Bootstrapping MIP6 Using DNS and IKEv2 (BMIP)
James Kempf, Samita Chakrabarti, Erik Nordmark
draft-chakrabarti-mip6-bmip-01.txt
Monday March 7, 2005


1 Bootstrapping MIP6 Using DNS and IKEv2 (BMIP)
James Kempf, Samita Chakrabarti, Erik Nordmark
draft-chakrabarti-mip6-bmip-01.txt
Monday March 7, 2005

2 Motivation
- Support deployments in which the Home Network Access Provider and the Mobility Service Provider are different providers
- Support deployments with a loose trust relationship between the Serving Network Access Provider and the Mobility Service Provider
- Examples:
  – Enterprise networks
  – Hotspots with non-AAA-based network entry authorization (maybe 90% of WLAN public access deployments in the US?)
  – Future deployment possibilities
  – Infrastructureless deployments

3 Example: Universal Access Method (UAM)
(Diagram: Mobile Node – AP – AR – Access Network – Border Router – Internet – PAC. AP: Access Point; PAC: Public Access Control Gateway)
- Terminal initiates HTTP GET
- PAC sends Redirect to Login Page
- HTTP PUT sends credentials to PAC
- PAC relays credentials to credit card provider
- Authorization Decision! Credit card provider sends authz decision to PAC
- Internet Access! Original page displayed

4 Basic Problems Addressed
- No AAA "hook" during network access authentication to provision the Mobile Node with the Home Agent address and mobility service authorization credentials
  – EAP solutions such as draft-giaretta-mip6-authorization require AAA during network access authentication
- Tight trust lacking between Mobility Service Provider and Access Service Provider
  – DHCP solutions such as draft-ohba-mip6-boot require very high trust between networks for roaming support
- Home Network Access Service Provider uses AAA but is not also a Mobility Service Provider

5 What the Mobile Node Starts With
- A connection to the Internet on the serving (local) network, authenticated and authorized (or not) through any means, e.g. 802.1X, PANA, etc.
- The domain name of the Mobility Service Provider
- Credentials that allow IKEv2 with the Home Agent to authenticate and authorize the node for mobility service:
  – NAI or similar non-topological identity
  – Certificate or preshared key if IKEv2 auth/authz is done with a certificate or preshared key
  – User name/password or other credentials if IKEv2 auth/authz is done using EAP
- Optional: certificate for the Home Agent if not available during the DNS or IKE transaction

6 The Protocol
(Diagram: Mobile Node – AP – AR – Access Network (with Local DNS Server) – Border Router – Internet – Border Router – Mobility Service Provider (MSP DNS Server, MIP6 HA))
- DNS SRV Rqst: mip6 ipv6 (Mobile Node to Local DNS Server)
- DNS SRV Rqst forwarded to the MSP DNS Server (if not cached)
- DNS SRV Rply: HA Address
- IKEv2 (+ EAP if required) between Mobile Node and MIP6 HA
- ESP + MIP6 BU!
- Terminal now has Home Address and IPsec SAs
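The DNS half of the exchange above, and the message-ID replay check slide 7 relies on, as an added Python example that is not part of the deck or the draft: the Mobile Node builds the SRV query, a constructed MSP reply stands in for the network, and the parser refuses any reply whose ID does not match before listing Home Agent candidates. The `_mip6._ipv6` service labels, the domain and the HA names are assumptions.

```python
import secrets
import struct

SRV_TYPE, CLASS_IN = 33, 1                # RFC 2782 SRV record type, class IN

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def srv_question(domain):                 # "_mip6._ipv6" labels are an assumption (as in RFC 5026)
    return encode_name("_mip6._ipv6." + domain) + struct.pack("!HH", SRV_TYPE, CLASS_IN)

def build_srv_query(domain, msg_id=None):
    msg_id = secrets.randbelow(65536) if msg_id is None else msg_id   # fresh ID: RFC 1035 replay check
    return msg_id, struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0) + srv_question(domain)

def build_srv_reply(msg_id, domain, records):  # constructed MSP reply for offline testing
    out = struct.pack("!HHHHHH", msg_id, 0x8180, 1, len(records), 0, 0) + srv_question(domain)
    for prio, weight, port, target in records:   # records: (priority, weight, port, HA name)
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        out += b"\xc0\x0c" + struct.pack("!HHIH", SRV_TYPE, CLASS_IN, 300, len(rdata)) + rdata
    return out

def decode_name(msg, off):                 # returns (name, offset just past the name field)
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:              # compression pointer: note where to resume, then jump
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels), (end or off)
        labels.append(msg[off:off + ln].decode())
        off += ln

def parse_srv_reply(expected_id, msg):     # HAs ordered by priority, then descending weight
    rid, _, qd, an = struct.unpack("!HHHH", msg[:8])
    if rid != expected_id:
        raise ValueError("message ID mismatch: reply is not for our query (replayed or forged)")
    off, hosts = 12, []
    for _ in range(qd):                    # skip the echoed question section
        off = decode_name(msg, off)[1] + 4
    for _ in range(an):
        off = decode_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", msg[off + 10:off + 16])
            hosts.append((prio, weight, port, decode_name(msg, off + 16)[0]))
        off += 10 + rdlen
    return sorted(hosts, key=lambda h: (h[0], -h[1]))
```

The ID check only filters replies that were not solicited; as the next slide says, integrity of the answer itself needs DNSSEC.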

7 Security of BMIP Protocol
- Replay protection provided by the message identity code in DNS
  – RFC 1035
- Server-to-host data integrity and origination authentication provided by DNSSEC
  – RFC 2535
  – DNSSEC is not widely deployed today, but then neither is MIP6
  – For future DNS security, DNSSEC should be deployed

8 Security of Home Agent Address
- Host-to-server authorization can be done by using DNS TSIG
  – RFC 2845
  – Upside: only authorized hosts can get the address
  – Downside: requires the MSP DNS server to perform auth on the SRV Rqst in real time (i.e. no caching)
- Address is unencrypted in transit, so it can be intercepted by a MiTM
- Confidentiality protection can be provided by encrypting the address before inserting it into DNS
  – Anybody can get the record; only authorized users with keys can decrypt
  – Draft in preparation for DNSEXT
- Assumption: these measures assume some utility to "hiding" the address in the first place, presumably to prevent DoS

9 DoS Attack on the Home Agent Address
- Address is in public DNS; anybody could snatch it!
- IKEv2 contains measures to slow down an attacker if they should get it
- But... DoS is a problem with any solution (including manual configuration) that exposes the Home Agent address to users on the Internet
  – User goes rogue
  – Someone steals the address from a legitimate user
  – Distributed worm probing attack discovers the Home Agent
- Bottom line: "hiding" the address from unauthorized users only makes launching a DoS attack a little harder

10 Realistic DoS Mitigation Measures
- Overprovisioning
  – Network connections and Home Agent server capacity are enough to handle any conceivable load
- Change Home Agent addresses aperiodically
  – Especially if someone suspicious has their account revoked
- Provision Home Agents with:
  – Few users, to avoid inconveniencing lots of users when an attack occurs
  – Topologically widely separated subnets, to slow worm probing attacks

11 Questions/Comments?