Bootstrapping MIP6 Using DNS and IKEv2 (BMIP). James Kempf, Samita Chakrabarti, Erik Nordmark. draft-chakrabarti-mip6-bmip-01.txt. Monday, March 7, 2005.


Motivation
- Support deployments in which the Home Network Access Provider and the Mobility Service Provider are different providers
- Support deployments with only a loose trust relationship between the Serving Network Access Provider and the Mobility Service Provider
- Examples:
  – Enterprise networks
  – Hotspots with non-AAA-based network entry authorization (maybe 90% of WLAN public access deployments in the US?)
  – Future deployment possibilities
  – Infrastructureless deployments

Example: Universal Access Method (UAM)
Topology (slide figure): Mobile Node -- AP -- AR -- Access Network -- Border Router -- Internet, with the PAC sitting in the access network. AP: Access Point; AR: Access Router; PAC: Public Access Control Gateway.
Message flow:
1. Terminal initiates an HTTP GET
2. PAC sends a Redirect to the Login Page
3. HTTP PUT sends the credentials to the PAC
4. PAC relays the credentials to the credit card provider
5. Credit card provider sends the authorization decision to the PAC (Authorization Decision!)
6. Internet Access! The original page is displayed
Nothing in this exchange involves AAA or the Mobility Service Provider, so there is no point at which the Mobile Node could be handed its Home Agent address.

Basic Problems Addressed
- No AAA "hook" during network access authentication to provision the Mobile Node with the Home Agent address and mobility service authorization credentials
  – EAP solutions such as draft-giaretta-mip6-authorization require AAA during network access authentication
- Tight trust lacking between the Mobility Service Provider and the Access Service Provider
  – DHCP solutions such as draft-ohba-mip6-boot require very high trust between the networks for roaming support
- Home Network Access Service Provider uses AAA but is not also a Mobility Service Provider

What the Mobile Node Starts With
- A connection to the Internet on the serving (local) network, authenticated and authorized (or not) through any means, e.g. 802.1X, PANA, etc.
- The domain name of the Mobility Service Provider
- Credentials that allow IKEv2 with the Home Agent to authenticate and authorize the node for mobility service:
  – NAI or similar non-topological identity
  – Certificate or pre-shared key, if IKEv2 auth/authz is done with a certificate or pre-shared key
  – User name/password or other credentials, if IKEv2 auth/authz is done using EAP
- Optional: certificate for the Home Agent, if not available during the DNS or IKE transaction

The Protocol
Topology (slide figure): Mobile Node -- AP -- AR -- Access Network -- Border Router -- Internet -- Border Router -- Mobility Service Provider network, which hosts the MSP DNS Server and the MIP6 HA; a Local DNS Server sits in the access network.
Message flow:
1. Mobile Node -> Local DNS Server: DNS SRV request for the mip6 service over ipv6 in the MSP's domain (_mip6._ipv6.<MSP domain>)
2. Local DNS Server -> MSP DNS Server: DNS SRV request forwarded (if not cached)
3. MSP DNS Server -> Mobile Node (via the local server): DNS SRV reply carrying the Home Agent address
4. Mobile Node <-> MIP6 HA: IKEv2, with EAP if required
5. The terminal now has a Home Address and IPsec SAs
6. Mobile Node -> MIP6 HA: ESP-protected MIP6 Binding Update (BU)!

Security of BMIP Protocol
- Replay protection provided by the message identity code in DNS
  – RFC 1035
  – Caveat: the 16-bit message ID (together with the source port) only lets the resolver match a reply to its outstanding query; it is guessable and is not cryptographic replay protection
- Server-to-host data integrity and origin authentication provided by DNSSEC
  – RFC 2535 (since replaced by RFCs 4033-4035)
  – DNSSEC is not today widely deployed, but then neither is MIP6
  – For future DNS security, DNSSEC should be deployed
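The SRV lookup from the protocol slide, together with the reply checks this slide relies on, as an added example that is not code from the BMIP draft or its authors. It builds the MN's query for _mip6._ipv6.<MSP domain> in raw RFC 1035 wire format, verifies that the reply echoes the query's transaction ID and question (the only replay/spoofing check a resolver has without DNSSEC), collects the SRV and AAAA records, and picks a Home Agent by RFC 2782 priority and weight. The reply bytes are constructed inline (example.com, ha1/ha2, the 2001:db8::/32 documentation prefix, IKE port 500 in the SRV record); none of those values come from the draft.

```python
import ipaddress
import random
import secrets
import struct

SRV_TYPE, AAAA_TYPE, IN_CLASS = 33, 28, 1

def encode_name(name):
    """Uncompressed RFC 1035 wire-format name."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a name at msg[off], following compression pointers; returns (name, end offset)."""
    labels, end, jumped = [], None, False
    for _ in range(128):  # bounded walk: a pointer loop cannot spin forever
        ln = msg[off]
        if ln & 0xC0 == 0xC0:
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)

def build_srv_query(msp_domain, txid=None):
    """The MN's query: SRV for _mip6._ipv6.<MSP domain>, random 16-bit ID, RD set."""
    txid = secrets.randbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name("_mip6._ipv6." + msp_domain) + struct.pack("!HH", SRV_TYPE, IN_CLASS)
    return txid, header + question

def parse_srv_response(msg, expected_txid, expected_qname):
    """Check the reply against the outstanding query, then collect SRV and AAAA data."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: stale or forged reply")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if flags & 0x000F:
        raise ValueError("server returned rcode %d" % (flags & 0xF))
    qname, off = decode_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS
    if qd != 1 or qname.lower() != expected_qname.lower():
        raise ValueError("question section does not echo our query")
    srv, aaaa = [], {}
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata_off, off = off + 10, off + 10 + rdlen
        if rtype == SRV_TYPE and name.lower() == expected_qname.lower():
            prio, weight, port = struct.unpack("!HHH", msg[rdata_off:rdata_off + 6])
            target, _ = decode_name(msg, rdata_off + 6)  # target may use a pointer
            srv.append((prio, weight, port, target))
        elif rtype == AAAA_TYPE and rdlen == 16:
            aaaa[name.lower()] = ipaddress.IPv6Address(msg[rdata_off:off])
    return srv, aaaa

def accepts_reply(msg, expected_txid, expected_qname):
    try:
        parse_srv_response(msg, expected_txid, expected_qname)
        return True
    except ValueError:
        return False

def choose_home_agent(srv, aaaa, rng=random.random):
    """RFC 2782 selection: lowest priority wins, weighted random among equals.
    Returns (target, port, IPv6Address or None when no AAAA was supplied)."""
    if not srv:
        return None
    best = min(r[0] for r in srv)
    cands = [r for r in srv if r[0] == best]
    total = sum(r[1] for r in cands)
    r, acc = rng() * total, 0
    for _prio, weight, port, target in cands:
        acc += weight
        if total == 0 or r < acc:
            return target, port, aaaa.get(target.lower())

def _rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, IN_CLASS, ttl, len(rdata)) + rdata

def constructed_response(txid):
    """Constructed reply (not captured traffic): two HAs for example.com with AAAA glue."""
    q = "_mip6._ipv6.example.com"
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 2)  # QR RD RA, NOERROR
    msg += encode_name(q) + struct.pack("!HH", SRV_TYPE, IN_CLASS)
    msg += _rr(q, SRV_TYPE, 300, struct.pack("!HHH", 10, 60, 500) + encode_name("ha1.example.com"))
    msg += _rr(q, SRV_TYPE, 300, struct.pack("!HHH", 20, 0, 500) + encode_name("ha2.example.com"))
    msg += _rr("ha1.example.com", AAAA_TYPE, 300, ipaddress.IPv6Address("2001:db8:1::1").packed)
    msg += _rr("ha2.example.com", AAAA_TYPE, 300, ipaddress.IPv6Address("2001:db8:2::1").packed)
    return msg
```

The ID and question checks are what RFC 1035 gives the MN: a blind spoofer who cannot see the query has to guess the 16-bit ID (and the source port) per forged reply, and an on-path attacker does not have to guess at all. DNSSEC validation of the SRV and AAAA records would go where parse_srv_response accepts them; absent that, the IKEv2 authentication of the Home Agent is the first step in the flow that actually binds the address to the MSP.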

Security of Home Agent Address
- Host-to-server authorization can be done by using DNS TSIG
  – RFC 2845
  – Upside: only authorized hosts can get the address
  – Downside: requires the MSP DNS server to perform authentication on each SRV request in real time (i.e. no caching), and TSIG needs a shared secret provisioned for every authorized host
  – The address is unencrypted in transit, so it can still be intercepted by a MiTM
- Confidentiality protection can be provided by encrypting the address before inserting it into DNS
  – Anybody can get the record; only authorized users with keys can decrypt it
  – Draft in preparation for DNSEXT
=> Assumption: these measures assume there is some utility to "hiding" the address in the first place, presumably to prevent DoS

DoS Attack on the Home Agent Address
- The address is in public DNS: anybody could snatch it!
- IKEv2 contains measures (the stateless cookie exchange) to slow down an attacker who gets it
- But... DoS is a problem with any solution (including manual configuration) that exposes the Home Agent address to users on the Internet:
  – A user goes rogue
  – Someone steals the address from a legitimate user
  – A distributed worm probing attack discovers the Home Agent
=> Bottom line: "hiding" the address from unauthorized users only makes launching a DoS attack a little harder
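The IKEv2 measure referred to above is the stateless cookie exchange of RFC 4306 section 2.6 (carried unchanged into RFC 7296). What follows is an added example, not code from the draft or from any IKE implementation, of what a Home Agent's responder does once its count of half-open IKE SAs passes a threshold: instead of creating state it answers with N(COOKIE) computed over Ni, the initiator's address and SPIi under a rotating secret, and only a retry carrying a valid cookie gets an SA. The cookie here is <VersionIDofSecret> | HMAC-SHA256(secret, Ni | IPi | SPIi), a keyed variant of the hash the RFC suggests; the threshold, the 32-byte secret, the rotation policy (current and previous secret accepted) and the 2001:db8::/32 addresses are assumptions for the demonstration.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

COOKIE_LEN = 2 + 32  # version id + HMAC-SHA256 tag

class IkeResponder:
    """Responder side of IKE_SA_INIT with an RFC 7296 section 2.6 style stateless cookie."""

    def __init__(self, half_open_limit=2):
        self.half_open_limit = half_open_limit        # assumed threshold for "under attack"
        self.half_open = {}                           # (src_ip, spi_i) -> spi_r: state we committed
        self.version = 0
        self.secrets = {0: os.urandom(32)}            # version -> secret; current and previous kept

    def rotate_secret(self):
        """Start a new secret but keep the previous one so in-flight retries still verify."""
        self.version += 1
        self.secrets = {self.version: os.urandom(32),
                        self.version - 1: self.secrets[self.version - 1]}

    def _cookie(self, version, ni, src_ip, spi_i):
        data = ni + ipaddress.ip_address(src_ip).packed + spi_i
        mac = hmac.new(self.secrets[version], data, hashlib.sha256).digest()
        return struct.pack("!H", version) + mac

    def check_cookie(self, cookie, ni, src_ip, spi_i):
        if len(cookie) != COOKIE_LEN:
            return False
        version = struct.unpack("!H", cookie[:2])[0]
        if version not in self.secrets:               # too old: secret already discarded
            return False
        return hmac.compare_digest(cookie, self._cookie(version, ni, src_ip, spi_i))

    def under_attack(self):
        return len(self.half_open) >= self.half_open_limit

    def handle_ike_sa_init(self, src_ip, spi_i, ni, cookie=None):
        """Returns ("cookie", bytes) with no state kept, ("reject", why), or ("proceed", spi_r)."""
        if self.under_attack():
            if cookie is None:
                return "cookie", self._cookie(self.version, ni, src_ip, spi_i)
            if not self.check_cookie(cookie, ni, src_ip, spi_i):
                return "reject", "invalid cookie"
        spi_r = os.urandom(8)
        self.half_open[(src_ip, spi_i)] = spi_r       # only now does the responder spend memory
        return "proceed", spi_r

def spoofed_flood(responder, n):
    """Attacker sends n IKE_SA_INIT from forged sources; returns how many got responder state."""
    got_state = 0
    for i in range(n):
        verdict, _ = responder.handle_ike_sa_init("2001:db8:bad::%x" % (i + 1), os.urandom(8), os.urandom(32))
        got_state += verdict == "proceed"
        # any N(COOKIE) went to the forged address, so the attacker cannot retry with it
    return got_state

def legitimate_initiator(responder, src_ip="2001:db8:1::10"):
    """Real MN: on N(COOKIE), resend IKE_SA_INIT with the cookie and the same SPIi/Ni."""
    spi_i, ni = os.urandom(8), os.urandom(32)
    verdict, payload = responder.handle_ike_sa_init(src_ip, spi_i, ni)
    if verdict == "cookie":
        verdict, payload = responder.handle_ike_sa_init(src_ip, spi_i, ni, cookie=payload)
    return verdict
```

The cookie turns a memory-exhaustion attack into a bandwidth one: a forged-source flood costs the responder one HMAC per packet and no state, while a real MN pays one extra round trip. It does nothing against an attacker who uses real, reachable addresses, which is the slide's point that the address being public is the lesser problem.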

Realistic DoS Mitigation Measures
- Overprovisioning
  – Network connections and Home Agent server capacity are enough to handle any conceivable load
- Change Home Agent addresses aperiodically
  – Especially if someone suspicious has had their account revoked
- Provision Home Agents with:
  – Few users each, to avoid inconveniencing lots of users when an attack occurs
  – Topologically widely separated subnets, to slow worm probing attacks

Questions/Comments?