Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Secure Access System for Mobile IPv6 Network ZHANG Hong Aug 28, 2003

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "A Secure Access System for Mobile IPv6 Network ZHANG Hong Aug 28, 2003"— Presentation transcript:

1 A Secure Access System for Mobile IPv6 Network ZHANG Hong Aug 28, 2003 Zhangh@cnnic.net.cn

2 Introduction Background: Internet, Wireless, Mobile Communication is under very fast development A secure mobile IPv6 network access system is highly needed for mobile IPv6 deployment

3 Scenario

4 Current Status and Problem Current methods and systems are still inadequate, including EAP, PANA, 802.1X, RADIUS, Diameter

5 Security Goals 1) The MN and the network access server could do mutual authentication, in case Man- in-Middle Attack. 2) Inter-domain authentication/authorization must be accomplished to support roaming user. 3) No one including AAA servers in foreign domain could forge access request of MN. 4) Transport service for the MN should be protected and prevent attacker to steal the service after MN is authenticated.

6 Security Association

7 Overview The secure access procedure for MN is comprised of three phases: - initial phase, - authentication- registration phase - termination phase.

8 Initial Phase When MN first enters a foreign network, it is in this phase. The MN will get IPv6 care-of-address by either stateful or stateless address auto-configuration. This system does not modify current IPv6 address auto-configuration protocols. MN sends a server-request packet to access servers with an IPv6 site-local broadcast address. The servers receive the request and send answers. MN will choose one server and build secure channel with it by a TLS-alike way. This secure channel will protect further authentication and registration messages.

9

10 Message 1: Server Request := MN ’ s request for a access server to deal with its access request Message 2: Server Reply := Access Server ’ s reply Message 3: Ack := MN ’ s acknowledge for one of the access servers. Message 4:{Server Cert, Challenge}Sig := the chosen access server returns its certificate and a challenge, the whole message is signed by the access server.

11 Authentication- Registration Phase In this phase, MN will send its NAI, identity credentials to access server through the secure channel built in initial phase. Thus the user identity privacy is achieved by encryption. Authentication of MN may need AAAH if MN is in foreign domain, and AAAH will do binding update registration in HA for the MN. Authentication is accomplished by transferring EAP payload between MN and AAAH.

12

13 Message 1: E{NAI, Cha, N} := MN ’ s NAI, Challenge (Cha) in initial phase, Nonce (N) for message freshness, the whole message is encrypted using the access server ’ s public key Message 2: AMR1 := Auth-MN-Request message, this message contains NAI. AAAL will forward this message to MN ’ s AAAH Message 3: AMA1 := Auth-MN-Answer message, this message contains NAI, EAP-MD5 challenge AVP Message 4: {EAP, N}sig := access server sends the EAP-MD5 challenge to MN. Nonce guarantees the message freshness. This message is signed

14 Message 5: E{NAI, EAP, N, BU} := MN sends NAI, EAP-MD5 response, nonce and binding update (BU) request to access server. Message 6: AMR2 := access server encapsulate NAI, EAP response in AVPs, BU and sends them to AAAL through AMR message Message 7: BUR := Binding Update Request, AAAH sends binding update request to HA, and HA replies BUA(Binding Update Answer)

15 Termination Phase MN sends termination request to the access server and the server replies. In order to detect when MN has disconnected abnormally, the access server uses heartbeat detection mechanism by sending probe message periodically.

16

17 Message 1: E{Terminate Request, N} := MN ’ s request to terminate access, this message is encrypted by temp key Message 2: {Server Reply}sig := Access server ’ s reply with signature

18 Logic Analysis ABBR. AS – Access Server Cert – Certificate Cha – Challenge N - Nonce MN Receives Cert, Cha, { Cert, Cha }Sig MN Verifies Cert MN Believes PK Belongs to AS MN Believes AS Said Cha AS Receives {MN, Cha, N}Pk AS Believes Freshness(Cha)

19 AS Believes Freshness(MN, N) MN Receives EAP-Cha, N, {EAP-Cha, N}sig MN Believes AS Said {EAP-Cha, N} MN Believes Freshness(N) MN Believes Freshness(EAP-Cha) AS Receives{EAP-Res, MN, N }pk AAAH Verifies EAP-Res AAAH Believes MN ’ s Identity

20 Comparison With Former Goals This system accomplishes all of them. 1) The access server is authenticated to MN by certificate. The MN is authenticated later by EAP methods. 2) Inter-domain authentication/authorization is supported by AMR and AMA messages in Diameter protocol. 3) No one could forge access request of MN and send it to AAA servers in home domain. 4) Service theft attack is prevented by security association between MN and router.

21 Thanks !!!

Download ppt "A Secure Access System for Mobile IPv6 Network ZHANG Hong Aug 28, 2003"

Similar presentations

A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,

A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,
Security Issues In Mobile IP

Security Issues In Mobile IP
RadSec – A better RADIUS protocol

RadSec – A better RADIUS protocol
Secure Mobile IP Communication

Secure Mobile IP Communication
Fast and Secure Universal Roaming Service for Mobile Internet Yeali S. Sun, Yu-Chun Pan, Meng-Chang Chen.

Fast and Secure Universal Roaming Service for Mobile Internet Yeali S. Sun, Yu-Chun Pan, Meng-Chang Chen.
Mobile IP in Wireless Cellular Systems from several perspectives Charles E. Perkins Nokia Research Center.

Mobile IP in Wireless Cellular Systems from several perspectives Charles E. Perkins Nokia Research Center.
MIP Extensions: FMIP & HMIP

MIP Extensions: FMIP & HMIP
Auto Configuration and Mobility Options in IPv6 By: Hitu Malhotra and Sue Scheckermann.

Auto Configuration and Mobility Options in IPv6 By: Hitu Malhotra and Sue Scheckermann.
1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.

1Nokia Siemens Networks Presentation / Author / Date University of Twente On the Security of the Mobile IP Protocol Family Ulrike Meyer and Hannes Tschofenig.
Mobile IPv6 趨勢介紹 1. Mobile IP and its Variants Mobile IPv4 (MIPv4) – MIPv4 – Low-Latency Handover for MIPv4 (FMIPv4) – Regional Registration for MIPv4.

Mobile IPv6 趨勢介紹 1. Mobile IP and its Variants Mobile IPv4 (MIPv4) – MIPv4 – Low-Latency Handover for MIPv4 (FMIPv4) – Regional Registration for MIPv4.
Inter-Subnet Mobile IP Handoffs in 802.11b Wireless LANs Albert Hasson.

Inter-Subnet Mobile IP Handoffs in b Wireless LANs Albert Hasson.
1 Mobile IP Myungchul Kim Tel: 042-866-6127.

1 Mobile IP Myungchul Kim Tel:
Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005.

Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005.
Bootstrapping MIP6 Using DNS and IKEv2 (BMIP) James Kempf Samita Chakrarabarti Erik Nordmark draft-chakrabarti-mip6-bmip-01.txt Monday March 7, 2005.

Bootstrapping MIP6 Using DNS and IKEv2 (BMIP) James Kempf Samita Chakrarabarti Erik Nordmark draft-chakrabarti-mip6-bmip-01.txt Monday March 7, 2005.
Mobile IP Overview: Standard IP Standard IP Evolution of Mobile IP Evolution of Mobile IP How it works How it works Problems Assoc. with it Problems Assoc.

Mobile IP Overview: Standard IP Standard IP Evolution of Mobile IP Evolution of Mobile IP How it works How it works Problems Assoc. with it Problems Assoc.
Vault: A Secure Binding Service Guor-Huar Lu, Changho Choi, Zhi-Li Zhang University of Minnesota.

Vault: A Secure Binding Service Guor-Huar Lu, Changho Choi, Zhi-Li Zhang University of Minnesota.
A Study of Mobile IP Kunal Ganguly Wichita State University CS843 – Distributed Computing.

A Study of Mobile IP Kunal Ganguly Wichita State University CS843 – Distributed Computing.
IPv6 Mobility David Bush. Correspondent Node Operation DEF: Correspondent node is any node that is trying to communicate with a mobile node. This node.

IPv6 Mobility David Bush. Correspondent Node Operation DEF: Correspondent node is any node that is trying to communicate with a mobile node. This node.
NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.

NCHU AI LAB Implications of Unlicensed Mobile Access for GSM security From : Proceeding of the First International Conference on Security and Privacy for.
Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

Similar presentations

Ads by Google