Mobile IPv6 Location Privacy Solutions UPDATE draft-irtf-mobopts-location-privacy-solutions-04.txt Ying Qiu, Fan Zhao, Rajeev Koodli.

Outline (Mobopts, IETF 68)
– Why Need Location Privacy?
– How to Protect the Location Privacy?
  – Pseudo Home Address
  – Dynamic SPI
  – Home Binding Update
  – RR signaling
  – Correspondent Binding Update
– What is different from original operation?

Analysis of Location Privacy in MIP6
– IP Address Location Privacy and Mobile IPv6: Problem Statement:
  – draft-ietf-mip6-location-privacy-ps-07.txt

Pseudo Home Address
– pHoA requirements:
  – Secure
  – Routable
  – Dynamic
– pHoA = Prefix_m || Enc(Kph_i, interface ID)
– Kph_i = HMAC_SHA1(Kph, IPsec sequence number)
  where Kph is the symmetric key shared between MN and HA, and Prefix_m is one of the home network prefixes

Using RR to compute the pseudo-HoA
– privacy keygen token = First(64, HMAC_SHA1(Kcn, (home address set to all zeros | nonce | 2)))
– Kpm = SHA1(privacy keygen token | care-of keygen token)
– pseudo home address = String XOR HoA
– String = First(128, HMAC_SHA1(Kpm, (care-of address | home nonce index | care-of nonce index)))

Dynamic SPI
– SPI update: after getting the BU and BA, HA and MN change their SPIs respectively, to protect against the profiling attack.
– new SPI = (the current SPI + SPI_increment)
– SPI_increment = First(8, HMAC_SHA1(Kph, the current SPI))
– If SPI_increment = 0, then set SPI_increment = 1
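The Kph_i derivation from the Pseudo Home Address slide and the SPI stepping rule above, written out in Python as an added example (not code from the draft or its authors). It assumes 32-bit big-endian encodings for the IPsec sequence number and the SPI, masks the sum to 32 bits, and stops short of Enc(Kph_i, interface ID) because the slide does not name the cipher.

```python
import hmac
import hashlib


def first(bits, data):
    """First(size, input) from RFC 3775: the leading `size` bits of input."""
    return data[: bits // 8]


def derive_kph_i(kph, ipsec_seq):
    """Slide 4: Kph_i = HMAC_SHA1(Kph, IPsec sequence number), the per-BU key
    under which the interface ID of the pHoA is encrypted. Kph is the MN-HA
    shared key; encoding the sequence number as 32-bit big-endian is an
    assumption (the slide does not fix an encoding)."""
    return hmac.new(kph, ipsec_seq.to_bytes(4, "big"), hashlib.sha1).digest()


def next_spi(kph, current_spi):
    """Slide 6: SPI_increment = First(8, HMAC_SHA1(Kph, current SPI)), set to
    1 when it comes out as 0 so the SPI always changes; new SPI = current SPI
    + SPI_increment, kept inside the 32-bit SPI field (wraparound is not
    addressed by the slide; masking is an assumption here)."""
    mac = hmac.new(kph, current_spi.to_bytes(4, "big"), hashlib.sha1).digest()
    increment = first(8, mac)[0]
    if increment == 0:
        increment = 1
    return (current_spi + increment) & 0xFFFFFFFF


def spi_chain(kph, initial_spi, exchanges):
    """SPIs in force after each of `exchanges` successful BU/BA rounds,
    starting from the SPI established at bootstrap. MN and HA both run this
    from the same Kph and starting SPI, so they stay in step without ever
    sending the new SPI over the air."""
    chain, spi = [], initial_spi
    for _ in range(exchanges):
        spi = next_spi(kph, spi)
        chain.append(spi)
    return chain


if __name__ == "__main__":
    # constructed sample key and bootstrap SPI, not real values
    kph = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
    print([hex(s) for s in spi_chain(kph, 0x1000, 4)])
    print(derive_kph_i(kph, 1).hex(), derive_kph_i(kph, 2).hex())
```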

Home Binding Update with IPsec Transport Mode (i)
BU message:
  IPv6 header: source = CoA, destination = HA
  Destination option header: Home Address option (pHoA)
  ESP header in transport mode (with dynamic SPI)
  Mobility header: Home Binding Update, Alternative CoA option (CoA)
SA in Home Agent:
  SA_in (IN, spi_a', home_agent, ESP, TRANSPORT): source = home_address & destination = home_agent & proto = MH

Home Binding Update with IPsec Transport Mode (ii)
BA message:
  IPv6 header: source = HA, destination = CoA
  Destination option header: Home Address option (pHoA)
  ESP header in transport mode (with dynamic SPI)
  Mobility header: Home Binding Acknowledgement
SA in Home Agent:
  SA_out (OUT, spi_b', home_address, ESP, TRANSPORT): source = home_agent & destination = home_address & proto = MH

Home Binding Update with IPsec Tunnel Mode
BU message:
  IPv6 header: source = CoA, destination = HA
  ESP header in tunnel mode (with dynamic SPI)
  inner IPv6 header: source = HoA, destination = HA
  Mobility header: Home Binding Update, Alternative CoA option (CoA)
BA message:
  IPv6 header: source = HA, destination = CoA
  ESP header in transport mode (with dynamic SPI)
  inner IPv6 header: source = HA, destination = HoA
  Mobility header: Home Binding Acknowledgement

RR signaling (i)
– CoTI/CoT: no change
– HoTI in MN-HA path:
    IPv6 header: source = CoA, destination = HA
    ESP header in tunnel mode
    inner IPv6 header: source = pHoA, destination = CN
    Mobility header: HoTI
– HoTI in HA-CN path:
    IPv6 header: source = pHoA, destination = CN
    Mobility header: HoTI

RR signaling (ii)
– HoT in CN-HA path:
    IPv6 header: source = CN, destination = pHoA
    Mobility header: HoT
– HoT in HA-MN path:
    IPv6 header: source = HA, destination = CoA
    ESP header in tunnel mode
    inner IPv6 header: source = CN, destination = pHoA
    Mobility header: HoT

Correspondent Binding Update
BU message:
  IPv6 header: source = CoA, destination = CN
  Destination option: pHoA
  Mobility header: Seq#, home nonce index, care-of nonce index, Enc(Kbm, iHoA),
    First(96, HMAC_SHA1(Kbm, (care-of address | correspondent | BU)))
where
– Kbm = SHA1(home keygen token | care-of keygen token); no change
– home keygen token = First(64, HMAC_SHA1(Kcn, (pHoA | nonce | 0)))
– care-of keygen token = First(64, HMAC_SHA1(Kcn, (CoA | nonce | 1))); no change
– The identity address iHoA can be the real HoA or the first pHoA used when the session was established.
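The RR-based pseudo-HoA derivation (slide "Using RR to compute the pseudo-HoA") and the Kbm and authenticator computation above, as an added Python example that is not part of the draft. The keygen tokens are computed directly from Kcn here, standing in for the values the CN returns in HoT/CoT; the privacy token is assumed to take the home nonce, nonce indices are taken as 16-bit, and Enc(Kbm, iHoA) is left out because the slide does not name the cipher.

```python
import hmac
import hashlib


def first(bits, data):
    """First(size, input) from RFC 3775: the leading `size` bits of input."""
    return data[: bits // 8]


def hmac_sha1(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def keygen_token(kcn, addr, nonce, tag):
    """First(64, HMAC_SHA1(Kcn, (addr | nonce | tag))): tag 0 = home keygen
    token, 1 = care-of keygen token, 2 = privacy keygen token (slide 5,
    computed over the all-zeros address instead of the real HoA)."""
    return first(64, hmac_sha1(kcn, addr + nonce + bytes([tag])))


def pseudo_home_address(kcn, hoa, coa, home_nonce, coa_nonce, home_idx, coa_idx):
    """Slide 5: pHoA = String XOR HoA, with
    Kpm = SHA1(privacy keygen token | care-of keygen token) and
    String = First(128, HMAC_SHA1(Kpm, (CoA | home nonce idx | care-of nonce idx))).
    Feeding the home nonce into the privacy token is an assumption."""
    privacy_token = keygen_token(kcn, bytes(16), home_nonce, 2)
    coa_token = keygen_token(kcn, coa, coa_nonce, 1)
    kpm = hashlib.sha1(privacy_token + coa_token).digest()
    indices = home_idx.to_bytes(2, "big") + coa_idx.to_bytes(2, "big")
    string = first(128, hmac_sha1(kpm, coa + indices))
    return bytes(s ^ h for s, h in zip(string, hoa))


def binding_key(kcn, phoa, coa, home_nonce, coa_nonce):
    """Slide 12: Kbm = SHA1(home keygen token | care-of keygen token); the
    home keygen token is now computed over the pHoA, not the real HoA."""
    home_token = keygen_token(kcn, phoa, home_nonce, 0)
    coa_token = keygen_token(kcn, coa, coa_nonce, 1)
    return hashlib.sha1(home_token + coa_token).digest()


def authenticator(kbm, coa, cn, bu):
    """First(96, HMAC_SHA1(Kbm, (care-of address | correspondent | BU)))."""
    return first(96, hmac_sha1(kbm, coa + cn + bu))


def cn_verify(kcn, phoa, coa, cn, home_nonce, coa_nonce, bu, tag):
    """Step 4 on the CN: regenerate the tokens and Kbm from the pHoA, CoA and
    nonces in the packet, then compare the authenticator in constant time."""
    kbm = binding_key(kcn, phoa, coa, home_nonce, coa_nonce)
    return hmac.compare_digest(authenticator(kbm, coa, cn, bu), tag)
```

Addresses are 16-byte IPv6 addresses and nonces 8-byte RR nonces; because String does not depend on the HoA, applying pseudo_home_address to the pHoA with the same inputs recovers the HoA, which is what lets the MN keep the mapping in its binding update list.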

What is different from original operation? CN side:

Original RR | With additional option
1) check the packet MUST contain a unicast routable home address | the same
2) the Sequence Number field in the Binding Update is greater than the Sequence Number received in the previous valid Binding Update | the same
3) a Nonce Indices mobility option MUST be present | the same
4) the correspondent node MUST re-generate the home keygen token and the care-of keygen token from the information contained in the packet. It then generates the binding management key Kbm and uses it to verify the authenticator field in the Binding Update | In network i, we use the same pHoA_i in the HoTI_i and BU_i messages, and CoTI and CoT as usual, so the new method can generate the valid Kbm and then pass the step.
5) create/update the BU entry according to HoA | first decrypt the new item Enc(Kbm, iHoA), get the iHoA, then create/update the BU entry according to the iHoA.

BINDING CACHE: pHoA → HoA iHoA CoA Lifetime Seq

What is different from original operation? HA side and MN side:
– HA side: operation is almost the same as the original, but the key for searching the binding cache is the pHoA instead of the real HoA.
– MN side: the additional operation is that the MN needs to generate a pHoA at every new location and store/update the pHoA in the binding update list.
BINDING UPDATE LIST: pHoA iHoA CN HoA CoA Lifetime Seq#
BINDING CACHE: pHoA HoA CoA Lifetime Seq#

BU format
IPv6 header (source = care-of address, destination = correspondent node)
  – Destination Option – pseudo home address
Mobility header
  Binding Update = (sequence number, home nonce index, care-of nonce index)
  First(96, HMAC_SHA1(Kbm, (care-of address | correspondent | Binding Update)))

Q & A. Thank you.