National Chiao Tung University
College of Computer Science, Computer Science Program
Master's Thesis
Binding Update Authentication through Selective Source Address
and Routing Path in MIPv6
Student: Wei-De Lu
Advisor: Prof. Wen-Nung Tsai
Binding Update Authentication through Selective Source
Address and Routing Path in MIPv6
Student: Wei-De Lu
Advisor: Wen-Nung Tsai
National Chiao Tung University
College of Computer Science, Computer Science Program
Master's Thesis
A Thesis Submitted to the College of Computer Science, National Chiao Tung University, in Partial Fulfillment of the Requirements
for the Degree of Master of Science
in
Computer Science
June 2006
Hsinchu, Taiwan, Republic of China
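Binding Update Authentication through Selective Source Address and Routing Path in MIPv6
Student: Wei-De Lu Advisor: Prof. Wen-Nung Tsai
National Chiao Tung University, College of Computer Science, Computer Science Program, Master's Program
Chinese Abstract
MIPv6 is the next-generation mobile IP network protocol, an extension built on the IPv6 protocol. In view of the complicated way MIPv4 was extended over the traditional IPv4 network architecture, MIPv6 considerably simplifies routing: the indirect forwarding through the Foreign Agent of MIPv4 is replaced by direct contact between the Mobile Node and the Home Agent. Because the Foreign Agent forwarding mechanism is gone, the complexity and delay of communication between the Mobile Node, the Home Agent and the Correspondent Node are correspondingly reduced. MIPv6 inherits the characteristics of IPv6: besides solving the shortage of IP addresses, it improves on weaknesses in security, extensibility and quality of service, and makes many improvements over MIPv4.
The rapid growth of mobile devices will have an impact on the present Internet. It has brought dramatic changes to the way people communicate, entertain themselves and trade or consume, and has thereby changed the lifestyle of many people today. These changes have at the same time brought the Internet a continual stream of new, non-physical attacks and information theft, which have become the shadow of advancing network technology and cause great fear and doubt about Internet security. In view of this, many experts and scholars have proposed defensive and protective techniques and research, especially on the security of mobile technology. After all, the future of IP networks is the world of Mobile IP, and defensive measures for the security of MIPv6 are necessary and urgent. In fact, MIPv6 was designed from the outset to draw on the security protocol built into IPv6 (IPSec); however, with PKI development stalled, experts and scholars have had to look for transitional or alternative solutions. Without thorough security consideration, this could be a major obstacle for many emerging network services.
This thesis proposes a solution to a known security weakness in MIPv6 location updates. It lets a moving mobile node use an RR Test authentication mechanism with Multiple source address and Selective routing path to prevent hackers from forging the mobile node and from carrying out Man in the middle attacks, so that the CN (Correspond Node) obtains reliable confirmation when updating its cached CoA location information. Through research that is compatible with the existing RR Test authentication mechanism and integrates SCTP multi-homing technology, it puts forward some new concepts and ideas, in the hope of contributing to research on MIPv6 security.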
Binding Update Authentication through Selective Source
Address and Routing Path in MIPv6
Student: Wei Der Lu Advisor: Prof. Wen-Nung Tsai
Degree Program of Electrical Engineering Computer Science
National Chiao Tung University
Abstract
MIPv6 is the next-generation Mobile IP protocol, extending IPv6. In view of the complicated structure of MIPv4, MIPv6 improves route optimization, which greatly reduces known delay. By simplifying the routing path, MIPv6 eliminates the Foreign Agent of MIPv4, and the Mobile Node is able to communicate with the Home Agent and the Correspondent Node directly. MIPv6 inherits characteristics from IPv6, such as solving the insufficient-address problem, improving on the security vulnerabilities of IPv4, enhancing extensibility, reforming several Quality of Service issues and, above all, greatly changing the infrastructure of MIPv4.
The rapid growth of mobile devices has a great impact on the current Internet ecosystem and dramatically changes our lifestyle: the way we communicate, entertain ourselves, conduct business and consume. At the same time, this change brings non-physical Internet attacks and information theft, which cast a shadow over people in the form of fear of insecure trading, privacy prying and even tampering with personal property as Internet technology grows. In response to this fear, experts and scholars devote their research to protection and defensive mechanisms against known weaknesses, especially those of mobile networks. Ultimately, the future of IP networks is mobility. It is imperative to work out a good way to resolve security issues while facing that future. In fact, at the very beginning of designing IPv6, researchers already envisioned what the future network would be. There are numerous IAs (Intelligent Appliances) with a variety of functions: autoconfiguration, network sensibility, infrastructureless operation, mobility, and multimedia capability. This boundless creativity encourages us to develop more and more products and features. Nevertheless, without sound security, all of them will become mere nightmares.
This thesis aims at solving a known vulnerability of current MIPv6. By changing the source IP address and selecting the routing path, our approach prevents the hacker from forging the source IP address or eavesdropping on packets through a Man-in-the-middle attack. This enhanced RR Test results in more stringent authentication, which inherits the original RR Test and integrates the multi-homing feature of SCTP. Consequently, this thesis has certain contributions toward academic research.
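Acknowledgements
For the completion of this master's thesis, I first thank my advisor, Professor Wen-Nung Tsai, who gave me much intellectual inspiration and academic guidance while I was writing it. I also thank my senior classmate Ming-Chieh (明傑) and my classmates for their enthusiastic discussion and help, and my wife Chao-Hui (兆慧), my son Ting-Yu (庭羽) and my mother for their support and understanding during this time.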
Index
Chinese Abstract
Abstract
Acknowledgements
Index
List of Tables
List of Figures
Chapter 1 Introduction
1.1 Motivation
1.2 Research focus
1.3 Thesis Organization
Chapter 2 Background
2.1 Mobile IPv6 overview
2.1.1 Mobile IPv6
2.1.2 Route Optimization
2.1.3 Return Routability
2.2 SCTP (Stream Control Transmission Protocol)
2.3 Threat and Defense in MIPv6
2.3.1 Current Threat in MIPv6
2.3.2 Defense in MIPv6
Chapter 3 Related Work
3.1 Self-Certifying Address
3.2 Enhancing Return Routability
3.3 Mobile SCTP (mSCTP) for IP mobility
Chapter 4 Selective Source and Routing Path
4.1 Message Flow
4.2 Protocol Specification
4.3 Processing Bindings
4.4 Reduce probabilities of compromise
Chapter 5 Simulation and experimental result
5.1 Environment and simulation scenario
5.2 Experimental Result
5.3 Discussion and Limitation
Chapter 6 Conclusion and Future Work
6.1 Conclusion
6.2 Future work
List of Tables
Table 1 Mobility Header
Table 2 Mobility Header Type
Table 3 Hit ratios by increasing nodes
Table 4 Hit ratios by increasing HA nodes
Table 5 Hit ratios by increasing HA nodes but by fixing MN to 3
Table 6 Wired format
Table 7 Symbol explanation
Table 8 Collection of successful RR Test
Table 9 Binding latency of two different interfaces
Table 10 Collection of multi-homed interface - interface 1
Table 11 Collection of multi-homed interface - interface 2
Table 12 Latency of HoTI-HoT/CoTI-CoT for interface 1 and interface 2
List of Figures
Figure 1 Environment of MIPv6
Figure 2 Route Optimization
Figure 3 Return Routability of MIPv6
Figure 4 SCTP in transport layer
Figure 5 multiple message-streams of SCTP
Figure 6 Byte-stream vs. message-stream
Figure 7 SCTP protocol stack
Figure 8 CGA packet format
Figure 9 CAM structure
Figure 10 CGA format with sec fields
Figure 11 HIP packet structures
Figure 12 HIP establish connection
Figure 13 message flow
Figure 14 Structure of the Mobility extension header
Figure 15 Home Test Init message
Figure 16 Care of Test Init message
Figure 17 Care of Test message
Figure 18 Binding Update message
Figure 19 the structure of the new Type 2 Routing header (from cisco)
Figure 20 Packet between two Mobile Nodes (from cisco)
Figure 21 Selective Source address and Routing Path
Figure 22 Equation
Figure 23 Hit ratios by increasing node
Figure 24 Hit ratios by increasing HA and by fixing MN to 1
Figure 25 Hit ratios by increasing HA and by fixing MN to 3
Figure 26 Scenario of MN movement
Figure 27 Data packets sent by CN to MN indirectly via HA
Figure 28 Binding process dump
Figure 29 raw data of trace file
Figure 30 Latency of HoTI-HoT and CoTI-CoT
Figure 31 Latency of RR Test
Figure 32 Latency between RR Test and movement registration to HA
Figure 33 Latency of HoTI-HoT/CoTI-CoT for interface 1 and interface 2
Figure 34 BU variance of interface 1 and interface 2
Figure 35 Latency between interface 1 and interface 2
Chapter 1 Introduction
Due to the popularization of portable devices and the desire for continuous Internet connectivity regardless of a mobile device's physical position, location update and location management in mobile networks are becoming increasingly important. Accordingly, Mobile IPv6 [1] was developed as a subset of Internet Protocol version 6 to support mobility. Mobile IPv6 is now a standard that allows mobile devices whose IP addresses are associated with one network to stay connected when moving to a different network. Unlike traditional devices with a fixed attachment to the network, mobile devices may change their point of attachment frequently. Since a mobile device frequently moves between secure private networks and highly unguarded public networks, security is a much more significant issue. This thesis reveals the current threats in Mobile IPv6 networks and proposes an approach that mitigates some of these threats.
1.1 Motivation
The IT industry is now facing the challenge of the mobility revolution, in which the spread of mobile and ubiquitous services has a more significant effect on commercial and social life than the Internet revolution. Besides, the introduction of new communication protocol technology (WiMAX) brings a significant influence to the telecom industry, speeds up the growth of mobile devices and blurs the boundary between 3G and Wi-Fi. Users expect services that are unique and fully mobility ready, which means that the roles of the operators will change, new business models will emerge and new methods for developing and marketing services will surface. Nevertheless, those services will reside on the widespread IP-based network, because IP-based infrastructure has gradually taken a share of the telecom market and become an essential part of communication. Not only the datacom industry but also the telecom industry takes IP-based services as its roadmap, at present and in the future.
The Internet Engineering Task Force (IETF) noticed this trend and designed Mobile IP version 4 in 1996. However, MIPv4 has not been deployed widely enough and has several major shortcomings, including a cumbersome communication process and a limited number of IP addresses. A limited address space is an important issue because the number of mobile devices is increasing rapidly, and without enough IP addresses they cannot access the Internet or communicate with peers. In order to overcome these deficiencies and introduce new capabilities, the IETF has been developing MIPv6. MIPv6 therefore increases the available IP addresses, introduces many new features and retains mobile users' connections to the Internet as they move between networks.
Once our computing devices are mobile, they are exposed to the same kinds of vulnerabilities as public networks. Compared to a network with fixed attachment, mobility brings many new security issues that need attention. Even though IPv6 [2] introduced several mechanisms (AH and ESP of IPSec) for securing IP packets, the new mechanisms of Mobile IPv6 cause other issues, such as false binding updates. How to overcome these issues is an important next step for MIPv6 implementation.
After the success of YouTube, the potential market for sharing and watching videos through the Internet cannot be ignored. Some manufacturers are considering embedding media players in handheld devices for watching videos provided by YouTube and Joost. In addition, more and more vendors are developing new audiovisual streaming technology to integrate into mobile devices. Consequently, research on protocols such as the Stream Control Transmission Protocol (SCTP), which supports multiple streams in an attempt to boost throughput for multimedia applications, is now underway.
1.2 Research focus
Our research focuses on the security enhancement of the RR Test in MIPv6. MIPv6 enables a Mobile Node to move from its home network to another network while retaining its IPv6 address. That is, a Mobile Node can always be reached through its home address. Packets are routed to the Mobile Node's home address when the MN is away from home. This works because whenever the Mobile Node changes its attached network, the Home Agent (HA) is notified through Binding Update messages containing the Mobile Node's Care-of Address (CoA).
Return Routability (RR) is the basic technique for authenticating MIPv6 Binding Updates (BUs). Because RR does not require any data encryption mechanism and the messages exchanged for its weak authentication travel over known static routes, it is possible for attackers to launch Man-in-the-middle attacks. Thus, we would like to make some changes to the MN, HA and CN that reduce the opportunities for such attacks.
We also find a way to enhance the throughput of massive multimedia data transfers by modifying SCTP over MIPv6. In order to increase routing path diversity, we consider introducing multiple HAs (Home Agents), a multi-homed HA or distributed HAs as selective intermediate nodes when Mobile Nodes request Return Routability authentication. Through the ideas proposed above, we are able to enhance the RR authentication mechanism by making a few changes, yet substantially reduce the probability of compromise due to the weaknesses of the original RR Test. At the same time, we would like to gain the benefit of applying SCTP for better throughput between the MN and the CN.
1.3 Thesis Organization
some of its threats and defenses. Chapter 3 presents an overview of related work in the field. Chapter 4 describes our proposal for enhancing Return Routability (RR) by using selective routing paths and employing the multi-homing feature of SCTP with selective source addresses. In Chapter 5, we use NS2 with the additional Mobiwan module to demonstrate the security improvement and to analyze the performance of our scheme through simulation results. Conclusions and future work are addressed in Chapter 6.
Chapter 2 Background
2.1 Mobile IPv6 overview
Mobile Internet Protocol has been proposed by the IETF to supply IPv6 nodes with mobility. Mobility means that when devices change their network attachment, they still keep their existing connections. When a conventional IPv6 node changes its location, its address may need to change. Because of that change, however, the IPv6 node cannot maintain the connectivity it had with its correspondent before the change.
Although IPv6 nodes can travel between different links and change their addresses without intervention, existing connections that use the address assigned by the previous network cannot be maintained, or are even forcefully terminated, when the address changes. Therefore, two important concepts of the Mobile IPv6 mechanism are introduced. One is “Location Update” and the other is “Location Management”. Location Update means that the Mobile Node should initiate the update of its location change to the related parties when it moves to another network. With Location Management, Mobile Nodes can be reached wherever their current location is. The MIPv6 specification defines Location Management by assigning a Home Address to the mobile node, through which the mobile node is always reachable. With these two features, an IPv6 node becomes mobile.
2.1.1 Mobile IPv6
Without support for mobility in IPv6, packets cannot reach the destination Mobile Node while it is away from the home network. In order to continue communicating, a Mobile Node could change its IP address from time to time while moving to a foreign network, but it would not be possible to maintain transport and higher-layer connections.
dominating the network access device market originally belonged to PCs and in the near future, they are likely to account for the majority of Internet access machines. As the previous section explained, Mobile IPv6 allows a Mobile Node to move from one network to another without changing its IP address and keeps the Mobile Node always addressable by its Home Address (an IP address assigned to the MN within its home subnet prefix on its home link).
Packets may be routed to the MN (Mobile Node) using its home address regardless of the mobile node's current point of attachment to the Internet. Thus, the mobile node is able to communicate with other nodes, either stationary or mobile, after moving to a new network. The movement of a mobile node away from its home link is also transparent to transport-layer and higher-layer protocols and applications.
In the following paragraphs, we introduce some components and terminology [3] used by Mobile IPv6.
Figure 1 Environment of MIPv6
․Home link : the link that is assigned the home subnet prefix of the mobile node.
․Home address (HoA) : an address assigned to the mobile node, through which the mobile node is always reachable. A Mobile Node can have multiple home addresses. When the mobile node is away from home, packets destined to the mobile node's home address are intercepted by the home agent and tunneled to the mobile node's current location. When the mobile node is on its home network, MIPv6 processes are not used.
․Home agent (HA) : a router on the home link that maintains registrations of Mobile Nodes' CoA (Care-of Address). When the MN (Mobile Node) is away from home, it registers its current address with the home agent. The home agent tunnels data sent to the mobile node's home address to the mobile node's CoA (Care-of Address) and forwards tunneled data sent by the MN (Mobile Node).
․Mobile Node (MN) : an IPv6 node that can change links and maintain reachability using its home address. A mobile node is aware of its home address and CoA (care-of address), and indicates its home address/care-of address mapping to the home agent and to the Correspondent Nodes with which it is communicating.
․Foreign link : a link other than the MN's home link.
․Care-of address : a unicast routable address used by a Mobile Node while it is attached to a foreign link. For stateless address configuration, the care-of address is a combination of the foreign subnet prefix and an interface ID determined by the mobile node. A mobile node can be assigned multiple care-of addresses. Only one care-of address is registered as the primary care-of address with the mobile node's home agent. The association of a home address with a care-of address for a mobile node is known as a binding. CNs (Correspondent Nodes) and HAs (home agents) keep information on bindings in their binding cache.
․Correspondent Node : a peer node communicating with an MN (Mobile Node) is called a Correspondent Node. A correspondent node does not have to be Mobile IPv6-capable. A CN (Correspondent Node) can be either mobile or stationary.
․Binding Update : the process of updating the home agent with a new primary care-of address is known as a home registration binding update. There is also a correspondent registration binding, which runs between the Mobile Node and the Correspondent Node. The home agent uses the home address in the Home Address option and the care-of address in a Care-of Address mobility option to update its Home Address/Care-of Address binding cache entry for the mobile node.
․Binding Cache : the table maintained by Home Agents and Correspondent Nodes with the Home Address of the Mobile Node, the Care-of address of the mobile node and the lifetime of the binding cache entry.
The MN reports its new location to an actively communicating Mobile IPv6-capable correspondent node with a binding that maps the home address of the mobile node to its care-of address. This process is known as a correspondent registration binding update. To update the cache entry for the Mobile Node's Home Address/Care-of Address, the correspondent node uses the home address in the Home Address option and the source address of the packet.
The Mobile IP protocol can handle movement in both local-area and wide-area networks, wired and wireless. However, the Mobile Node is required to notify its home network of its change of location. When moving to a foreign network, the care-of address (CoA) of the Mobile Node has to be registered with its home agent. If the foreign network is far from the home network of the mobile node, the signaling delay for these registrations may be long. This is why we propose distributed HAs (Home Agents), which may be located in different geographical regions to reduce the delay caused by distance.
To reduce latency for real-time applications, a route optimization option is necessary in Mobile IP. Therefore, Mobile IPv6 introduced a way of eliminating triangle routing by allowing Correspondent Nodes (CNs) to cache bindings of the mobile nodes' current locations. A CN can then send packets for the mobile node directly to its care-of address without going through the home network. In the next section, we give more details of the Route Optimization feature of MIPv6.
2.1.2 Route Optimization
Mobile IP is designed to provide mobility support on top of the existing IP infrastructure. Supporting route optimization [4] is a fundamental part of the Mobile IP protocol, even though it may cause some security issues (discussed in a later chapter). In route optimization, a correspondent node (CN) learns a binding between the mobile node's stationary home address and its current temporary care-of address.
A correspondent should be MIPv6-capable so that data traffic can be sent directly between the Correspondent Node and the Mobile Node. Route optimization allows direct communication over the shortest path. It not only avoids a possible failure of the home network or home agent but also eliminates congestion at the mobile node's home network. When routing data traffic directly to the Mobile Node using its care-of address, the correspondent sets a type 2 routing header as an extension of the IPv6 header to indicate the mobile node's home address. Similarly, the Mobile Node sets the source address to its current care-of address and includes the Home Address destination option to indicate its home address.
As mentioned above, Route Optimization requires correspondent registration. That is, a Mobile Node should register its current binding before exchanging packets directly with the correspondent. The Correspondent Node maintains a table of the current bindings of Mobile Nodes and checks its binding cache entries for the mobile node's address mapping (CoA and HoA), last binding request and lifetime. If an entry is found, the Correspondent Node sends the packet carrying the mobile node's home address directly to the Mobile Node's care-of address when the mobile node is away from home.
Figure 2 Route Optimization
In most cases, Mobile IPv6 packets are sent using IPv6 routing header rather than IP encapsulation in order to reduce the overhead. It is expected that route optimization can be deployed without the PKI infrastructure. Besides, Mobile IPv6 route optimization can still operate securely even without pre-arranged security associations.
2.1.3 Return Routability
Return Routability is the process devised to provide a weak authentication procedure for binding updates in Mobile IPv6. RR is a weak authentication scheme since its authentication messages are sent unencrypted. Any intermediate node along the routing path has full access to the authentication messages exchanged, without doing any cryptographic work whatever.
The following types of mobility messages are defined:
․Binding Refresh Request : sent by a correspondent node or the home agent to request the current binding from a mobile node.
If a mobile node receives a binding refresh request, it responds with a binding update. A correspondent node sends a binding refresh request when a binding cache entry is in active use and the lifetime of the binding cache entry approaches expiration. A home agent sends a binding refresh request when the lifetime of its binding cache entry approaches expiration.
․Home Test Init (HoTI) : sent by the mobile node to initiate the Return Routability procedure and test the indirect path from a mobile node to a correspondent node via the home agent.
․Care-of Test Init (CoTI) : sent by the mobile node to initiate the Return Routability procedure and test the direct path from a mobile node to a correspondent node.
․Home Test (HoT) : sent by the correspondent node to respond to the HoTI message during the Return Routability procedure. The response packet will carry Home Nonce Index, Home Init Cookie, and Home keygen Token.
․Care-of Test (CoT) : sent by the correspondent node to respond to the CoTI message during the Return Routability procedure. The response packet will carry Care-of Nonce Index, Care-of Init Cookie, and Care-of keygen Token.
Figure 3 Return Routability of MIPv6
After Home Test Init and Care-of Test Init are acknowledged, the Mobile Node may send a Binding Update to the Correspondent Node to complete the authentication procedure.
Binding Acknowledgement (BA): the Binding Update message is answered with a BA from the Correspondent Node to the MN's care-of address. This response carries the same sequence number as the Binding Update. As a means of weak authentication, a hash is added to the reply parameters of a Binding Acknowledgement message: “First (96, HMAC_SHA1 (Kbm, (care-of address | correspondent | BA)))”.
The process described above is known as a home registration binding update. There is also a binding of correspondent registration which runs between Mobile Node and Correspondent Node. The home agent uses the home address in the Home Address option and the care-of address in a Care-of Address mobility option to update its Home Address/ Care-of Address binding cache entry for the mobile node.
Binding Refresh Request (BRR): a correspondent node uses this request to re-establish its binding with a Mobile Node when the binding's lifetime in the Correspondent Node's cache is about to expire. This is also a way to limit the number of attackers and their targets intending to test the return routability (RR) of the HoA and CoA.
In the RR protocol, the MN sends HoTI and CoTI to the CN. The HoTI message goes through the HA to the CN, and CoTI is sent to the CN directly. After the CN has received these two messages, it uses its private secret (Kcn) and nonces to generate a pair of tokens, the Home-keygen-token and the Care-of-keygen-token. The CN puts the Home-keygen-token into a HoT addressed to the MN but routed through the HA. The Care-of-keygen-token is put into a CoT that goes directly to the MN.
After the MN receives both messages (with the Home-keygen-token and the Care-of-keygen-token), it generates a secret (Kbm) known only by the MN and the CN. The MN sends a BU to the CN using Kbm for authentication. Once the CN receives the BU, it calculates Kbm and then uses Kbm to verify the authentication. If the BU is accepted, the CN commits the “Binding Update” to its Binding Cache; if not, the CN rejects the binding update. The RR test is, in fact, a variation of the cookie exchange, which has been used as part of the TCP handshake and in authentication protocols, including Photuris and IKE.
The binding management key derived from the correspondent is sent over both claimed routing paths to assure reachability. Two token values are then retrieved, one from each path, carried by the HoT and CoT messages. If a malicious entity is able to capture packets on or access the path between the Correspondent Node and the Home Agent, it can learn only the home token in the HoT message. Should the tokens on both paths be captured by an attacker, it will be possible for him/her to calculate the binding management key. However, most Internet users do not have such capability. A typical attacker is able to attack only the correspondents and mobile nodes in his/her own local network. These kinds of verification should be able to prevent spoofing of binding updates and denial-of-service attacks in most cases.
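The token exchange and the Kbm check described in this section can be traced in code. The following is an added example, not code from the thesis: the keygen-token and Kbm formulas are those of the Mobile IPv6 specification (RFC 3775), while the `CorrespondentNode` class, the `rotate_nonce` helper, the 2001:db8:: addresses and the stand-in Binding Update bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import os


def first(bits, data):
    """First(n, x): the leftmost n bits of x."""
    return data[: bits // 8]


def addr(text):
    """IPv6 address as the 16 octets that enter the MAC."""
    return ipaddress.IPv6Address(text).packed


def derive_kbm(home_token, care_of_token):
    """Kbm = SHA1(home keygen token | care-of keygen token)."""
    return hashlib.sha1(home_token + care_of_token).digest()


def authenticator(kbm, coa, cn, mh_data):
    """First(96, HMAC_SHA1(Kbm, (care-of address | correspondent | data)))."""
    mac = hmac.new(kbm, addr(coa) + addr(cn) + mh_data, hashlib.sha1)
    return first(96, mac.digest())


class CorrespondentNode:
    """CN side of the RR test (hypothetical class): Kcn and nonces only."""

    def __init__(self, address):
        self.address = address
        self.kcn = os.urandom(20)           # private secret Kcn
        self.nonces = {0: os.urandom(8)}    # nonce index -> nonce
        self.current = 0
        self.binding_cache = {}             # HoA -> CoA

    def rotate_nonce(self, keep=1):
        """Start a new nonce; forget all but the `keep` most recent old ones."""
        self.current += 1
        self.nonces[self.current] = os.urandom(8)
        for index in [i for i in self.nonces if i < self.current - keep]:
            del self.nonces[index]

    def _token(self, address, index, path):
        # Final octet separates the two tests: 0 = home, 1 = care-of.
        msg = addr(address) + self.nonces[index] + bytes([path])
        return first(64, hmac.new(self.kcn, msg, hashlib.sha1).digest())

    def home_test(self, hoa):
        """HoT contents (nonce index, home keygen token); travels via the HA."""
        return self.current, self._token(hoa, self.current, 0)

    def care_of_test(self, coa):
        """CoT contents (nonce index, care-of keygen token); travels directly."""
        return self.current, self._token(coa, self.current, 1)

    def binding_update(self, hoa, coa, home_idx, coa_idx, mh_data, auth):
        """Recompute Kbm from the claimed addresses; commit only on a match."""
        if home_idx not in self.nonces or coa_idx not in self.nonces:
            return False                    # nonce retired: tokens are stale
        kbm = derive_kbm(self._token(hoa, home_idx, 0),
                         self._token(coa, coa_idx, 1))
        expected = authenticator(kbm, coa, self.address, mh_data)
        if not hmac.compare_digest(expected, auth):
            return False
        self.binding_cache[hoa] = coa
        return True


def demo():
    # Constructed addresses from the 2001:db8::/32 documentation prefix.
    hoa, coa, other = "2001:db8:1::10", "2001:db8:2::10", "2001:db8:3::66"
    cn = CorrespondentNode("2001:db8:9::1")
    bu = b"seq=1;lifetime=420"              # stand-in for the BU message data

    h_idx, h_tok = cn.home_test(hoa)
    c_idx, c_tok = cn.care_of_test(coa)
    good = authenticator(derive_kbm(h_tok, c_tok), coa, cn.address, bu)

    results = {}
    # Only the HA-CN path was observed: the care-of half has to be guessed.
    guess = authenticator(derive_kbm(h_tok, bytes(8)), coa, cn.address, bu)
    results["home_token_only"] = cn.binding_update(hoa, coa, h_idx, c_idx, bu, guess)
    # The authenticator and care-of token are bound to the care-of address.
    results["other_coa"] = cn.binding_update(hoa, other, h_idx, c_idx, bu, good)
    # The MN, holding both tokens, is accepted and the cache is updated.
    results["mobile_node"] = cn.binding_update(hoa, coa, h_idx, c_idx, bu, good)
    results["cache"] = dict(cn.binding_cache)
    # Once the CN retires the nonce, the same BU no longer verifies.
    cn.rotate_nonce(keep=0)
    results["replay_after_expiry"] = cn.binding_update(hoa, coa, h_idx, c_idx, bu, good)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Kbm has no input other than the two tokens, which is why the security of the exchange rests entirely on the two tokens travelling over separate paths.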
2.2 SCTP (Stream Control Transmission Protocol)
In this section, we introduce SCTP (Stream Control Transmission Protocol) [13], because our thesis employs this protocol together with Mobile IPv6. By incorporating the multi-homing feature of SCTP, we can masquerade source addresses by picking one or more IP addresses randomly for RR authentication. Moreover, we also want to utilize other features, such as multi-streaming, to boost throughput.
The IETF Signaling Transport (SIGTRAN) working group defined the Stream Control Transmission Protocol (SCTP) in 2000. Originally, SCTP designers wanted to create a protocol that duplicates in IP some of the reliability attributes of the SS7 signaling network.
Figure 4 SCTP in transport layer
Stream control transmission protocol (SCTP) is an end-to-end, connection-oriented protocol that transports data in independently sequenced streams. SCTP endpoints support multi-homing, multi-streaming, initiation protection, message framing, configurable unordered delivery and graceful shutdown. SCTP provides applications with enhanced performance, reliability, and control functions. This protocol is essential where detection of connection failure and associated monitoring is mandatory. Furthermore, SCTP could be implemented in network systems and applications that deliver voice/data supporting real-time services, such as streaming video and multimedia services.
Figure 5 multiple message-streams of SCTP
TCP transports a single byte-stream at a time, whereas SCTP can transport multiple message-streams. TCP sends data as bytes, and all bytes must be delivered in order. A byte transmitted first must safely arrive at the destination before a second byte can be processed, even if the second byte manages to arrive first. SCTP, in contrast, conserves message boundaries by operating on whole messages instead of single bytes.
Figure 6 Byte-stream vs. message-stream
SCTP is able to transmit several independent streams of messages in parallel, which it terms “multi-streaming”. You can imagine multi-streaming as several TCP connections bundled in one SCTP association that operates on messages instead of bytes, for example when transmitting a few video streams of an RTP application in parallel over the same SCTP association.
TCP ensures the correct order of bytes in the stream by conceptually assigning a sequence number to each byte sent and ordering these bytes based on that sequence number when they arrive. SCTP, on the other hand, assigns different sequence numbers to messages sent in a stream. This allows independent ordering of messages in different streams. However, message ordering is optional in SCTP. If the user application so desires, messages will be processed in the order they are received instead of the order they were sent, should these differ.
However, signaling in the PSTN (Public Switched Telephone Network) requires message-based delivery. Multi-streaming is one SCTP feature that provides an advantage over PSTN services. An SCTP connection can be set up to carry multiple phone calls within one call stream. Therefore, if a single message is lost in only one phone call, the other calls will not be affected. Due to the limitation of TCP, handling multiple phone calls over TCP requires some form of multiplexing to put all phone calls into a single byte-stream. The drawback is that once a single packet for phone call n is lost, the following packets cannot be processed until the missing bytes are retransmitted, thus causing unnecessary delays and affecting voice quality.
Figure 7 SCTP protocol stack
An SCTP association is similar to a TCP connection except that it can support multiple IP addresses at either end. This feature is also an important function that we will discuss in Chapter 4 of this thesis. Besides, an SCTP association is comprised of multiple logical streams, ensuring the sequenced delivery of user datagrams within a single stream. SCTP makes use of its multi-streaming feature to speed up the transfer of data. Sequencing of data is done within a stream, so a datagram lost in one stream does not affect datagrams in other streams. This feature results in a better response time for applications.
2.3 Threat and Defense in MIPv6
We would like to discuss and describe some attacks against Mobile IPv6 in this section. In my opinion, it seems that all the vulnerabilities can be attributed to the “Binding Update”. Various protocols and mechanisms are used to manage mobile nodes' movements. To ease our discussion, we define “False Binding Update” as the ones that provide offensive opportunities for attackers. In the following sections, we assume the threats of MIPv6 to be in some sense synonymous with “False Binding Update”. Thus, we categorize the causes of “False Binding Update” and describe them in more detail in the sub-sections. We also consider how to compensate for those threats.
Although the process of route optimization reduces the communication delay between the MN and the CN, it also exposes more vulnerabilities to attackers. By sending false BUs, an attacker can forge false entries in the CN's (correspondent node's) Binding Cache and cause IP packets to be routed to designated destinations. Without the protection of a cryptographic mechanism, data transmitted between the CoA and the CN can easily suffer a compromise of secrecy and integrity. The most annoying part is the DoS (Denial-of-Service) attack, which bombards the target host or network with unwanted data.
In order to prevent those kinds of attacks [4], several Binding Update authentication mechanisms have been proposed, such as CGA or RR. We will introduce CGA and RR after explaining the current threats in Mobile IPv6.
2.3.1 Current Threat in MIPv6
In this section, we would like to introduce several known attacks which should be considered when designing a protocol for authenticating BUs. They are categorized and described in several sub-sections.
Replaying and Blocking Binding Updates
Any protocol for authenticating BUs will have to consider replay attacks. That is, an attacker may be able to replay recent authenticated BUs to the correspondent and, in this way, direct packets to the mobile host's previous location. Like spoofed BUs, this can be used both for capturing packets and for DoS. The malicious node can capture the packets and try to impersonate the MN if it reserves MN's previous address after the MN has moved away and then replays the previous BU to redirect packets back to the previous location.
By jamming the radio link, by launching a flooding attack, or by taking over a mobile node’s connection at the old location, the attacker could block binding updates from the mobile node at its new location. If an attacker stays between MN and CN, they will be able to capture the packets sent to the mobile and to impersonate the mobile until the correspondent's Binding Cache entry expires.
We believe that these kinds of attacks are not so serious as ones that can be mounted from remote sites, for both of the above attacks require the attacker to be on the same local network as the mobile node, where the attacker can easily observe packets and can block them even if the mobile does not move to a new location.
Man in the middle attack
Updates [5]. That is, the attacker can send spoofed BUs to both Alice and Bob and insert itself to the middle of all connections between them. Therefore, the attacker is able to see and modify the packets sent between Alice and Bob. If the target host or its correspondent supports Route Optimization and the attacker happened to know their IP addresses, this attack is possible.
Bombing Attack
As long as Binding Updates are not authenticated, an attacker can keep sending spoofed BUs. We cannot identify the mobile host that sent the spoofed BUs. Thus, all Internet hosts are vulnerable to this kind of attack because they all might support the correspondent functionality.
For example, if a host, Alice, sends IP packets to another host Bob, the attacker can redirect the packets to an arbitrary address Carl by sending to Alice a Binding Update where the home address (HoA) is Bob and the care-of address (CoA) is Carl. After receiving this BU, Alice will send all packets intended for Bob to the address Carl. The attacker may select the CoA to be either its own current address or any other IP address. If the attacker selects a local CoA where it can receive packets, it will be able to send further packets to a correspondent, which the correspondent believes to be coming from the mobile.
The attacker can bomb an arbitrary Internet address with excessive amounts of data or target a network by redirecting data to one or more IP addresses within the network. Therefore, CoA and HoA easily become victims, because they are the ones providing services and, most of the time, are known to everyone.
Bombing CoA with unwanted data
An attacker could learn that there is a heavy data stream from a media server, say Alice, to some client Bob. The attacker then subscribes to a data stream from Alice, such as a video stream, pretending to be Bob, and then redirects it to the target address Carl. This kind of attack might be destructive because the target can be any host or network, not only a mobile one without powerful computation capability. Moreover, it is particularly serious compared to the other attacks. The target itself cannot do anything to prevent the attack.
Bombing HoA with unwanted data
Another type of bombing attack targets the HoA instead of the CoA. The attacker could initiate a video data stream download from a media server, and then sends a BU cancellation to delete the previous binding from the Binding Cache, or simply allows the cache entry to expire, which will cause the data stream to be redirected to the HoA. At first sight, you may not think it will be a serious event. However, just like bombing the CoA, the attacker can keep the stream alive by spoofing acknowledgments and this will result in a denial of service (DoS) attack.
In the beginning, the attacker needs to find a correspondent that is willing to send data streams to unauthenticated recipients. By observation, lots of popular web sites provide such video or other media streams. After the success of YouTube, this kind of web site is getting more and more popular. The attacker needs to know or guess the target's IP address, if the target is a single host. On the other hand, if the target is an entire network, the attacker can also congest the link toward that network by bombing random addresses within its routing prefix or group of prefixes. Although a firewall on the gateway of the target network may be able to filter out data that is sent to nonexistent addresses, we cannot depend only on the way networks are managed, or assume that the addressing privacy features of IPv6 would include such filtering.
Exhausting State Storage
In this section, we describe defenses against denial-of-service attacks that exploit features of the BU protocol to exhaust the target host's resources. The better approach is to increase the cost and difficulty of the attacks and to mitigate their impact since, as you know, it is hardly possible to completely prevent DoS attacks.
A general way of attack is to exhaust the memory resources used for storing protocol state. Hosts like the Home Agent (HA) or CN (Correspondent Node) keep Binding Message entries in their memory cache to accelerate access. The Binding Cache stores “Binding Update” entries and includes Correspondent Registration and Home Registration.
2.3.2 Defense in MIPv6
In order to prevent the corruption of routing tables, Binding Updates have to be authenticated. The following subsections present a few authentication methods. Two of them are strong, public-key authentication and the other is weak authentication through independent routing paths. Current solutions, such as Cryptographically Generated Address (CGA) and Return Routability (RR) tests, are regarded as promising for BU authentication. In certain situations, public key cryptography is considered too expensive; the best solution may be authentication through the routing path.
Public Key Authentication
IPv6 includes IP Security (IPSec), which acts at the network layer, protecting and authenticating IP packets between participating IPSec peers. With IPSec, data can be sent across a public network without being observed, modified, or spoofed. Moreover, a key management protocol, Internet Key Exchange (IKE), can be used in conjunction with IPSec. Mobile IPv6 authentication would use this suite of strong authentication mechanisms.
This level of strong encryption in MIPv6 can prevent all kinds of attacks against data secrecy and integrity. When the data is encrypted with a public key, spoofed BUs can only result in denial of service but not in disclosure or corruption of sensitive data. Thus, an attacker such as a man-in-the-middle will not easily be able to crack or modify packets between Mobile Node, Home Agent, or Correspondent Node. If the correspondent can authenticate the requester by IPSec, that ensures that a BU cancellation comes from the requester itself and that the request to delete the binding from the binding cache is real. When attackers spoof BUs to redirect heavy streaming data to a specific host or arbitrary address, they cannot easily cheat the Correspondent Node (CN) under strong public key authentication.
Nevertheless, the reasons why the PKI is not as prevalent as expected may be the consequence of the failure of commercializing PKIs and the slow pace of the IPSec standardization process. They could also explain the current lack of a standard BU authentication protocol.
There are some reasons that the generic protocol suites may not be suitable for BU authentication. First of all, just as power technology has not kept pace with the requirements of many lightweight devices, the generic authentication protocols have usually been designed with general-purpose computers and application-level security in mind. This kind of computation and communication overhead is too expensive for low-end mobile devices such as PDAs or smart phones. Secondly, the researchers intend to design the Mobile IPv6 protocol with the capability to accommodate any node with mobility and every kind of host as correspondent. When even local infrastructures have failed to emerge at the expected rate, it is clearly a formidable goal that a single PKI should cover the entire Internet. Therefore, it is necessary to look for alternative solutions that do not rely on such global infrastructures.
Return Routability for HoA and CoA
A BU authentication scheme that uses two independent routes has been proposed. In this approach, a mobile node initiates the Return Routability procedure over the direct and the indirect path to the correspondent node. The correspondent, which receives both initial messages through different paths, responds to both addresses, and then accepts Binding Updates only from mobiles that are able to receive both returned messages. Some malicious entities residing on the correspondent's local network may be able to capture one or both packets. For a typical attacker, the best place to intercept both messages is the end point’s local network. In fact, the RR test also includes a variation of the cookie exchange, which has been used in many authentication protocols such as IKE.
As a weaker alternative to CGA or other public key authentication, the RR test provides a lightweight authentication mechanism for HoA and CN. The RR test prevents bombing attacks against CoA and HoA by periodically checking for expired binding cache entries. Thus, an effective attack requires that the attacker has recently visited the target network (CoA or CN’s local network) during the time when the entry in the binding cache is valid. This is a way of checking that the mobile is not lying about its location and, in fact, frequent location changes make the attack difficult. This provides a level of authentication but is not entirely secure because the attacker could be somewhere on the path from correspondent to CoA. That’s why we propose our enhanced Return Routability idea of making the routing paths hard to guess.
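An added example, not taken from the thesis: the correspondent-side check behind the RR test, using the keygen-token and Kbm formulas of RFC 3775, to show why a Binding Update is accepted only from a node that received both returned messages. The class and function names, the addresses and MAX_NONCES are assumptions of this example, and sequence-number handling is left out.

```python
"""Return Routability check with the RFC 3775 token formulas (added example)."""
import hashlib
import hmac
import ipaddress
import os

MAX_NONCES = 2  # constructed value: how many recent nonces the CN still honours


def first(bits, data):
    """First(n, data): the leftmost n bits of data."""
    return data[: bits // 8]


def packed(addr):
    return ipaddress.IPv6Address(addr).packed


def derive_kbm(home_token, care_of_token):
    """Kbm = SHA1(home keygen token | care-of keygen token)."""
    return hashlib.sha1(home_token + care_of_token).digest()


def binding_auth(kbm, coa, cn_addr, mh_data):
    """Authenticator = First(96, HMAC_SHA1(Kbm, CoA | CN address | MH data))."""
    msg = packed(coa) + packed(cn_addr) + mh_data
    return first(96, hmac.new(kbm, msg, hashlib.sha1).digest())


class CorrespondentNode:
    """Keeps no per-mobile state until a Binding Update verifies."""

    def __init__(self, address):
        self.address = address
        self.kcn = os.urandom(20)   # node key, never leaves the CN
        self.nonces = {}            # nonce index -> nonce
        self.index = 0
        self.binding_cache = {}     # HoA -> CoA
        self.rotate_nonce()

    def rotate_nonce(self):
        """Start a new nonce and forget all but the MAX_NONCES newest."""
        self.index += 1
        self.nonces[self.index] = os.urandom(8)
        for old in [i for i in self.nonces if i <= self.index - MAX_NONCES]:
            del self.nonces[old]

    def _token(self, addr, index, path_flag):
        # keygen token = First(64, HMAC_SHA1(Kcn, address | nonce | 0 or 1))
        msg = packed(addr) + self.nonces[index] + bytes([path_flag])
        return first(64, hmac.new(self.kcn, msg, hashlib.sha1).digest())

    def home_test(self, hoa):
        """Reply to HoTI; addressed to the HoA, so it arrives via the HA."""
        return self.index, self._token(hoa, self.index, 0)

    def care_of_test(self, coa):
        """Reply to CoTI; addressed to the CoA, so it arrives directly."""
        return self.index, self._token(coa, self.index, 1)

    def accept_binding_update(self, hoa, coa, home_idx, coa_idx, mh_data, auth):
        if home_idx not in self.nonces or coa_idx not in self.nonces:
            return False    # nonce expired: old tokens and old BUs are dead
        kbm = derive_kbm(self._token(hoa, home_idx, 0),
                         self._token(coa, coa_idx, 1))
        expected = binding_auth(kbm, coa, self.address, mh_data)
        if not hmac.compare_digest(expected, auth):
            return False
        self.binding_cache[hoa] = coa
        return True


def run_demo():
    # All addresses are constructed, from the 2001:db8::/32 documentation prefix.
    cn = CorrespondentNode("2001:db8:c::1")
    hoa, coa, elsewhere = "2001:db8:a::10", "2001:db8:b::10", "2001:db8:d::66"
    mh_data = b"constructed BU body, seq=1"

    h_idx, h_tok = cn.home_test(hoa)      # path CN -> HA -> MN
    c_idx, c_tok = cn.care_of_test(coa)   # path CN -> MN
    auth = binding_auth(derive_kbm(h_tok, c_tok), coa, cn.address, mh_data)
    results = {"both_paths": cn.accept_binding_update(
        hoa, coa, h_idx, c_idx, mh_data, auth)}

    # A sender reachable at `elsewhere` that never received the home test for
    # hoa holds one token only and has to guess the other.
    e_idx, e_tok = cn.care_of_test(elsewhere)
    guess = binding_auth(derive_kbm(os.urandom(8), e_tok),
                         elsewhere, cn.address, mh_data)
    results["one_path_only"] = cn.accept_binding_update(
        hoa, elsewhere, h_idx, e_idx, mh_data, guess)

    # A valid authenticator is bound to the CoA it was computed for.
    results["coa_swapped"] = cn.accept_binding_update(
        hoa, elsewhere, h_idx, c_idx, mh_data, auth)

    # After the nonces age out, replaying the once-valid BU fails.
    cn.rotate_nonce()
    cn.rotate_nonce()
    results["replay_after_expiry"] = cn.accept_binding_update(
        hoa, coa, h_idx, c_idx, mh_data, auth)
    return results, dict(cn.binding_cache)


if __name__ == "__main__":
    print(run_demo())
```

The residual weakness named in the text is visible here: any node that sees both tokens, for instance one sitting on the correspondent's own link, can compute the same Kbm.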
Cryptographically Generated Address (CGA)
A Cryptographically Generated Address (CGA) is an IPv6 address in which the last 64 bits, the interface identifier, are generated by hashing the IPv6 address with the owner's public key. The binding can be verified by re-computing and comparing the hash value and other parameters sent in the specific message.
A one-way hash function makes it difficult for an attacker to match a given address and to spoof a BU. Using CGA has some advantages. CGA provides public-key authentication without the need for a global PKI or any trusted third parties. The CGA protocol can reduce signaling overhead and handoff latency. CGA makes the spoofing attack much harder and allows signing messages with the owner's private key. Even though an attacker can create its own CGA address, the attacker cannot spoof someone else's address since he/she does not know the private key of the address owner.
Chapter 3 Related Work
Mobile IPv6 brings innovations to current Mobile IP network; however, it did raise quite a few issues with added complication. Many researchers ponder over them to ensure that Mobile IPv6 is more secure and efficient than that in Mobile IPv4. In the following sections, we group some proposed ideas into 3 major categories: Self-Certifying Address, Return Routability Enhancement and Mobile SCTP for IP mobility.
3.1 Self-Certifying Address
In order to provide a transition to a comprehensive IPSec infrastructure, Cryptographically Generated Address (CGA) and CAM (Child-Proof Authentication) [15] were proposed. Without a PKI or other security infrastructure, the address owner uses the corresponding private key to assert address ownership, having hashed the address owner’s public key and used that hash to generate some address bits of their own IPv6 address. Nowadays, many researchers consider CGA (Cryptographically Generated Address) [16] one of the most promising authentication solutions for Binding Update. The attractive part of this technique is that it provides public-key authentication independent of any trusted third parties, PKI, or other global infrastructure. That is, CGA can work even without a global infrastructure, so that it can provide peer-to-peer communication with a certain level of security.
We cannot forgo CAM (Child-Proof Authentication), an initial work of CGA, if we want to talk about Cryptographically Generated Address (CGA). Greg O’Shea and Michael Roe presented CAM (Child-Proof Authentication) for Mobile IPv6 in [16]. Their work makes a mobile node use a partial hash of its public key for its IPv6 address to prevent falsification of network address.
derives the low order 64 bits from the MAC (EUI-64 identifier) address and listens to router advertisement to obtain its high order 64-bit address prefix. Generally, the lower 64 bits come from the interface’s MAC address, but in CAM or CGA the interface ID is generated from a cryptographic one-way hash (SHA-1) of the node’s public key.
The CAM protocol requires the hash algorithm used to be one-way so that inversion of the hash becomes infeasible. Messages sent from an IPv6 mobile node can be protected by attaching the public key and those parameters. This kind of solution can work without a certificate authority or other security infrastructure.
Besides, it is important to note that CAMs themselves are not certified. The CAM protocol cannot protect against an attacker who deliberately generates an address with its own or someone else’s public key and communicates with victims, such as a Mobile Node or Correspondent Node, but it does provide non-repudiation proof. That is, an attacker cannot take an address generated by someone else and then send signed messages pretending to be the owner of that address.
Even though using a 62-bit value may be a tough requirement for most low-end devices, such as handheld PDAs and cell phones, it is better to change keys several times during a day. Generally, a given key must be retained for the duration of any existing TCP connections, so that the Mobile Node can operate without the Home Agent during the lifetime of this key and can safely communicate with the correspondent without security infrastructure. In addition, during the transition to a new key, the previous key (and associated Home Address) can remain in use.
Besides CAM, CGA is also a technique that provides an intermediate level of security, which is below public-key authentication but above routing-based weak methods (RR). The idea, originally introduced in CAM, is to form the last 64 bits of the IP address (the interface identifier) by hashing the host's public signature key. With the mobile's generated public key pair, Binding Updates can then be signed with this key. A secure one-way hash function makes it difficult for the attacker to come up with a key that matches a given address and to forge signed BUs. The attraction of this technique is that it provides public-key authentication independent of any trusted third parties, PKI, or other global infrastructure.
Let us take a look at CGA format:
Modifier: A 128-bit unsigned integer; this value adds randomness to the address during CGA generation.
Subnet Prefix: The 64-bit subnet prefix of the CGA.
Collision Count: During CGA generation, the collision count is increased when a duplicate address is detected.
Public Key: A variable-length field containing the public key of the address owner.
A CGA is associated with the above parameters and is built from Hash1 and Hash2, which are computed from those parameters.
CGA generation
To generate a CGA, we need several input values: modifier, subnet prefix, collision count, public key and security parameter (Sec). To prevent an attacker from using a pre-computed database of subnet prefixes, the subnet prefix is included as a parameter in the hash computation. From the modifier, 9 zero octets, and the public key, a Hash2 value is computed. The 16×Sec leftmost bits of Hash2 are compared with zero; if Sec is 0 or those bits are all zero the procedure continues, otherwise it goes back to Hash2 generation. By concatenating the modifier value, the subnet prefix, the collision count and the public key and applying the SHA-1 algorithm, a Hash1 value is derived.
Figure 9 CAM structure
Figure 10 CGA format with sec fields
The main weakness of the CAM scheme is that only 62 bits of the IP address can be used for the hash. Thus, it is vulnerable to brute-force attack, as attackers could easily find a matching signature key with current computing power. That is why CGA proposed extending the hash by including the subnet prefix in the hash input. This forces the attacker to perform the search separately for each subnet prefix. The attacker may create a global database of hash values and their corresponding keys, even if that seems impractical because of the large storage needed. The side effect of the idea is that it works only for globally routable addresses but not for link-local addresses. It is also relatively expensive for a Mobile Node to recompute the hash when it moves to another network and changes its subnet.
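An added example, not code from the thesis: CGA generation and verification following the RFC 3972 steps that the paragraphs above summarize, showing that a verifier rejects a foreign key or a changed subnet prefix and that any key can still produce a valid address of its own. The byte strings standing in for DER-encoded public keys, the fixed starting modifier and the addresses are constructed assumptions; the signature check on the message itself is outside this example.

```python
"""CGA generation and verification following RFC 3972 (added example)."""
import hashlib
import ipaddress

# Constructed stand-ins for DER-encoded public keys (a real CGA hashes the
# encoded SubjectPublicKeyInfo of the owner's key).
OWNER_KEY = b"constructed public key of the address owner"
OTHER_KEY = b"constructed public key of some other node"
IID_MASK = 0x1CFFFFFFFFFFFFFF  # skip the 3 Sec bits and the u/g bits on compare


def prefix_bytes(prefix):
    return ipaddress.IPv6Network(prefix).network_address.packed[:8]


def hash1(modifier, prefix, collision_count, public_key):
    """64 leftmost bits of SHA-1(modifier | prefix | collision count | key)."""
    data = (modifier.to_bytes(16, "big") + prefix
            + bytes([collision_count]) + public_key)
    return hashlib.sha1(data).digest()[:8]


def hash2(modifier, public_key):
    """112 leftmost bits of SHA-1(modifier | 9 zero octets | key)."""
    data = modifier.to_bytes(16, "big") + bytes(9) + public_key
    return hashlib.sha1(data).digest()[:14]


def leading_bits_zero(data, bits):
    return int.from_bytes(data, "big") >> (len(data) * 8 - bits) == 0


def generate_cga(prefix, public_key, sec, modifier=0):
    """Return (address, parameters). A real node starts from a random
    modifier; the default of 0 only keeps this example reproducible."""
    while not leading_bits_zero(hash2(modifier, public_key), 16 * sec):
        modifier = (modifier + 1) % (1 << 128)   # expected work: 2^(16*sec)
    collision_count = 0   # raised (at most to 2) if duplicate detection fails
    pfx = prefix_bytes(prefix)
    iid = bytearray(hash1(modifier, pfx, collision_count, public_key))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)        # write Sec, clear u and g bits
    params = {"modifier": modifier, "prefix": pfx,
              "collision_count": collision_count, "public_key": public_key}
    return ipaddress.IPv6Address(pfx + bytes(iid)), params


def verify_cga(address, params):
    addr = ipaddress.IPv6Address(address).packed
    if params["collision_count"] not in (0, 1, 2):
        return False
    if addr[:8] != params["prefix"]:
        return False
    h1 = hash1(params["modifier"], params["prefix"],
               params["collision_count"], params["public_key"])
    if (int.from_bytes(h1, "big") & IID_MASK) != (int.from_bytes(addr[8:], "big") & IID_MASK):
        return False
    sec = addr[8] >> 5    # Sec is read back from the address itself
    return leading_bits_zero(hash2(params["modifier"], params["public_key"]), 16 * sec)


def run_demo():
    address, params = generate_cga("2001:db8:b::/64", OWNER_KEY, sec=1)
    results = {"owner": verify_cga(address, params),
               "sec_bits": address.packed[8] >> 5}
    # Same address claimed with a different key: Hash1 no longer matches.
    results["other_key"] = verify_cga(address, dict(params, public_key=OTHER_KEY))
    # Same interface identifier under another prefix: the prefix is part of
    # Hash1, so the address has to be regenerated after a move.
    new_pfx = prefix_bytes("2001:db8:c::/64")
    moved = ipaddress.IPv6Address(new_pfx + address.packed[8:])
    results["moved_prefix"] = verify_cga(moved, dict(params, prefix=new_pfx))
    # CGAs are not certified: another key yields a valid address of its own,
    # so verification proves the key-address binding, not who the node is.
    own_addr, own_params = generate_cga("2001:db8:b::/64", OTHER_KEY, sec=1)
    results["self_made"] = verify_cga(own_addr, own_params) and own_addr != address
    return results


if __name__ == "__main__":
    print(run_demo())
```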
CGA Signaling Diagram
Although the correctness of the claimed address is assured, CGA still needs a minimal address testing procedure for both the home and the care-of address. However, one of the main goals of CGA is to reduce the latency caused by signaling.
The CGA protocol provides two kinds of signaling: initial contact establishment and subsequent messaging. The initial signaling should be rerun at least once every 24 hours. The signaling process for initial contact is listed below.
1. MN to CN (via HA): Pre Binding Update
2a. CN to MN (via HA): Pre Binding Acknowledgement
2b. CN to MN (directly): Pre Binding Test
3. MN to CN (directly): Binding Update + ESN + CGA Key + SIG + BAD
4. CN to MN (directly): Binding Acknowledgment + ESN + SKey + BAD
The signaling for subsequent messaging is shown below.
1. MN to CN (directly): Care-of Test Init [+ ESN + KeepFlow + BAD]
2. CN to MN (directly): Care-of Test
3. MN to CN (directly): Binding Update + NI + ESN + BAD
4. CN to MN (directly): Binding Acknowledgment + ESN + BAD
ESN (extended sequence number): a 64 bit unsigned integer, increased by the mobile node when sending a new message to the correspondent.
SIG (signature): SIG option contains the signature signed by the mobile node with CGA's private key.
BAD (Binding Authorization Data option): an authentication code generated by MN to prevent replay attacks
Skey (Shared key): Binding acknowledgment messages sent by the correspondent node use Skey option to carry key encrypted by mobile node's public key.
Signature option: The Signature option is calculated with the mobile node's private key.
CGA Key Option: The CGA Key Option is used to carry the mobile node's CGA public key and other parameters. A Binding Update sent by the Mobile Node with this option is signed with the corresponding CGA private key.
Readers can notice that the Home Address Test doesn't show up in the subsequent messaging process. It is not needed anymore for the continuing message exchange. The correspondent node will respond with a Binding Acknowledgment after receiving the signature and verifying the address owner's public key in the BU message. Through the ESN sent with the Binding Update, the Correspondent Node can prevent replay attacks using past BU messages.
Generating new public keys and changing addresses at regular intervals should also discourage brute-force attacks. Note that CGAs themselves are not certified, so a malicious node may create a new CGA from any subnet prefix and its own public key. This concept addresses the limitation of cryptographically generated addresses (CGA). Although CGAs prevent the theft of another host's address, they do not stop the attacker from inventing new false addresses with an arbitrary routing prefix. The attacker can generate a public key and a matching IP address in any network and use it to launch bombing attacks. So there is a trade-off: the stronger and more complex the key, the more computation it consumes on resource-limited mobile devices.
public-key protocols provide a reasonable protection against unauthentic BUs, they are computationally intensive and therefore the participants are exposed to denial-of-service attacks.
3.2 Enhancing Return Routability
In this section, we present some other approaches to Binding Update authentication. Return Routability is a lightweight authentication approach using independent routing paths to authenticate the sender’s identity. Here, we would like to introduce a paper called “Buddy Enhanced Return Routability for authentication in mobile IPv6” [17], which builds on the foundation of “Return Routability” and extends the technique by making use of stochastic route selection. Our idea is somewhat similar to the solution provided by ERR. Without adding strong cryptographic security and significant overhead, ERR chooses the path randomly and relies on the buddy node, which may be any node in the network.
The Return Routability protocol enables the correspondent node (CN) to obtain a reasonable assurance that the Mobile Node (MN) is addressable at its claimed Care-of Address (CoA) as well as at its home address (HoA). Accordingly, the CN accepts both Return Routability tests, the direct one from the MN’s care-of address and the indirect one through the MN’s Home Agent, and responds to them through different but static routing paths. Only a mobile that can receive both messages is able to send a binding update (BU) to the CN as an identity authentication. Return Routability was intentionally developed as an authentication without strong cryptographic protection, which is why this paper is eager to find an improvement for it.
According to [17], the security of RR rests on two premises. (1) The independent messages through different routes (CN<->HA<->MN, CN<->MN) will not be intercepted simultaneously. Basically, there is an option that the messages between CN and MN can be protected using IPSec. (2) If we examine the RR mechanism seriously, we find that there is not much of an authentication mechanism.
The goal of “Buddy enhanced return routability for authentication in mobile IPv6” is to overcome the weak authentication of the legacy Return Routability protocol without applying any cryptographic method. Enhanced return routability, ERR, was designed with these weaknesses of RR in mind. ERR attempts to overcome the problems with RR without adding strong cryptographic security or other overhead. Making the authentication paths between MN and CN as secret as possible was one motivating factor of ERR.
ERR keeps authentication paths secure by letting the MN select a stochastic path. In [17], the MN selects a group of random paths to the CN. There are two different ways of selecting random paths. First, the MN uses a buddy node, which might be any node in the network, as a relay point. However, this is under the assumption that most nodes in the network are trustworthy. Thus, the attacker won’t know which paths are being selected. The other way of random selection is from the entries in the binding cache. The authors of “Buddy enhanced return routability for authentication in mobile IPv6” assume that the entries in the binding cache are trustworthy and are more suitable than intermediate nodes selected randomly from the network.
In conclusion, since these paths are selected randomly at the time of binding update, an attacker would be unable to determine the selected paths, and therefore be unable to launch an attack against ERR. However, ERR is designed under the assumption that most nodes in the network are trustworthy. When the binding cache is empty, selecting any node at random is nothing short of high risk. In other words, choosing an intermediate node without a mechanism to assure its level of trustworthiness might be worse than simply using a legacy static routing path.
3.3 Mobile SCTP (mSCTP) for IP mobility
Stream Control Transmission Protocol (SCTP) is a new transport protocol featuring multi-streaming and multi-homing. In the beginning of this thesis, our research focused on its utilization in mobility. In what follows, we would like to pay more attention to the use of SCTP for IP mobility support in the transport layer.
Seok J. Koh and Qiaobing Xie [19] discussed how to make use of SCTP for IP handover support in “Mobile SCTP (mSCTP) for IP Handover Support”. Through dynamic address reconfiguration, SCTP with the ADDIP extension (mSCTP) provides soft handover for the mobile node without any additional network layer support from routers or agents. As to location management, mSCTP could be used along with Mobile IP, SIP (Session Initiation Protocol) or Reliable Server Pooling. Later, this document will also discuss mSCTP along with Mobile IP for mobility support.
The mSCTP [18] may be used as an alternative to the handover schemes based on Mobile IPv4 and Mobile IPv6. Mobile SCTP provides handover management at the transport layer without support from routers, unlike Mobile IP based handover schemes, which rely on the support of network agents or routers for tunneling between access routers.
The mSCTP is targeted for client-server services in which the mobile client initiates an SCTP session with a fixed server. For peer-to-peer services, in which a session is terminated at the mobile host, mSCTP must be used with another location management scheme such as Mobile IP, Session Initiation Protocol (SIP), Reliable Server Pooling (RSerPool) or Dynamic DNS (DDNS).
SCTP intrinsically provides the multihoming feature, which allows a mobile node to bind multiple IP addresses simultaneously. Recent works on SCTP include the ADDIP extension, which enables SCTP to add, delete and change IP addresses during an active SCTP association. Mobile SCTP (mSCTP), which implements SCTP with the ADDIP extension, can be used for soft handover while the mobile node is moving into a foreign network during the session. Besides, mSCTP provides a way for Route Optimization without using any Binding Update procedures.
The following depicts the procedure for mSCTP Handover:
1. Session Initiation by Mobile Client
2. Obtaining an IP Address in the New Location
3. Adding the New IP address to the SCTP Association
4. Changing the Primary IP Address
5. Deleting the Old IP Address from the SCTP Association
6. Repeating the mSCTP Handover Procedures
Accordingly, mSCTP with MIP is focused on the mobile sessions that are initiated by CN to MN. Only the Mobile needs to be aware of MIP, whereas the CN does not need to use MIP. Namely, Mobile IP will be used only for location management, by which the CN can find the location of the MN and establish an SCTP association. The HoA will be used for location management as well, but after SCTP session establishment, the HoA won’t be used for the following data transfer. Once the SCTP association has been established, the on-going SCTP session will be supported by the mSCTP soft handover procedures and the CoA is employed for continuing data transfer. Specifically, MIP functionality for data transport will not be used in SCTP. Once the association is established, the data transport between MN and CN relies on SCTP over IP.
The home address (HoA) of the MN is not involved in the data transport between CN and MN in the proposed scheme. No additional route optimization procedures are required, that is, no binding update is needed between MN and CN. The reason for this is to exploit the intrinsic route optimization feature of mobile SCTP. Once the CN gets the current location of the MN, the basic SCTP initialization completes. The HoA is just a backup IP address in case the primary address (CoA) becomes unreachable.
For location management, the mSCTP may be used along with MIP or SIP. In case of using MIP for location management, only the MN needs to be aware of MIP, whereas the CN need not use MIP. Using mSCTP with MIP, the MN must also be able to bind the CoA as well as HoA to its applications. The HoA will be used only for location management. After establishment of an SCTP session, the HoA will not be used for data transport. Instead, the CoA is employed for the SCTP data transport. On the other hand, in MIP, only HoA is bound to the applications of MN regardless of the different CoAs.
The MIP provides the location management in the network layer, and it can support seamless handover with the support from network devices. In related papers, SIP is introduced as a signaling protocol that supports the location management for user or personal mobility. SIP itself does not provide seamless handover but it can be used together with mSCTP for seamless handover.
Mika Ratola [10] made a comparison of Mobile IPv6, HIP, and SCTP even though they are in different layers. He compared the protocols by architecture, security and problems in the paper “Which Layer for Mobility? Comparing Mobile IPv6, HIP and SCTP”. Ratola pointed out that the key factor in the functioning of MIPv6 is the Binding Update. Therefore, binding messages must be authenticated and protected against replay attacks. An IPSec Security Association (SA) between MN and Home Agent can be pre-installed. However, in IPv6 [14], the IPSec framework, with Authentication Header (AH) or Encapsulated Security Payload (ESP), is employed as a built-in security function. As an alternative authentication, the RR (Return Routability) procedure is used.
Host Identity Payload (HIP) by Robert Moskowitz introduces a new Host Identity layer between the IP layer and the upper layers. HIP avoids the situation where binding sockets to IP addresses forces the address into a dual role of endpoint and forwarding identifier. In HIP, upper layer sockets are bound to Host Identities (HI) instead of IP addresses.
Figure 11 HIP packet structures
HI is represented via its 128 bit (SHA-1) hash, which is known as the Host Identity Tag (HIT), or via a 32 bit Local Scope Identity (LSI). However, HITs should be unique in the whole IP universe. The HIP protocol is used to authenticate the connection. It uses a four-way handshake with Diffie-Hellman key exchange. The following figure illustrates the exchange. With HIT, it is easy to achieve multi-homing by binding multiple IP addresses to a host, so a correspondent can identify hosts by their HIT instead of their IP addresses.
Figure 12 HIP establish connection
SCTP provides a general purpose transport protocol for message-oriented applications. A key difference to TCP is the concept of several streams within a connection which are known as associations. The association establishment in SCTP uses four-way handshake.
While establishing association, CN sends INIT chunk to trigger association setup by way of HA. MN responds with INIT-ACK chunk by put MAC into a COOKIE and returned in an INIT-ACK chunk. Correspondent using the received COOKIE assemble a COOKIE-ECHO chunk and return it to Mobile Finally, the MN verifies with the MAC, that the COOKIE is the same as it sent, and replies with a COOKIE-ACK chunk.
mSCTP is targeted at client-server services. To support peer-to-peer services, SCTP must be used along with an additional location management scheme. HIP is designed to solve the problem of the location and identity of a node in order to achieve mobility. However, it requires changes to the operating system kernel and adds a new layer to the existing communication model, whose architecture has remained in place for decades.
There is no straightforward solution when both mobility and security issues are considered. Nevertheless, many alternative solutions have been proposed.
Chapter 4 Selective Source and Routing Path
Our proposal aims at enhancing the current Return Routability scheme, which employs route authentication only through a static routing path. In this chapter, we present a novel idea which may greatly increase the ability to prevent attackers from eavesdropping or launching a Man-in-the-Middle attack. Similar to return routability, we neither rely on a pre-existing security relationship (including security properties tied to the IPv6 addresses) nor apply complicated cryptographic computation, in order to reduce excessive computation overhead on portable or mobile devices.
4.1 Message Flow
In this section, we borrow the existing multihoming feature of SCTP, which we need for switching packet sources. We also implement a load-balanced or distributed Home Agent (HA) to provide a more selective intermediate node for advanced authentication.
We make use of these features to perform authentication before transferring data to the Correspondent Node. Once the MN (Mobile Node) changes its location, it sends a binding update to the Correspondent Node in order to maintain its binding with the Correspondent. Before that, however, a Return Routability procedure has to complete first to prove that the Mobile Node is reachable through both the direct path and the indirect path, as we mentioned in Chapter 2. Readers can refer to Figure 13 for the difference from the conventional way. MN1 and MN2 stand for the two different interfaces of the Mobile Node, and HA1 and HA2 represent independent Home Agents on the home link or elsewhere. Home Test Init (HoTI) and Care-of Test Init (CoTI) messages are sent simultaneously through the two different interfaces, and each follows its own routing path as described for conventional Return Routability.
Thus, multiple messages are sent out from different source IP addresses and pass through different intermediate nodes (Home Agents). Moreover, when the source addresses and intermediate nodes are selected randomly by the application, this forms a new way of authentication apart from conventional Return Routability.
Figure 13 message flow
The Correspondent Node responds to HoTI1, HoTI2, CoTI1, and CoTI2 individually, either directly or indirectly through HA1 and HA2. By exchanging the binding management key during Binding Update and Binding Acknowledgement, each node gets proof of participating in the Return Routability procedure.
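The following added example (not code from the thesis) models why a Binding Update keyed from all four replies cannot be authenticated by a party that saw only some of the paths. The token and authenticator formulas follow RFC 3775's Return Routability; combining four tokens into one Kbm by concatenation, one shared nonce, a distinct address per path, and all sample addresses are assumptions.

```python
import hashlib
import hmac
import ipaddress
import os

KCN = os.urandom(20)    # correspondent node's private key (Kcn)
NONCE = os.urandom(8)   # CN nonce currently in use

# Constructed sample: HoTI1/HoTI2 travel via HA1/HA2 (kind 0), CoTI1/CoTI2
# leave from interfaces MN1/MN2 (kind 1). Addresses are documentation prefixes.
TESTS = [("2001:db8:1::10", 0), ("2001:db8:2::10", 0),
         ("2001:db8:a::1", 1), ("2001:db8:b::1", 1)]
BU = b"constructed binding update"   # stands in for the covered BU fields


def keygen_token(address, kind):
    """First(64, HMAC_SHA1(Kcn, address | nonce | kind))."""
    msg = ipaddress.ip_address(address).packed + NONCE + bytes([kind])
    return hmac.new(KCN, msg, hashlib.sha1).digest()[:8]


def cn_replies(tests):
    """Tokens the CN returns, one per HoTI/CoTI, without storing per-MN state."""
    return [keygen_token(addr, kind) for addr, kind in tests]


def authenticator(tokens, bu_data):
    """Kbm = SHA1(all tokens in order) (assumed); MAC = First(96, HMAC_SHA1(Kbm, data))."""
    kbm = hashlib.sha1(b"".join(tokens)).digest()
    return hmac.new(kbm, bu_data, hashlib.sha1).digest()[:12]


def cn_verify(tests, bu_data, mac):
    """CN recomputes every token, derives Kbm and checks the BU authenticator."""
    return hmac.compare_digest(authenticator(cn_replies(tests), bu_data), mac)


def mobile_node_mac():
    """The real MN received all four replies, so it derives the full Kbm."""
    return authenticator(cn_replies(TESTS), BU)


def partial_observer_mac():
    """Holder of only the HA1 and MN1 tokens; the other two are unknown to it."""
    seen = cn_replies(TESTS)
    seen[1], seen[3] = os.urandom(8), os.urandom(8)   # stand-ins for unseen tokens
    return authenticator(seen, BU)
```

With two tokens, as in conventional Return Routability, one vantage point that covers both the home and care-of paths is enough to derive Kbm; in this model each additional independent path adds a 64-bit token that the observer must also capture.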
The Correspondent Node will discard packets if the Home Address option in a Destination Option header cannot be matched with its binding cache entry. This is a kind of protection against an attacker attempting to impersonate the Mobile Node when it is away from home.