspondent Node (CN), Network of Correspondent Node, two Visited Networks each with a Foreign AAA Server, Home Network, Home Agent (HA), Home AAA Server, Mobile Node (MN), Mobility Anchor Point (MAP)]

Slide 6: Network architecture for PMIP
↔ Mobility signaling between PMIP Client and HA
 Proxy MIP Client binds the home address of the MN to a care-of address with BUs
 Home agent (LMA) acknowledges the binding with BAs
↔ Data traffic between CN and MN
[Figure: Correspondent Node, Mobile Node, Network of Correspondent Node, Visited Network, Home Network, Home Agent (Local Mobility Anchor), Home AAA Server, Foreign AAA Server, Proxy MIP Client (Mobile Access Gateway)]

Slide 7: Main Security Challenges
Establishment of security associations (SAs) between mobility signaling end points
Integrity and replay protection of mobility signaling

Slide 8: Security solutions for MIPv6 standardized in IETF
IPsec / IKEv2 (Internet Key Exchange v2), RFC 4877
– Part of base MIPv6, RFC 3775
– IPsec for integrity and replay protection
– IKEv2 with EAP (Extensible Authentication Protocol) for authentication, used for SA establishment between MN and HA
▪ home AAA server acts as EAP authentication server
Authentication protocol, RFC 4285
– Message authentication code on BUs/BAs for integrity protection
– Sequence numbers / time stamps for replay protection
– MN-HA security association established during first binding update
▪ with the help of a security association between MN and HAAA
▪ draft-devarapalli-mip6-authprotocol-bootstrap-03.txt
– MN-HAAA SA static or established during network authentication
▪ out of scope
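To make the RFC 4285 mechanism on this slide concrete, here is an added example (not from the slides or from the protocol's authors) of a home agent checking a binding update: the authenticator follows the RFC 4285 construction, First(96, HMAC-SHA1(MN-HA key, CoA | HoA | MH data)), and the HA then applies the sequence-number and timestamp replay checks. The simplified MH data layout, the 7-second timestamp window, the key, the addresses and the status strings are constructed for this example.

```python
import hmac, hashlib, ipaddress, struct

AUTH_LEN = 12       # RFC 4285: Authenticator = First(96, HMAC_SHA1(key, Mobility Data))
SEQ_MOD = 1 << 16   # MIPv6 BU sequence number is 16 bits, compared modulo 2^16
TS_WINDOW = 7       # tolerated clock skew in seconds (constructed value, not from the RFC)

def bu_mh_data(seq, ts):
    # Simplified Mobility Header data: only the sequence number and a timestamp
    return struct.pack("!HQ", seq, ts)

def authenticator(key, hoa, coa, mh_data):
    # RFC 4285: Mobility Data = care-of address | home address | MH data
    data = ipaddress.IPv6Address(coa).packed + ipaddress.IPv6Address(hoa).packed + mh_data
    return hmac.new(key, data, hashlib.sha1).digest()[:AUTH_LEN]

def make_bu(key, hoa, coa, seq, ts):
    # Mobile node side: BU fields plus the authenticator computed over them
    return (hoa, coa, seq, ts, authenticator(key, hoa, coa, bu_mh_data(seq, ts)))

def seq_is_fresh(new, last):
    # Modulo-2^16 "greater than" for BU sequence numbers; None means no binding yet
    return last is None or 0 < (new - last) % SEQ_MOD < SEQ_MOD // 2

class HomeAgent:
    def __init__(self, mn_ha_keys):
        self.keys = mn_ha_keys   # HoA -> MN-HA shared key from an earlier SA setup
        self.bindings = {}       # HoA -> (CoA, last accepted sequence number)

    def process_bu(self, bu, now):
        hoa, coa, seq, ts, auth = bu
        key = self.keys.get(hoa)
        if key is None:
            return "no-sa"
        if not hmac.compare_digest(auth, authenticator(key, hoa, coa, bu_mh_data(seq, ts))):
            return "bad-authenticator"   # forged, or CoA/seq/timestamp changed in transit
        if not seq_is_fresh(seq, self.bindings.get(hoa, (None, None))[1]):
            return "replay"              # not newer than the last accepted sequence number
        if abs(ts - now) > TS_WINDOW:
            return "bad-timestamp"       # old BU re-sent with a higher sequence number
        self.bindings[hoa] = (coa, seq)
        return "accepted"

def demo():
    # Constructed key, addresses and clock; returns the HA verdict for five BUs
    key, hoa, now = b"constructed-mn-ha-key", "2001:db8::1", 1_000_000
    ha = HomeAgent({hoa: key})
    good = make_bu(key, hoa, "2001:db8:1::5", 10, now)
    tampered = (hoa, "2001:db8:2::9") + good[2:]        # CoA changed, MAC not recomputed
    stale = make_bu(key, hoa, "2001:db8:1::5", 11, now - 60)
    moved = make_bu(key, hoa, "2001:db8:3::1", 11, now)
    return [ha.process_bu(b, now) for b in (good, good, tampered, stale, moved)]
```

Running demo() shows the second copy of the same BU rejected as a replay and the modified BU rejected by the MAC, while a genuine move to a new CoA with a fresh sequence number is accepted.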

Slide 9: Security Solutions for PMIPv6
Base PMIPv6 draft (draft-ietf-netlmm-proxymip6)
– IPsec for integrity and replay protection between the PMIP client (MAG) and the PMIP home agent (LMA)
▪ same IPsec SAs used for all mobile nodes in the base PMIP draft
– IKEv2 to set up SAs between MAG and LMA
▪ only one pair of SAs needs to be set up
– Requires the MAG to be trusted
▪ to send BUs only for MNs that are present

Slide 10: Application of MIP in the EPS/E-UTRAN context
MIP protocols used
– for mobility between E-UTRAN and non-3GPP networks
– not for mobility within E-UTRAN or mobility with 3GPP networks
Evolved Packet System of 3GPP will support
– MIPv4 in FA (Foreign Agent) mode
– DSMIPv6
– Proxy MIPv6
MIPv4 security
– As in the base RFC, but establishment of the MN-AAA key is currently unsolved
DSMIPv6
– IPsec/IKEv2 was recently selected over RFC 4285
Proxy MIPv6
– Will use NDS (Network Domain Security) for IPsec SA establishment
– Open problem: compromised MAG problem if the non-3GPP network is not trusted

Slide 11: Application of MIP in WiMAX
MIP protocols used for mobility within WiMAX
– MIPv4
– MIPv6
– Proxy MIPv4
Proxy MIPv6 will be supported in future
MIPv6 currently secured with RFC 4285
– MN-AAA key established during EAP-based network authentication
▪ MN-AAA key derived from the Extended Master Session Key
Use of IPsec/IKEv2 planned as an option for MIPv6
Proxy MIPv6 used with RFC 4285
– Separate key per mobile node used
– MAG-LMA key established during EAP-based network authentication

Slide 12: Main Open Problems / Work in Progress
IETF
– Firewall traversal problem (RFC 4487)
▪ Off-the-shelf firewalls interfere with MIP signaling traffic
 MN behind firewall: BUs protected with ESP are blocked, ...
 CN behind firewall: problems if route optimization is used, as state is created based on the HoA, ...
 HN behind firewall: blocking of ESP traffic, blocking of unsolicited incoming traffic
– Location privacy (RFC 4882)
▪ CoA reveals location information to the CN and to eavesdroppers
▪ Eavesdropping on BUs allows identifying the MN by its HoA and, by observing the binding, tracking the MN at subnet granularity
3GPP
– Compromised MAG problem if PMIP is used for global mobility
– Dynamic establishment of the MN-AAA key for MIPv4 in 3GPP

Slide 13: Conclusion
MIP protocol family has matured
Used more and more in mobile systems
Security issues still often solved in a system-specific way
– WiMAX as a very obvious example
– Goal is often to
▪ optimize the system as a whole
▪ leverage security procedures already available
– E.g. WiMAX derives MIP SAs from keys established during network authentication

Slide 14: Thank You! Questions?
