Mobile IP: Security Threats BY: G. CHANDRASEKHAR & GAURAV SHEKHAR PG-DESD, CDAC, HYDERABAD.


Page 1: Mobile IP Survey


Page 2: Mobile IP Survey

Mobile IP Entities

● Mobile Node (MN)
  – The entity that may change its point of attachment from network to network in the Internet
  – Detects that it has moved and registers with the "best" FA
  – Assigned a permanent IP address, its home address, to which other hosts send packets regardless of the MN's location
  – Since this address doesn't change, long-lived applications can keep using it as the MN's location changes

● Home Agent (HA)
  – A router with additional functionality, located on the home network of the MN
  – Maintains the mobility binding of the MN's home address to its COA
  – Forwards packets to the appropriate network when the MN is away, by encapsulating them

Page 3: Mobile IP Survey

Mobile IP Entities

● Foreign Agent (FA)
  – Another router with enhanced functionality
  – When the MN is away from home, it uses an FA to send data to and receive data from the HA
  – Advertises itself periodically
  – Forwards the MN's registration request to the HA
  – Decapsulates tunneled packets for delivery to the MN

● Care-of Address (COA)
  – Address that identifies the MN's current location
  – Carried in the MN's registration request (relayed by the FA) to the HA when the MN attaches
  – Usually the IP address of the FA

● Correspondent Node (CN)
  – End host with which the MN is communicating (e.g. a web server)

Page 4: Mobile IP Survey

Mobile IP Support Services

● Agent Discovery
  – HAs and FAs advertise their presence on each network to which they are attached
  – Agent Advertisements are ICMP Router Discovery Protocol (IRDP) messages carrying a Mobility Agent Advertisement extension
  – MNs listen for advertisements (or solicit them) and then initiate registration

● Registration
  – When the MN is away from home, it registers its COA with its HA, typically through the FA with the strongest signal
  – Registration control messages are sent over UDP to the well-known port 434

● Encapsulation – the HA wraps each packet addressed to the home address in an outer IP header whose destination is the COA (IP-in-IP, RFC 2003, by default)

● Decapsulation – the FA (or the MN itself, when it holds a co-located COA) strips the outer header and delivers the original packet

Page 5: Mobile IP Survey

Mobile IP Operation

● An MN listens for agent advertisements and then initiates registration
● If the responding agent is the HA, the MN is at home and Mobile IP tunneling is not needed
● After receiving the registration request from an MN, the HA acknowledges it with a Registration Reply and registration is complete
● Registration happens as often as the MN changes networks
● The HA intercepts all packets destined for the MN
  – This is simple unless the sending application is on, or near, the same network as the MN
  – The HA masquerades as the MN on the home link (proxy ARP)
● There is a specific lifetime for service before an MN must re-register
● There is also a de-registration process with the HA when an MN returns home

Page 6: Mobile IP Survey

Registration Process

Page 7: Mobile IP Survey

How is Mobile IP Deployed?

● All hosts are wholly owned by the enterprise
● Each router performs both home agent and foreign agent functionality

Page 8: Mobile IP Survey

Mobile IP Summary

● Allows node mobility across media of similar or dissimilar types
● Uses the Mobile Node's permanent home address when it changes its point of attachment to the Internet
● Requires no hardware or software upgrades to the existing installed base of IPv4 hosts and routers, other than the nodes specifically involved in providing mobility services
● The Mobile Node must provide strong authentication when it informs its Home Agent of its current location
● Uses tunneling to deliver packets destined to the Mobile Node's home address
● 3 main entities: Mobile Nodes, Foreign Agents and Home Agents
● 3 basic functions: Agent Discovery, Registration, Packet Routing

Page 9: Mobile IP Survey

Security Issues

● Insider attack
● Mobile Node denial-of-service
● Replay attacks
● Theft of information: passive eavesdropping
● Theft of information: session-stealing (takeover) attack
● Tunnel spoofing

Page 10: Mobile IP Survey

Insider Attacks

● Usually involve a disgruntled employee gaining access to sensitive data and then forwarding it to a competitor
● Enforce strict control over who can access what data
● Use strong authentication of users and computers
● Encrypt all data transfer end-to-end, between the ultimate source and destination machines, to prevent eavesdropping

Page 11: Mobile IP Survey

Mobile Node Denial-of-Service

● An Attacker sends a tremendous number of packets to a host (e.g., a Web server) and brings the host's CPU to its knees. Meanwhile no useful information can be exchanged with the host while it is processing all of the nuisance packets
● An Attacker somehow interferes with the packets flowing between two nodes on the network. Generally speaking, the Attacker must be on the path between the two nodes in order to wreak any such havoc

Page 12: Mobile IP Survey

Denial-of-Service Attack

An Attacker generates a bogus Registration Request specifying his own IP address as the care-of address for a mobile node. All packets sent by correspondent nodes to the mobile node's home address would then be tunneled by the node's home agent to the Attacker: the mobile node receives nothing (denial of service) and the Attacker reads its traffic (theft of information).

Page 13: Mobile IP Survey

How Does Mobile IP Prevent this Denial-of-Service Attack?

Note: with mobility the Attacker can mount this attack from anywhere in the network; he does not have to be "on the way" between the home agent and the mobile node, because a Registration Request is an ordinary UDP datagram that anyone can send to the home agent.

Solution: require cryptographically strong authentication in all registration messages exchanged by a mobile node and its home agent.

Mobile IP makes the Mobile-Home Authentication Extension mandatory on every Registration Request and Reply. The default algorithm is HMAC-MD5 (RFC 2104, built on the MD5 Message-Digest Algorithm of RFC 1321) with a 128-bit shared key, which provides secret-key authentication and integrity checking of the registration message; the original specification (RFC 2002) used keyed MD5 in "prefix+suffix" mode, which RFC 3344 replaced with HMAC-MD5.

Page 14: Mobile IP Survey

Replay Attacks

● An Attacker could obtain a copy of a valid Registration Request, store it, and "replay" it at a later time, thereby registering a bogus care-of address for the mobile node
● To prevent this, the Identification field is generated in such a way that the home agent can determine what the next acceptable value should be
● The Attacker is thwarted because the Identification field in his stored Registration Request is recognised by the home agent as out of date (timestamps or nonces are used for the Identification field; with timestamps the home agent rejects a value outside its clock tolerance or not newer than the last one it accepted)
● The Identification field is covered by the authentication extension, so the Attacker cannot simply update it in the stored request
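The three slides above (the bogus-COA registration, the mandatory authentication extension and the Identification-based replay check) fit in one exchange. The following is an added example, not code from the seminar: it builds a Registration Request in the RFC 5944 wire format with an HMAC-MD5 Mobile-Home Authentication Extension and shows the home-agent side rejecting a forged request and a replayed one. The MN-HA key, SPI, addresses and fixed clock are constructed values for the example.

```python
import hashlib
import hmac
import os
import struct
import time

# Wire formats follow RFC 5944 (Registration Request, Mobile-Home Authentication
# Extension); registration itself travels over UDP port 434.  The key, SPI and
# clock tolerance below are constructed values for this example.
MN_HA_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit MN-HA secret
SPI = 0x100                                                      # constructed security parameter index
REG_REQUEST_TYPE = 1
MH_AUTH_EXT_TYPE = 32          # Mobile-Home Authentication Extension
CLOCK_TOLERANCE_S = 7          # how far the MN's timestamp may drift from the HA clock
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)


def ip4(addr):
    return bytes(int(x) for x in addr.split("."))


def ntp_identification(now):
    """Timestamp-style Identification: NTP seconds in the high 32 bits,
    random low 32 bits.  The HA uses it to tell fresh requests from replays."""
    secs = int(now) + NTP_EPOCH_OFFSET
    return (secs << 32) | int.from_bytes(os.urandom(4), "big")


def build_registration_request(home_addr, home_agent, coa, lifetime, ident, key, spi):
    """Fixed part of the Registration Request followed by the (mandatory)
    Mobile-Home Authentication Extension with an HMAC-MD5 authenticator."""
    fixed = struct.pack("!BBH4s4s4sQ", REG_REQUEST_TYPE, 0, lifetime,
                        ip4(home_addr), ip4(home_agent), ip4(coa), ident)
    # Length counts the SPI plus the 16-byte authenticator.
    ext_hdr = struct.pack("!BBI", MH_AUTH_EXT_TYPE, 4 + 16, spi)
    # The authenticator covers the fixed part, every earlier extension (none
    # here) and the Type, Length and SPI of this extension.  The UDP/IP headers
    # are not covered, which is why the source address alone proves nothing.
    authenticator = hmac.new(key, fixed + ext_hdr, hashlib.md5).digest()
    return fixed + ext_hdr + authenticator


class HomeAgent:
    def __init__(self, key, spi, clock=time.time):
        self.key, self.spi, self.clock = key, spi, clock
        self.bindings = {}    # home address -> care-of address
        self.last_ident = {}  # home address -> last accepted Identification

    def process_request(self, msg):
        """Return (reply code, reason); 0 = accepted.  131 and 133 are the RFC 5944
        Registration Reply codes for a failed MN-HA authentication and an
        Identification mismatch respectively."""
        if len(msg) < 24 + 6 + 16 or msg[0] != REG_REQUEST_TYPE:
            return 134, "poorly formed request"
        fixed, ext = msg[:24], msg[24:]
        _, _, lifetime, home, _, coa, ident = struct.unpack("!BBH4s4s4sQ", fixed)
        ext_type, ext_len, spi = struct.unpack("!BBI", ext[:6])
        authenticator = ext[6:6 + ext_len - 4]
        if ext_type != MH_AUTH_EXT_TYPE or spi != self.spi:
            return 131, "missing or unknown authentication extension"
        # Authenticate first: nothing in the request, Identification included,
        # can be trusted before the MAC checks out.
        expected = hmac.new(self.key, fixed + ext[:6], hashlib.md5).digest()
        if not hmac.compare_digest(expected, authenticator):
            return 131, "mobile node failed authentication"
        home_s = ".".join(str(b) for b in home)
        ha_secs = int(self.clock()) + NTP_EPOCH_OFFSET
        if abs((ident >> 32) - ha_secs) > CLOCK_TOLERANCE_S:
            return 133, "identification mismatch: timestamp outside tolerance"
        if ident <= self.last_ident.get(home_s, 0):
            return 133, "identification mismatch: replayed or stale request"
        self.last_ident[home_s] = ident
        self.bindings[home_s] = ".".join(str(b) for b in coa)
        return 0, "registration accepted for %ds" % lifetime


def demo():
    now = 1700000000.0   # constructed fixed clock so the run is reproducible
    ha = HomeAgent(MN_HA_KEY, SPI, clock=lambda: now)
    good = build_registration_request("10.0.0.5", "10.0.0.1", "192.0.2.10", 300,
                                      ntp_identification(now), MN_HA_KEY, SPI)
    # Attacker at 198.51.100.7 names himself as COA but does not hold the MN-HA key.
    forged = build_registration_request("10.0.0.5", "10.0.0.1", "198.51.100.7", 300,
                                        ntp_identification(now), b"\x00" * 16, SPI)
    codes = [ha.process_request(good)[0],    # accepted, binding installed
             ha.process_request(forged)[0],  # authentication fails
             ha.process_request(good)[0]]    # replay of a captured request
    return codes, ha.bindings.get("10.0.0.5")
```

The order of checks matters: the MAC is verified before the Identification field is even looked at, because until then nothing in the datagram can be trusted. A captured request replayed within the clock tolerance still fails, since its Identification is not newer than the one the home agent last accepted, and a request replayed later fails on the timestamp check.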

Page 15: Mobile IP Survey

Theft of Information: Passive Eavesdropping

A passive eavesdropping attack happens when an attacker starts listening to the traffic transferred between the mobile device and its home agent. Mobile IP authenticates the registration messages but does not encrypt the tunneled data, so anything the mobile node sends or receives is visible on the path.

Countermeasures:
● Link-layer encryption
● End-to-end encryption (SSH, SSL, ...)

Page 16: Mobile IP Survey

Session-Stealing on the Foreign Link

● The Attacker waits for a mobile node to register with its home agent
● The Attacker eavesdrops to see whether the mobile node has any interesting conversation taking place (a remote login session to another host, a connection to the electronic mailbox)
● The Attacker floods the mobile node with nuisance packets so that it cannot keep up
● The Attacker steals the session by sending packets that appear to have come from the mobile node and by intercepting packets destined to the mobile node

Page 17: Mobile IP Survey

Session-Stealing Prevention

Same method as in the case of passive eavesdropping:

● Minimally, link-layer encryption between the mobile node and the foreign agent (against session-stealing on the foreign link)
● Preferably, end-to-end encryption between the mobile node and its correspondent node (against session-stealing anywhere else on the path)

Note: a good encryption scheme provides a method by which the decrypting node can determine whether the recovered plaintext is gibberish or legitimate (integrity checking); without it, an attacker can still inject or modify ciphertext even if he cannot read it.

Page 18: Mobile IP Survey

Tunnel spoofing

● The tunnel to the home network or foreign network may be used to hide malicious packets and get them past a firewall that looks only at the outer header
● Mobile IP's authentication extension and Identification field (timestamps or nonces) protect the registration exchange, so an attacker cannot install a bogus binding that would redirect a tunnel
● The tunneled data packets themselves are not authenticated by Mobile IP, so a firewall must decapsulate and inspect the inner packet (or the tunnel must be protected by IPsec) before letting tunneled traffic through
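The following is an added example, not code from the seminar. It covers the encapsulation and decapsulation step from the support-services slide and the tunnel-spoofing problem here: a home agent wraps a packet for the home address in an outer IP-in-IP header to the COA, and a firewall in front of the foreign link decapsulates the tunnel and checks that the outer source is a known home agent and that the inner destination is a home address actually bound to that COA, before applying its ordinary policy to the inner packet. The topology, addresses and blocked ports are constructed for the example; checksums are computed for the IP headers but the TCP checksum is left zero because only ports are inspected.

```python
import struct

IPPROTO_IPIP = 4   # RFC 2003 IP-in-IP: the default Mobile IP tunnel encapsulation
IPPROTO_TCP = 6


def ip4(addr):
    return bytes(int(x) for x in addr.split("."))


def ip4_str(raw):
    return ".".join(str(b) for b in raw)


def checksum(data):
    """RFC 1071 ones-complement checksum; over a complete IPv4 header it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_packet(src, dst, proto, payload, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ip4(src), ip4(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]   # fill header checksum
    return hdr + payload


def tcp_segment(sport, dport):
    # Minimal 20-byte TCP SYN header; checksum left zero since only ports are inspected.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def parse_ipv4(pkt):
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total > len(pkt) or checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": ip4_str(pkt[12:16]), "dst": ip4_str(pkt[16:20]),
            "proto": pkt[9], "payload": pkt[ihl:total]}


def encapsulate(ha_addr, coa, inner):
    """Home agent side: wrap a packet addressed to the home address in an outer header to the COA."""
    return ipv4_packet(ha_addr, coa, IPPROTO_IPIP, inner)


class ForeignLinkFilter:
    """Firewall in front of the foreign link.  Tunneled packets are admitted only when
    the outer source is a known home agent and the inner destination is a home address
    currently bound to that COA; the inner packet is then filtered like any other."""

    def __init__(self, home_agents, bindings, blocked_tcp_ports):
        self.home_agents = set(home_agents)       # trusted home agent addresses
        self.bindings = dict(bindings)            # home address -> COA, from accepted registrations
        self.blocked_tcp_ports = set(blocked_tcp_ports)

    def inner_policy(self, p):
        if p["proto"] == IPPROTO_TCP and len(p["payload"]) >= 4:
            dport = struct.unpack("!H", p["payload"][2:4])[0]
            if dport in self.blocked_tcp_ports:
                return "DROP", "TCP port %d blocked" % dport
        return "ACCEPT", "packet allowed"

    def inspect(self, pkt):
        try:
            outer = parse_ipv4(pkt)
        except ValueError as e:
            return "DROP", str(e)
        if outer["proto"] != IPPROTO_IPIP:
            return self.inner_policy(outer)       # not a tunnel: ordinary policy applies
        if outer["src"] not in self.home_agents:
            return "DROP", "tunnel from unknown home agent %s" % outer["src"]
        try:
            inner = parse_ipv4(outer["payload"])  # decapsulate before deciding
        except ValueError as e:
            return "DROP", "bad inner packet: %s" % e
        if self.bindings.get(inner["dst"]) != outer["dst"]:
            return "DROP", "inner destination %s is not a mobile node bound to %s" % (inner["dst"], outer["dst"])
        return self.inner_policy(inner)


def demo():
    # Constructed topology: HA 10.0.0.1 serves home address 10.0.0.5, currently at COA 192.0.2.10.
    fw = ForeignLinkFilter(home_agents=["10.0.0.1"], bindings={"10.0.0.5": "192.0.2.10"},
                           blocked_tcp_ports=[23])
    cn_to_mn = ipv4_packet("203.0.113.9", "10.0.0.5", IPPROTO_TCP, tcp_segment(40000, 443))
    legit = encapsulate("10.0.0.1", "192.0.2.10", cn_to_mn)
    # Attacker hides a telnet SYN for an internal host on the foreign link inside a tunnel,
    # spoofing the home agent as the outer source.
    hidden = ipv4_packet("198.51.100.7", "192.0.2.50", IPPROTO_TCP, tcp_segment(40001, 23))
    spoofed_tunnel = encapsulate("10.0.0.1", "192.0.2.10", hidden)
    # The same inner packet from an outer source that is not a known home agent at all.
    foreign_tunnel = encapsulate("198.51.100.7", "192.0.2.10", hidden)
    # A genuine tunnel to the right mobile node, but carrying a blocked inner service.
    telnet_to_mn = encapsulate("10.0.0.1", "192.0.2.10",
                               ipv4_packet("203.0.113.9", "10.0.0.5", IPPROTO_TCP, tcp_segment(40002, 23)))
    return [fw.inspect(p)[0] for p in (legit, spoofed_tunnel, foreign_tunnel, telnet_to_mn)]
```

The binding table the filter consults is the one produced by authenticated registrations, which is the link between the two halves of the problem: registration authentication keeps the bindings honest, and decapsulating inspection keeps the tunnel from being used as a blind spot. Note that checking the outer source against a list of home agents is not sufficient on its own, since the outer header is unauthenticated and trivially spoofed.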

Page 19: Mobile IP Survey

Other Active Attacks

● The Attacker connects to a network jack, figures out the IP address to use, and tries to break into the other hosts on the network
● He figures out the network prefix that has been assigned to the link to which the network jack is connected
● The Attacker guesses a host number to use, which combined with the network prefix gives him an IP address to use on the current link
● The Attacker proceeds to try to break into the hosts on the network by guessing user-name/password pairs

Page 20: Mobile IP Survey

Protection against such attacks

● All publicly accessible network jacks must connect to a foreign agent that requires every node on the link to be registered (authenticated) before it is given service
● Remove all non-mobile nodes from the link and require all legitimate mobile nodes to use (minimally) link-layer encryption

Page 21: Mobile IP Survey

THANK YOU!!!