
We have described attacks against Mobile IPv6 Route Optimization and mechanisms for protecting the protocol participants and third parties. Some of the attacks may be new in the sense that they have not been considered in earlier BU authentication requirements and protocol drafts. It is our hope that this paper will help in designing BU authentication protocols and in the process of choosing the protocol.

6.1 Conclusion

Our approaches, selective source address and routing path, leverage the RR Test of MIPv6 and the new transport layer protocol, SCTP, which provides a multi-homing solution.

From the threats to MIPv6 categorized in section 2.3, we see that most of them can be solved by a sound authentication methodology. Moreover, from the perspective of IPv6, IPsec is likely to become the way authentication and encryption are done in the future.

However, the current state of PKI has suffered because there is no pervasive MIPv6 implementation. Thus, many approaches have been proposed, and research is under way during this transition period.

The return routability test is one of the promising approaches among many other solutions and has been adopted in MIPv6 as the standard for basic authentication. Using two independent paths to complete authentication is a good idea, but static routing paths can prevent attacks only to a certain extent. That is why we would like to improve it with minimum change and yet achieve maximum effect. With the multi-homing support of SCTP and distributed Home Agents, the routing paths vary. Because of the multi-homing feature, the carriers can be very different, such as 802.3, 802.11, and 802.16. For each fixed attachment or radio link, the access technology and network router are distinct. An attacker would need the capability to intercept signals or messages from different carriers at the same time. Thus, our approach greatly reduces the probability of compromise.

With the formula provided in section 4.4, we can compute the probability for our approach and compare it with conventional RR. Our approach enhances security during authentication and can reduce the chance of being compromised, especially when the CN is also a multi-homing host.

However, from the experimental results in the last chapter, we also observe some issues when the Binding Update process is associated with multiple interfaces. If the binding process is separated into several individual sub-processes, we should consider the cooperation between them. If the binding fails in one sub-process but succeeds in the rest, we should treat it as a failed binding. Accordingly, this kind of waiting will inevitably increase the latency when we consider employing this mechanism on radio links such as WiFi, 3G, and WiMAX. Their latency will be different from that of a fixed network attachment.
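The all-or-nothing rule described above can be sketched as follows. This is an added example, not code from the thesis: the names `SubBinding` and `decide_binding`, the early abort on the first failure, and all latency values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SubBinding:
    """Outcome of one per-interface binding sub-process (hypothetical model)."""
    interface: str
    latency_ms: Optional[float]  # None means no acknowledgement ever arrived
    ok: bool = True              # False means the sub-process reported failure


def decide_binding(results, timeout_ms):
    """Apply the all-or-nothing rule; return (accepted, decision_time_ms, reason).

    A binding is accepted only if every sub-process succeeds, so acceptance
    cannot happen before the slowest link answers. Rejection can be decided
    as soon as the first failure or timeout is observed.
    """
    if not results:
        raise ValueError("at least one sub-process is required")
    events = []
    for r in results:
        if r.latency_ms is None or r.latency_ms > timeout_ms:
            events.append((timeout_ms, False, f"{r.interface}: timeout"))
        else:
            state = "ok" if r.ok else "failed"
            events.append((r.latency_ms, r.ok, f"{r.interface}: {state}"))
    events.sort(key=lambda e: e[0])  # process outcomes in arrival order
    for when, ok, reason in events:
        if not ok:
            return False, when, reason
    return True, events[-1][0], "all sub-processes succeeded"


# Constructed sample latencies for a fixed link and two radio links.
ALL_OK = [SubBinding("802.3", 12.0), SubBinding("WiFi", 35.0),
          SubBinding("3G", 180.0)]
ONE_FAILED = [SubBinding("802.3", 12.0), SubBinding("WiFi", 35.0, ok=False),
              SubBinding("3G", 180.0)]
ONE_SILENT = [SubBinding("802.3", 12.0), SubBinding("WiFi", 35.0),
              SubBinding("3G", None)]

if __name__ == "__main__":
    for name, sample in [("all ok", ALL_OK), ("one failed", ONE_FAILED),
                         ("one silent", ONE_SILENT)]:
        print(name, decide_binding(sample, timeout_ms=500.0))
```

With these sample values the successful binding is decided only when the slowest radio link answers, and a silent link holds the decision until the timeout expires.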

6.2 Future work

The new paradigm of the Mobile IPv6 networks presents new challenges on security due to its salient characteristics that are totally different from the conventional wired and wireless networks.

In this paper, we studied the security issues in MIPv6 networks and analyzed the problems in order to come up with a workable solution. The existing solutions, like Return Routability (RR), cannot solve the security issues for MIPv6 networks well. Therefore, we propose the use of multiple source addresses. This may be quite a luxury in IPv4, but the considerably larger address space of IPv6 gives us a chance to do it. Our mechanisms, selective source and routing paths, not only showed the ability to authenticate Binding Updates effectively against many attacks but also gained the benefit of SCTP features to increase the throughput for multimedia applications.

In the future, we intend to undertake more experiments to study the feasibility of distributed HAs (Home Agents), a multi-homing CN (Correspondent Node) and the multi-stream feature of SCTP. Open questions include how distributed Home Agents synchronize data and how to find Home Agents that are near the Mobile Node in order to reduce the authentication latency.

In addition, experiments on RR latency over different carriers, whether wired or wireless, 3G or 4G, can be another topic for research.
